# Prisma Cloud Supply Chain Security Reduces Code Complexity and Risk

By [Guy Eisenkot](https://www.paloaltonetworks.com/blog/author/guy-eisenkot/?ts=markdown "Posts by Guy Eisenkot"), Mar 09, 2022 (5 minute read)
This post is also available in [日本語 (Japanese)](https://www.paloaltonetworks.com/blog/2022/04/cloud-software-supply-chain-security/?lang=ja "Switch to Japanese(日本語)").

Cloud native supply chains have been highly tuned to meet the demands of DevOps speed and innovation. They are typically made up of containers and infrastructure as code (IaC) with open source dependencies to speed up innovation, and CI/CD pipelines to automate the delivery of new features. With our latest release, Prisma Cloud now provides an automatic inventory and visualization of your cloud native supply chain. This gives quick visibility into the software bill of materials, the connections between components, and the code pipelines that make up your cloud native applications.

Software supply chains have direct access to proprietary code and are just a few pivots away from production environments and sensitive data, and so are increasingly becoming the target of attacks. [Gartner predicted](https://www.gartner.com/doc/4003625) that "by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021." Organizations need to prepare for these attacks from every angle.

## Risks to Software Supply Chains

Supply chains are made up of two primary elements: the application and infrastructure components that make up cloud native applications, and the pipeline that builds and delivers those components into a working application environment. Both are subject to threats from bad actors attempting to tamper with code to install cryptominers or exfiltrate sensitive data.

In Unit 42's recent [Cloud Threat Report](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-2h21?ts=markdown), the team conducted a red team exercise against a software supply chain and a study of the posture of open source code.
They found that access to overly permissive credentials opened the door for lateral movement and continuous integration (CI) pipeline poisoning. This highlights how easy it can be for attackers to gain access to a pipeline and inject malicious code. As part of the same research, a scan of open source components across repositories and registries found that a shocking 64% of Terraform modules contained at least one high or critical misconfiguration, and 91% of container images contained at least one high or critical severity vulnerability. Any of these open source components included in an application would increase its attack surface.

## Principles of Supply Chain Security

Protecting against these attacks requires a full stack, full lifecycle approach to securing pipelines. Prisma Cloud already provides comprehensive security for cloud native supply chains. Now, Prisma Cloud also inventories and visualizes the pieces of your application supply chain.

![Screenshot of a supply chain graph.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-7.png)

Visibility into a software supply chain.

With this visibility, DevOps and security teams alike have a better understanding of all of the components of their applications and how to improve their posture. For each component of the software supply chain in the new visualization, Prisma Cloud provides protection from code to cloud.

### Code

A secure supply chain begins with secure open source components. Open source components make up the majority of modern applications; however, most contain some vulnerability. Prisma Cloud already identifies [vulnerabilities and misconfigurations in repository packages and IaC files](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security?ts=markdown) locally, through its integrated development environment (IDE) integrations and command line interface (CLI) tools powered by Bridgecrew.
For many of the security issues identified, Prisma Cloud provides fix suggestions that empower developers to secure their own code.

![Screenshot of code from a TerraGoat repository.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-8.png)

Code inputs vetted for policy violations in IDE environments.

Before pulling any image out of a public registry that may contain malware, Prisma Cloud includes [container sandbox technology](https://www.paloaltonetworks.com/blog/prisma-cloud/image-analysis-sandbox/?ts=markdown) to vet images before use. These tools in combination help ensure that the components that make up an application are as secure as possible before they leave the developer's desktop. Additionally, it's all too easy to include a secret like an API key in your development environment and mistakenly commit it to a repository, exposing your organization to attack. Prisma Cloud includes checks that identify secrets to prevent such exposure.

### Build

At this stage, software supply chain security expands beyond components to include the pipeline. Prisma Cloud's integrations with version control systems (VCS) and CI/CD pipelines include checks and guardrails to ensure that only secure code is integrated into repositories and that only secure container images make it into trusted registries. Additionally, Prisma Cloud checks the integrity of the VCS and CI/CD pipelines themselves and ensures that correct branch protections are in place to prevent code tampering attacks. Pipelines given permission to deploy infrastructure for testing and automation can be limited to the [minimum permissions](https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastructure-entitlement-mgmt?ts=markdown) required to accomplish their tasks.

![Screenshot of inside Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-9.png)

Pull request comments pointing out issues in branches.
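The committed-secret problem described in the Code section above, as an added example that is not Prisma Cloud's or Bridgecrew's code: a small pre-commit style scanner in Python that runs a handful of credential patterns over the files staged for a commit and blocks the commit when any non-placeholder hit is found. The rule set, the allowlist of placeholders and the staged file contents are all constructed for this example; the AWS key values are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
import re
from typing import Dict, List, Tuple

# Illustrative detection rules for a few common credential shapes.
# Assumption: a constructed rule set, not Prisma Cloud's or Bridgecrew's rules.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs have a fixed prefix and length, so they can be matched exactly.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub personal access tokens (classic) carry the ghp_ prefix.
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key headers in the common flavours.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Catch-all: a credential-looking variable assigned a literal value.
    "generic_assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret(?:[_-]?key)?|password|passwd|token)\b\s*[:=]\s*['"]?([A-Za-z0-9/+_\-]{8,})['"]?"""
    ),
}

# Placeholder values that are safe to commit (constructed allowlist).
ALLOWLIST = {"changeme", "REPLACE_ME", "your-secret-here"}

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and collect the hits."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Rules with a capture group report the assigned value; the rest report the whole match.
            value = match.group(1) if match.groups() else match.group(0)
            if value in ALLOWLIST:
                continue
            findings.append((path, lineno, rule))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook sees the staged files."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files: Dict[str, str]) -> bool:
    """The commit is blocked as soon as any non-allowlisted secret is found."""
    return not scan_files(files)


# Constructed sample of staged files. The AWS values are the placeholder
# credentials from AWS documentation, not live keys.
SAMPLE_FILES: Dict[str, str] = {
    "terraform/main.tf": (
        'provider "aws" {\n'
        '  region     = "us-east-1"\n'
        '  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "}\n"
    ),
    "app/config.py": (
        "DEBUG = False\n"
        'API_KEY = os.environ["API_KEY"]\n'  # read from the environment: fine
        'db_password = "changeme"\n'         # allowlisted placeholder: fine
    ),
    ".env.example": "GITHUB_TOKEN=<your-token-here>\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Run against the sample, the scanner reports the access key and secret key in `terraform/main.tf` and the private key in `deploy/id_rsa`, and lets the environment-variable lookup and the `changeme` placeholder through. The allowlist is what keeps a check like this usable in a pipeline: without it, every example config and test fixture becomes a false positive that developers learn to ignore.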
### Deploy

At the deployment stage, a secure supply chain has a final gate for admission into a running environment. Here Prisma Cloud's admission controller and its integration with cloud native technologies like [Open Policy Agent (OPA)](https://www.paloaltonetworks.com/blog/prisma-cloud/open-policy-agent-support/?ts=markdown) can be the final line of defense against insecure configurations. Prisma Cloud can also enforce that only trusted images are pulled from registries into production, which prevents image poisoning attacks.

![Screenshot of admission audit details.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-10.png)

Integration with OPA prevents misconfigured containers from being deployed.

### Run

At the run stage, all of those components should be continuously monitored for newly discovered misconfigurations and vulnerabilities. Prisma Cloud provides a fast feedback loop that delivers vulnerability discoveries and remediation guidance back to the code so that dependencies can be patched quickly. Additionally, even with the most proactive approach to security, you still need runtime security to identify zero-days and [threats](https://www.paloaltonetworks.com/blog/prisma-cloud/threat-detection-cloud-security-strategy/?ts=markdown).

## One Platform for Supply Chain Security

Prisma Cloud's latest enhancements bring overall visibility into the posture of your software supply chain. This, in combination with Prisma Cloud's existing compliance and vulnerability checks, ensures that the components that make up your applications and the pipeline that assembles them are secure. If you want to begin securing your software supply chain end to end, request a [trial of Prisma Cloud](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial?ts=markdown).
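The admission gate described in the Deploy section above, as an added example that is not Prisma Cloud's or OPA's own code: a minimal Kubernetes validating-webhook evaluator in Python that denies a Pod when any image is not from an allowlisted registry or not pinned by digest, when a container runs privileged or without `runAsNonRoot`, or when the Pod uses `hostNetwork`. The registry allowlist, the Pod manifests and the AdmissionReview UIDs are constructed for this example; a production gate would express the same rules in Rego and let OPA or the platform's admission controller evaluate them.

```python
from typing import Any, Dict, List

# Constructed allowlist of registries the cluster may pull from.
# Assumption: illustrative values, not a Prisma Cloud setting.
TRUSTED_REGISTRIES = ("registry.example.internal/", "ghcr.io/example-org/")


def image_from_trusted_registry(image: str) -> bool:
    return any(image.startswith(prefix) for prefix in TRUSTED_REGISTRIES)


def image_pinned_by_digest(image: str) -> bool:
    # A digest ties the image that runs to the image that was scanned;
    # a mutable tag such as :latest can be repointed at poisoned content.
    return "@sha256:" in image


def evaluate_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the reasons to deny this Pod; an empty list means admit."""
    reasons: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        reasons.append(f"{name}: hostNetwork is not allowed")
    # Init containers run before the main ones and are held to the same rules.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        image = c.get("image", "")
        if not image_from_trusted_registry(image):
            reasons.append(f"{cname}: image {image!r} is not from a trusted registry")
        if not image_pinned_by_digest(image):
            reasons.append(f"{cname}: image {image!r} is not pinned by digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"{cname}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            reasons.append(f"{cname}: runAsNonRoot must be true")
    return reasons


def admission_response(review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    request = review["request"]
    reasons = evaluate_pod(request["object"])
    response: Dict[str, Any] = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}


def make_review(uid: str, pod: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a Pod in the request shape the API server sends to a webhook (constructed)."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": pod,
        },
    }


# Constructed Pods: one that satisfies the gate and one that fails every rule.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "payments-api"},
    "spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/payments/api@sha256:" + "0" * 64,
        "securityContext": {"runAsNonRoot": True, "privileged": False},
    }]},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "shell",
        "image": "docker.io/library/busybox:latest",
        "securityContext": {"privileged": True},
    }]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(admission_response(make_review("constructed-uid", pod))["response"])
```

The response echoes the request `uid` so the API server can match it to the pending create, and the `status.message` lists every failed rule rather than only the first, which is what a developer needs to fix the manifest in one pass. Keeping the registry check and the digest check separate matters: an image from a trusted registry that is referenced by a mutable tag can still be swapped out after it was scanned.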
We also welcome you to join us at the upcoming [Code to Cloud Summit](https://start.paloaltonetworks.com/code-to-cloud-summit.html) to hear about our approach to supply chain security from Guy Eisenkot, senior director, product management, Palo Alto Networks.