Infrastructure as Code (IaC) Security

Identify and fix misconfigurations in Terraform, CloudFormation, ARM, Kubernetes, and other IaC templates

Infrastructure as Code (IaC) enables engineers to version control, deploy, and improve cloud infrastructure while leveraging DevOps processes. This also presents an opportunity to proactively improve the posture of cloud infrastructure and reduce the burden on security and operations teams.

Read about Unit 42’s latest research on the state of infrastructure as code security

Automated Infrastructure as Code security

Prisma Cloud, powered by Bridgecrew, scans IaC templates for misconfigurations across the development lifecycle, embedding security in integrated development environments, continuous integration tools, repositories and runtime environments. Prisma Cloud enforces policy-as-code early through automation, preventing deploying misconfigurations and providing automated fixes.
  • Continuous governance to enforce policies in code
  • Embedded in DevOps workflows and tooling
  • Automated misconfiguration fixes via pull requests
  • Backed by the community
  • Developer-friendly integrations
  • Automated fixes
  • Built-in guardrails
  • Compliance benchmarks

The Prisma Cloud Solution

Our approach to IaC security

Backed by the community

Prisma Cloud IaC security is built on the open source project Checkov. Checkov is a policy-as-code tool with millions of downloads that checks for misconfigurations in IaC templates such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework. Users can leverage hundreds of out-of-the-box policies and add custom rules. Prisma Cloud augments Checkov with simplified user experience and enterprise features.

  • Check for policy misconfigurations

    Checkov checks IaC templates against hundreds of out-of-the-box policies based on benchmarks such as CIS, HIPAA and PCI, as well as community-sourced checks.

  • Leverage context aware policies

    Checkov’s policies include graph-based checks that traverse multiple levels of resource relationships, enabling complex policies such as higher severity levels for internet-facing resources.

  • Extend capabilities and integrations

    Checkov is designed to be extensible, with the ability to add custom policies and tags, as well as CLIs designed to be added to continuous integration and other DevOps tools.

  • Integrate with Prisma Cloud to extend its capabilities

    Prisma Cloud augments Checkov’s open source capabilities with a history of scans, additional integrations, auto-fixes and more.


Integrated IaC as part of the pipeline

Involving developers in remediation is the fastest way to get things fixed. Prisma Cloud provides feedback directly in popular DevOps tools, including integrated development environments (IDE), continuous integration (CI) tools, and version control systems (VCS). Additional aggregation and reporting are available in the Prisma Cloud platform.

  • Provide fast feedback throughout the development lifecycle

    Prisma Cloud integrates with IDEs, CI tools and VCS to provide feedback and guardrails in the tools developers already use.

  • Enable fixes with code review comments

    Native integrations with VCS create code comments on each new pull request for identified misconfigurations, making them easier to find and fix.

  • View all code misconfigurations in one place

    Prisma Cloud includes a centralized view of all misconfigurations across scanned repositories, with filtering and searching to find code blocks and owners.

  • Build remediation work into DevOps workflows

    Integrations with collaboration and ticketing tools can generate tickets and alerts to notify the right teams to add remediations to DevOps tasks.


Context aware and actionable feedback

When developers are moving as fast as possible to meet deadlines, providing policy violations without explanation just causes frustration. Prisma Cloud includes automatic remediations for many policies along with guidelines for all policies to provide the details to get misconfigurations fixed.

  • Context aware visibility and policies

    Prisma Cloud surfaces policy violations for resources and their dependencies, and policies can be based on context such as higher severity for internet-exposed violations, helping with prioritization.

  • Provide actionable guidance

    Each policy violation comes with actionable guidelines about the misconfiguration along with guidance to remediate the issue.

  • Trace cloud to code with code owners for faster remediation

    Cloud resources are traceable back to their IaC templates, including the code modifier, to find the right resource and team to remediate issues fast.

  • Enable GitOps workflows

    Tracing cloud misconfigurations back to code enables issues identified in runtime to be fixed in code to maintain the benefits of scalability and auditability of IaC templates.


Enforced guardrails

Under pressure to deliver features, developers follow the path of least resistance. Similarly, during an incident engineers can rush to fix issues directly in cloud environments, leaving IaC templates out of sync. Guardrails let you create a secure golden pipeline in which infrastructure as code is vetted, enforcing the GitOps best practice of maintaining configurations in code.

  • Block severe misconfigurations from being added to repos and deployed

    Integrations with CI tools allow for hard fails that can block misconfigured code from entering a repository or deployment process.

  • Set custom levels for blocking builds

    Hard fail policy levels can be set per repository, along with per policy exclusions and per resource suppressions.

  • Extend policy sets with custom policies

    Add custom policies using Python, YAML or the UI policy editor to apply organization-specific policies, including multi-resource, graph-based policies.

  • Provide actionable information about failed deployments

    Every scan includes a code review listing the misconfigurations, with guidelines to remediate each issue and auto-fixes for issues identified in pull requests.
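As an added illustration of how the custom Python checks, per-resource suppressions and hard-fail severity levels described in the Checkov and guardrails sections fit together, the following self-contained sketch mirrors the scan_resource_conf(conf) contract of a Checkov custom check (it is not Prisma Cloud's or Checkov's own code). The stand-in base class, the CUSTOM_AWS_* ids, the severities and the sample resources are all constructed here; the nested-block shape of conf is an assumption.

```python
from enum import Enum

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"

class BaseResourceCheck:
    """Stand-in for Checkov's BaseResourceCheck (constructed, not imported). conf maps each
    attribute to a list of values, as Checkov's Terraform parser does; nested-block shape assumed."""
    def __init__(self, name, check_id, supported_resources, severity):
        self.name, self.id, self.supported_resources, self.severity = name, check_id, supported_resources, severity

class S3BucketNoPublicAcl(BaseResourceCheck):
    def __init__(self):
        super().__init__("S3 bucket ACL must not be public", "CUSTOM_AWS_1", ["aws_s3_bucket"], "HIGH")
    def scan_resource_conf(self, conf):
        acl = conf.get("acl", ["private"])[0]  # Terraform's default ACL is private
        return CheckResult.FAILED if acl in ("public-read", "public-read-write") else CheckResult.PASSED

class SecurityGroupNoOpenSsh(BaseResourceCheck):
    def __init__(self):
        super().__init__("SSH must not be open to 0.0.0.0/0", "CUSTOM_AWS_2", ["aws_security_group"], "CRITICAL")
    def scan_resource_conf(self, conf):
        for rule in conf.get("ingress", []):  # one attribute dict per ingress block
            lo, hi = rule.get("from_port", [0])[0], rule.get("to_port", [65535])[0]
            if lo <= 22 <= hi and "0.0.0.0/0" in rule.get("cidr_blocks", [[]])[0]:
                return CheckResult.FAILED
        return CheckResult.PASSED

def run_scan(resources, checks, suppressions, hard_fail_at):
    """resources: (type, name, conf) triples; suppressions: {"type.name": {check_id}}. Returns
    (failures, block); block mirrors a CI hard fail when a failure reaches hard_fail_at severity."""
    failures, block = [], False
    for rtype, rname, conf in resources:
        address = f"{rtype}.{rname}"
        for check in checks:
            if rtype not in check.supported_resources or check.id in suppressions.get(address, ()):
                continue  # check not applicable to this resource type, or suppressed for this resource
            if check.scan_resource_conf(conf) is CheckResult.FAILED:
                failures.append((address, check.id, check.severity))
                block |= SEVERITY_RANK[check.severity] >= SEVERITY_RANK[hard_fail_at]
    return failures, block

SAMPLE = [  # constructed: attribute dicts a parser would produce from three Terraform blocks
    ("aws_s3_bucket", "logs", {"bucket": ["acme-logs"], "acl": ["public-read"]}),
    ("aws_s3_bucket", "assets", {"bucket": ["acme-assets"]}),
    ("aws_security_group", "bastion", {"ingress": [{"from_port": [22], "to_port": [22], "cidr_blocks": [["0.0.0.0/0"]]}]}),
]
```

Running run_scan(SAMPLE, [S3BucketNoPublicAcl(), SecurityGroupNoOpenSsh()], {}, "HIGH") reports both the public bucket and the open SSH rule and blocks the build; suppressing CUSTOM_AWS_2 on the bastion and raising the hard-fail level to CRITICAL leaves the bucket finding visible but no longer blocking.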

