I work at an organization that has a majority of its services and resources in the Cloud. We use code to manage our cloud infrastructure using Azure DevOps. This article explains how to set up static code analysis for infrastructure as code using Azure DevOps pipelines and Prisma cloud.
Static (non-running) code analysis is performed as part of the security development lifecycle, where tools are used to find vulnerabilities such as buffer overflow, SQL injection within application code.
It is the process of managing infrastructure resources using code. The prominent tools in this field are Terraform, Azure Resource Manager templates, Cloud formation templates, and Azure BICEP used for deploying resources. Additionally, tools such as Ansible, Chef, and Puppet are used for configuration. These tools effectively maintain consistency across multiple deployments and serve as documentation of existing environments.
However, this process could introduce vulnerabilities into the infrastructure environment, such as publicly exposed Virtual machines or storage containers.
Every PR with Terraform code has to pass the validation process in this flow by successfully generating a terraform plan with intended changes. Then, we feed this plan output into the Prisma IAC task to be scanned for vulnerabilities. Post which the PR is peer-reviewed and approved to merge into deployment branch. If the job fails, the PR is blocked from being merged unless open issues are resolved.
Setup Service Connection in Azure DevOps:
There are two approaches that we can take to use Prisma Cloud Extension for Azure DevOps. However, irrespective of the approach, the controls, and policies applied are the same.
Here is the pipeline definition based on the 2nd approach:
Now that we have a pipeline definition setup, you can now integrate these tasks into your existing terraform validation and deployment pipelines.
Below is an example of pipeline execution with Prisma Warning that we have one medium issue.
Prisma cloud IAC Scan only supports terraform. However, if you are using platform native tools such as ARM templates or Azure BICEP, you will be able to use services such as Azure Policy to validate your deployment. Azure Policy is a powerful service that can help catch security issues and ensure that the infrastructure definition is right-sized and meets the desired configuration.
When Azure Resource Manager templates or Azure BICEP code violates a defined policy, the deployment will fail at the validation state. Since we use the validation as a gating process for all Pull Requests with Infrastructure code, this violation blocks the merge of “faulty code” into our deployment branch.