Cloud Code Security

Prisma® Cloud delivers automated security for cloud native infrastructure and applications, integrated with developer tools

Cloud native application development is fast-paced and complex. It can be a challenge for security teams to keep up. However, DevOps practices present an opportunity to use automation to secure apps and infrastructure before deployment, alleviating that pressure.

Read about Unit 42’s latest research on the state of infrastructure as code security

A single tool for securing IaC, container images and source code across all modern architectures cloud environments.

Prisma Cloud embeds comprehensive security across the software development cycle. The platform identifies vulnerabilities, misconfigurations and compliance violations in IaC templates, container images and git repositories. It offers IaC scanning backed by an open source community, and image analysis backed by years of container expertise and threat research. With centralized visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that only secure code is deployed.
  • Support for multiple languages, runtimes and frameworks
  • Consistent controls from build time to runtime
  • Embedded in DevOps tooling
  • IaC scanning
    Infrastructure as Code scanning
  • Container image scanning
    Container image scanning
  • Policy as code
    Policy as code
  • Secrets scanning
    Secrets scanning
  • Git repo vuln management
    Git repo vuln management
  • OSS license compliance
    OSS license compliance


Our approach to Cloud Code Security

Infrastructure as code scanning

Infrastructure as code presents an opportunity to secure cloud infrastructure in code before it’s ever deployed to production. Prisma Cloud streamlines security throughout the software development lifecycle using automation and by embedding security into workflows in DevOps tooling for Terraform, CloudFormation, Kubernetes, Dockerfile, Serverless and ARM templates.

  • Automate cloud misconfiguration checks in code

    Add automated checks for misconfigurations at every step of the software development lifecycle.

  • Leverage the power of open source and the community

    Checkov, the open source tool built by Bridgecrew powering Prisma Cloud Infrastructure as Code Security, is backed by an active community and has been downloaded millions of times.

  • Embed misconfiguration checks in developer tools

    Prisma Cloud comes with native integrations for IDEs, VCS, and CI/CD tooling to help developers secure code in their existing workflows.

  • Include deep context for misconfigurations

    Prisma Cloud automatically tracks dependencies for IaC resources as well as the most recent developer modifiers to improve collaboration in large teams.

  • Provide automated feedback and fixes in code

    Automate pull request comments for misconfigurations along with automated pull requests and commit fixes and Smart Fixes for identified misconfigurations.

Container image scanning

Container images are a key component of cloud native applications. However, they typically include many resources outside the control of developers, such as operating systems and configurations. Prisma Cloud allows security teams to provide actionable feedback and guardrails for vulnerabilities and compliance violations in container images to keep these components secure.

  • Identify vulnerabilities in container images

    Use twistcli to identify vulnerabilities in operating systems and open source packages built into container image layers.

  • Provide fix status and remediation guidance

    Give developers the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating packages.

  • Alert on or block vulnerabilities by severity level

    Add guardrails to block images with vulnerabilities that don’t meet severity level requirements, before they are pushed to production.

  • Achieve container compliance in code

    Check your container image dependencies and configurations for violations against popular benchmarks like CIS and proprietary issues such as malware in build time.

  • Ensure trust for container images

    Harden images by leveraging build time scanning and trusted registries for a secure container image supply chain.

  • Integrate across the software development lifecycle

    Embed security feedback and guardrails in popular CI/CD tools, VCS, and registries.

Policy as code

Traditional security testing is performed by separate organizations using separate tools, creating siloed and difficult-to-replicate controls. Prisma Cloud offers policy-as-code to provide controls built into code that can be replicated, version-controlled and tested against live code repositories.

  • Build and control policies using code

    Define, test and version control check-lists, skip-lists and graph-based custom policies in Python and YAML for IaC templates.

  • Deploy and configure accounts and agents in code

    Use Terraform to onboard accounts, deploy agents and configure runtime policies, including ingestion and protection based on OpenAPI and Swagger files.

  • Leverage out of the box and custom policies for misconfigurations

    Prisma Cloud comes out of the box with hundreds of policies built in code and allows you to add custom policies for cloud resources and IaC templates.

  • Provide feedback directly on the code being written

    IaC templates have direct feedback with auto-fixes, pull/merge request comments, and pull/merge request auto-fixes.

Secrets scanning

It only takes bad actors a minute to find and abuse credentials exposed online. Identify secrets before production using Prisma Cloud. Find and remove secrets in IaC templates and container images in development environments and build time using signatures and heuristics.

  • Find secrets in IaC templates

    Identify passwords and tokens in IaC templates in IDEs, CLIs, pre-commit and in CI/CD tooling.

  • Identify secrets in container images

    Find hardcoded secrets in container images locally, in registries and CI/CD scans.

  • Identify secrets using multiple methods

    Use regular expressions, keywords or entropy-based identifiers to locate common and uncommon secrets such as AWS access keys and database passwords.

Git repository vulnerability management

A majority of modern application code is made up of open source dependencies. Lack of awareness and breaking changes prevent developers from using the latest packages that minimize vulnerabilities. Prisma Cloud identifies vulnerabilities in open source dependencies found in Node.js, Python, Java and Go repositories.

  • Build out a software bill-of-materials

    Prisma Cloud will locate dependencies in repositories and build a software bill-of-materials (SBOM) of the packages in use for vetting.

  • Verify security of dependencies against open source and proprietary databases

    Prisma Cloud scans git and non-git-based repositories for package vulnerabilities and compares them against public databases like NVD and the Prisma Cloud Intelligence Stream.

  • Include remediation guidance

    The output of the findings includes the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating libraries.

OSS license compliance

Every company has its own acceptable use policies for open source licenses. Don’t wait until a manual compliance review to find out that an open source library is non-compliant. Prisma Cloud catalogs open source licenses for dependencies and can alert or block repository commits based on customizable policies.

  • Avoid costly open source license violations

    Alert and block builds based on open source package licenses in Node.js, Python, Java and Go dependencies.

  • Scan git and non-git repositories for issues

    Prisma Cloud has native integrations with GitHub, but can scan any repository type using twistcli.

  • Use default rules or customize alerting and blocking

    Set alerting and blocking thresholds by license type to match internal requirements for copyleft and permissive licenses.

Cloud Code Security modules

Infrastructure as Code Security

Automated IaC security embedded in developer workflows.