Prisma Scanning Tutorial
API Tutorial
Gunjan Patel
http://www.paloaltonetworks.com
© 2019 Palo Alto Networks. Proprietary and Confidential
Table of Contents
Activity 1 – Container Image Scanning for Vulnerabilities 2
Task 1 – Build and Scan the Application Container Image 5
Conclusion 15
● Scan your container images for security vulnerabilities using the Prisma Public Cloud
(formerly RedLock) free public APIs
● Scan publicly available container images for security vulnerabilities
● Patch the images
● Push the patched image to your container registry
Dockerfile:
A Dockerfile is the manifest of build instructions that describes how to build a specific container image.
Image:
Container images are read-only templates from which containers are launched. Each image
contains a series of layers as explained above.
Container:
A container is a running, mutable (read + write) instance of an image.
We will build the frontend service for our Guestbook app. The Development team wrote the code,
and now we are packaging the code in a container.
This is the Dockerfile, which describes what we are including in this image (base OS/image, code
and code dependencies/libraries):
In this Dockerfile…
● We are using the php:5-apache base image for our frontend app container (line 15)
https://hub.docker.com/_/php
● Adding the frontend app code (PHP, JavaScript and HTML) to the image (lines 29-31)
cd ignite2019-how14/code
➔ Edit the Dockerfile to add the Prisma Public Cloud image scanning API call
nano Dockerfile
➔ Go to the end of the file and append the following two lines at the end
ARG rl_args
What we are doing here by adding rl_args and SCAN_CMD is listing all the packages installed
in this image and getting, from the Prisma Public Cloud free public image scanning API, the
list of known vulnerabilities associated with those packages. The Prisma Public Cloud
Infrastructure as Code Scanner will provide a pass/fail for the build based on the list of
vulnerabilities we get back.
ARG rl_args passes the build arguments that configure when to pass/fail the build and how to
group/view the scan result. See https://vscanapidoc.redlock.io/ for more information.
cp Dockerfile.withScanning Dockerfile
➔ Next, analyze the completed results and take note of the following:
b. It fails because the vulnerability scan result received from the Prisma Public Cloud
image scan API endpoint indicates that more than one package has known
vulnerabilities
c. Notice that the final image would have had 38 high severity CVEs, 248 medium and
102 low severity CVEs, totaling 394 CVEs.
Note: Your results may differ, as new CVEs are identified over time.
e. The failure reason is that the number of CVEs exceeded the threshold (by default 1)
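A build gate of the kind the SCAN_CMD step implements, as an added example in Python that is not the tutorial's or Prisma's own code: it groups a scan result by severity and by package and fails the build once the count of CVEs at or above a chosen severity reaches the threshold (default 1). The scan result shape, package names and CVE ids are constructed for the example, and it does not call the API.

```python
import json
import sys
from collections import Counter

# Constructed sample scan result. Its shape (packages, each with a list of
# CVE ids and severities) is an assumption for this example; the real API
# response format is described in the vscan API documentation linked above.
SAMPLE_SCAN = json.dumps({"packages": [
    {"name": "libssl1.1", "version": "1.1.0f-3", "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "high"},
        {"id": "CVE-EXAMPLE-0002", "severity": "medium"}]},
    {"name": "apache2", "version": "2.4.25-3", "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0003", "severity": "low"}]},
    {"name": "curl", "version": "7.52.1-5", "vulnerabilities": []},
]})

SEVERITIES = ("high", "medium", "low")  # ordered from most to least severe


def summarize(scan_json):
    """Group the CVEs in a scan result by severity and by package."""
    data = json.loads(scan_json)
    by_severity = Counter()
    by_package = {}
    for pkg in data["packages"]:
        vulns = pkg.get("vulnerabilities", [])
        if vulns:
            by_package[pkg["name"]] = len(vulns)
        for vuln in vulns:
            by_severity[vuln["severity"].lower()] += 1
    return {"by_severity": dict(by_severity), "by_package": by_package,
            "total": sum(by_severity.values())}


def build_passes(scan_json, threshold=1, min_severity="high"):
    """Decide pass/fail: count every CVE at min_severity or worse and fail
    when that count reaches the threshold (the tutorial's default is 1).
    Whether the real API compares with >= or > is not shown on the page;
    >= is assumed here so that the default of 1 fails on the first CVE."""
    summary = summarize(scan_json)
    counted = SEVERITIES[:SEVERITIES.index(min_severity) + 1]
    relevant = sum(summary["by_severity"].get(sev, 0) for sev in counted)
    return relevant < threshold


if __name__ == "__main__":
    # Exit non-zero so a RUN step in the Dockerfile (or a CI job) fails.
    print(json.dumps(summarize(SAMPLE_SCAN), indent=2))
    sys.exit(0 if build_passes(SAMPLE_SCAN) else 1)
```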
End of Activity 1
● Scan your Kubernetes application deployment manifest using the Prisma Public Cloud
Infrastructure-as-Code (IaC) public API for security best practices
● Analyze the result
● Fix all the applicable misconfigurations
In this activity, we will start using Kubernetes-specific terms such as Pods, Services, etc.
Here is a good primer: https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/
What is Kubernetes?
A Kubernetes manifest file describes how your containerized application is deployed in Kubernetes.
A manifest file can contain one or more objects, such as Deployments (a replicated group of
Pods), Services (proxies), Volumes, and ConfigMaps (configuration for the application
pods/containers). Manifest files can be in JSON or YAML format. YAML is more common in the
Kubernetes world, so we will use it in this lab, but the Prisma Public Cloud Infrastructure-as-Code
(IaC) API supports both JSON and YAML.
When you scan your Kubernetes manifest files with the free Prisma Public Cloud
Infrastructure-as-Code (IaC) API, you get back an analysis result that points out any configuration
which is vulnerable to exploitation. Each rule violation in the scan result carries a severity.
You can include this scan in your CI/CD (Continuous Integration / Continuous Delivery) pipeline,
so that all your Kubernetes manifests go through an automated sanity check before they are applied to
production. The CI build should fail if any of your manifests has a high severity security
misconfiguration.
This API also lets you scan Terraform and CFT (AWS CloudFormation template) files for security best-practice violations.
Detailed documentation can be found here: https://iacscanapidoc.redlock.io/
cd ..
cat guestbook-ew.yaml
➔ Scan the guestbook app manifest with the Prisma Public Cloud IaC (Infrastructure-as-Code)
Scan API
As you can see from the scan result, we have 2 potential security misconfigurations in our manifest:
a. A container is running in privileged mode, which can be dangerous
b. Pods in a deployment are sharing the network namespace with the host
Both are classified as high severity security best-practice violations, as you can see from
the severity field of each violation.
nano guestbook-ew.yaml
hostNetwork: true
Use your choice of editor (vi/nano) to modify the guestbook-ew.yaml file. To delete a
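The two rules the IaC scan reported, written as a small checker with a matching fix, as an added example that is not the tutorial's or Prisma's own code: it flags privileged containers and hostNetwork in a Deployment or Pod manifest and strips both settings, the same edit the tutorial has you make by hand in guestbook-ew.yaml. The Deployment is constructed in JSON (which the IaC API also accepts) and its names are made up.

```python
import json

# Constructed Deployment manifest in JSON (the IaC API accepts JSON or YAML)
# carrying both misconfigurations the scan reported. Names are made up.
BAD_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "frontend"},
    "spec": {"replicas": 3, "template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "php-frontend", "image": "frontend:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "sidecar:latest"}]}}}})


def pod_spec(manifest):
    """Return the Pod spec of a bare Pod, or of a workload's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def all_containers(spec):
    """Regular and init containers of a Pod spec."""
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_manifest(manifest_json):
    """Return (rule, severity, location) findings for the two rules."""
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    if spec.get("hostNetwork") is True:
        findings.append(("pod shares the host network namespace", "high", name))
    for container in all_containers(spec):
        if container.get("securityContext", {}).get("privileged") is True:
            findings.append(("container runs in privileged mode", "high",
                             f"{name}/{container['name']}"))
    return findings


def remediate(manifest_json):
    """Return the manifest with hostNetwork and privileged removed."""
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    spec.pop("hostNetwork", None)
    for container in all_containers(spec):
        container.get("securityContext", {}).pop("privileged", None)
    return json.dumps(manifest)
```

Running check_manifest on the remediated output returns no findings, which is what a rescan of the fixed manifest should report.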
You can also scan your Terraform and CFT template files with the same Prisma Public Cloud IaC
public API endpoint, and all of this is provided free of charge.
For more details on Kubernetes manifest scanning and IaC API documentation, check out the
documentation page: https://scanapidoc.redlock.io/
End of Activity 2