CI/CD Security

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment.

The volume and sophistication of attacks targeting the engineering ecosystem are growing rapidly. According to Gartner, organizations must protect the delivery pipeline to remain secure in the cloud. Prisma® Cloud provides a powerful yet simple way to gain visibility and control across application delivery pipelines.

Learn about the Top 10 CI/CD Security Risks

Prisma Cloud makes it simple for AppSec practitioners to secure their CI/CD pipelines without slowing engineers down.

Prisma Cloud continuously monitors pipelines against the OWASP Top 10 CI/CD Security Risks and other attack vectors so that bad actors can’t breach the delivery pipeline or inject malicious code into applications.
  • Single view into the engineering ecosystem
  • Complete protection against the OWASP Top 10 CI/CD Security Risks
  • Granular controls to block insecure code from reaching production
  • Graph-based CI/CD mapping
  • Comprehensive engineering tool inventory
  • Pipeline posture management
  • Actionable fix guidance

THE PRISMA CLOUD SOLUTION

Graph-Based CI/CD Security for Practitioners

Centralized visibility across the engineering ecosystem

The cloud-native engineering ecosystem is increasingly complex, which makes it challenging for AppSec teams to get the visibility they need to secure it. Getting a unified inventory of the languages, frameworks and executables within their ecosystems is the first step toward a secure CI/CD pipeline.

Prisma Cloud CI/CD Security brings together a single view of all technologies in use and their associated code security risks.

  • Scan across languages and repositories with unmatched accuracy.

    Identify security risks across code types for all the most popular languages.

  • Connect infrastructure and application risks.

    Focus on the critical risks that are exposed within your codebase, eliminate false positives and prioritize remediations faster.

  • Visualize your software supply chain.

    Get a consolidated inventory of your CI/CD pipelines and code risks across your engineering ecosystem.

  • Catalog your software supply chain.

    Generate a software bill of materials (SBOM) to track all sources of application risk and understand your attack surface.


Posture management of the delivery pipeline

Cloud attacks frequently target CI/CD pipelines and the software supply chain, exposing organizations to code injection, credential theft, data exfiltration and intellectual property theft. Organizations must respond by implementing new security practices. Security issues mapped to the OWASP Top 10 identify attack vectors and provide guidance on how to address CI/CD security.

  • Get visibility into your software supply chain security posture.

    Identify missing branch protection rules, insecure pipeline configurations and potential for poisoned pipelines, with native controls to proactively prevent attacks.

  • Run a graph-based attack path analysis of the many resources impacting your pipelines.

    Software pipelines are multidimensional, with many tools, internal and external resources that must all be secured to prevent attacks.

  • Harden your delivery pipelines.

    Backed by the world’s best CI/CD security researchers, Prisma Cloud helps teams adopt critical security guardrails to harden their pipelines over time. These guardrails ensure that bad actors can’t leverage CI/CD pipeline weaknesses to reach production environments or run malicious code.

  • Identify credentials exposed in pipelines.

    Find cleartext credentials in webhooks and pipeline logs that could be stolen and abused.

  • Create and enforce custom policies throughout the software development lifecycle.

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments.


Cloud Application Graph™

By harnessing the power of relational graph databases, Prisma Cloud distills all components of the modern engineering ecosystem into a single view. With supply chain context and per-developer workflows, organizations can harden their CI/CD pipelines over time and prevent security issues from reaching production.

  • Analyze the entire ecosystem.

    Correlate several disparate signals across codebases, scanners, orchestration and automation tools, and more to centralize visibility and control across all engineering technologies and workflows.

  • Visualize breach pathways.

    Untangle complex relationships to pinpoint critical risks and understand the breach pathways to reach critical assets.


Part of the CNAPP

The only way to prevent insecure code from reaching production is to scan every code artifact and dependency and to ensure the delivery pipeline is effectively protected. CI/CD Security is just one application security use case that’s part of Prisma Cloud’s cloud-native application protection platform (CNAPP).

  • Identify risks in code as developers are building and testing software.

    Check packages and images for vulnerabilities and compliance issues across repositories like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Lock down deployments to only vetted images and templates.

    Leverage Prisma Cloud code scanning and container sandbox analysis to identify and block malicious code and apps from reaching production.

  • Capture detailed forensics of every audit or security incident.

    Automatically and securely gather forensics details in a powerful timeline view to enable incident response. You can view data in Prisma Cloud or send it to other systems for deeper analysis.

  • Prevent risky activity across any runtime environment.

    Manage runtime policies from a centralized console to ensure security is always present as part of every deployment. Mapping of incidents to the MITRE ATT&CK® framework, along with detailed forensics and rich metadata, helps SOC teams track threats for ephemeral cloud-native workloads.

  • Context-aware security.

    Detect and prevent misconfigurations and vulnerabilities that lead to data breaches and compliance violations at runtime, with a complete cloud developer inventory, configuration assessments, automated remediations and more.


Code Security Modules

Infrastructure as Code Security

Automated IaC security embedded in developer workflows.

Software Composition Analysis (SCA)

Context-aware open-source security and license compliance.

Secrets Security

Find and secure exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.