Configure an ImageVulnerabilityScan for Prisma
This topic gives you an example of how to configure a secret and ImageVulnerabilityScan (IVS) for Prisma.
Example secret
This section contains a sample secret containing the Prisma Cloud account access key, secret key, and console URL which are used to authenticate your Prisma account. You must apply this once to your developer namespace.
apiVersion: v1
kind: Secret
metadata:
name: prisma-auth
stringData:
username: USERNAME
password: PASSWORD
address: ADDRESS
Where:
USERNAMEis the access Key from the Prisma Cloud account.PASSWORDis the secret Key from the Prisma Cloud account.ADDRESSis the URL for Console from the Prisma Cloud account.
Example ImageVulnerabilityScan
This section contains a sample IVS that uses Prisma to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration Options.
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
name: prisma-ivs
annotations:
app-scanning.apps.tanzu.vmware.com/scanner-name: Prisma
spec:
image: TARGET-IMAGE
scanResults:
location: registry/project/scan-results
serviceAccountNames:
publisher: publisher
scanner: scanner
steps:
- name: prisma
image: PRISMA-SCANNER-IMAGE
imagePullPolicy: IfNotPresent
workingDir: /workspace
securityContext:
privileged: true
allowPrivilegeEscalation: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
script: |
#!/bin/bash
# Alternative method of making twistcli available in the container
curl --output ./twistcli --write-out "%{http_code}" -s -L -k -u $USER_NAME:$PASSWORD $ADDRESS/api/v1/util/twistcli
chmod +x /workspace/twistcli
if [[ ! -e /cred-helper/config.json ]]; then
echo "{}" > /cred-helper/config.json
fi
podman pull $IMAGE
twistcli images scan --podman-path /usr/bin/podman --address $ADDRESS --user $USER_NAME --password $PASSWORD $IMAGE --output-file ./twist-scan.json --containerized
# Input commands used for your Prisma summary report conversion. See below for more detail.
twistoutput=./twist-scan.json
twistversion=$(./twistcli -v | sed "s/twistcli version //")
IMAGE_NAME=$(echo $IMAGE | cut -d'@' -f1)
IMAGE_DIGEST=$(echo $IMAGE | cut -d'@' -f2)
/prismaconverter image $twistversion $twistoutput "./" "./scan-results/twist-scan-cdx.json" $IMAGE_NAME $IMAGE_DIGEST
env:
- name: USER_NAME
valueFrom:
secretKeyRef:
key: username
name: prisma-auth
optional: false
- name: PASSWORD
valueFrom:
secretKeyRef:
key: password
name: prisma-auth
optional: false
- name: ADDRESS
valueFrom:
secretKeyRef:
key: address
name: prisma-auth
optional: false
- name: IMAGE
value: $(params.image)
workspace: {}
Where:
TARGET-IMAGEis the image to scan. You must specify the digest.PRISMA-SCANNER-IMAGEis the image containing the Prisma Cloud twistcli, podman, and a utility to convert the Prisma summary report in JSON format to a CycloneDX SBOM in XML format. The Prisma scanner produces a proprietary output instead of community standard CycloneDX or SPDX. Because of this, you cannot use the scan report summary produced by Prisma as is and you must convert it. Contact your account team if you want to use Prisma and need this utility.- The
securityContextgrants root access as Prisma requires root access to run. If permission is not given, you might encounter acannot clone: Operation not permittederror message. For information about thesecurityContext, see Customize an ImageVulnerabilityScan. Due to needing root access, you cannot run Prisma scans in clusters with restricted pod Security Standards.
For information about using the CLI, see the Prisma twistcli docs.
