Shift Security Left with Git Repo Vulnerability Management

Oct 13, 2020
3 minutes
... views

There is good evidence for a correlation between organizations that are highly prepared to deal with security events, and those that embed security into their DevOps processes. In the 2020 State of Cloud Native Security Report, which surveyed more than 3,000 DevOps, infrastructure, and security practitioners, 45% of companies who ranked as 'highly prepared' had adopted DevSecOps practices. 

In order to provide teams like these the most in-depth security tools on the market, Prisma Cloud now provides git repository (repo) vulnerability management by scanning code before its committed to workflows. This is in addition to a broad set of leading capabilities that are already allowing security teams to shift security left—that is, move security considerations as close to development as possible.

Shift Left Security Across Build, Deploy, and Run

Throughout the last year, we've innovated Prisma Cloud to deliver unified DevOps plugins, combining infrastructure-as-code (IaC) scanning with container image and serverless function scanning to secure the application lifecycle.

Prisma Cloud capabilities across build, depoy and run.
Prisma Cloud capabilities across build, depoy and run.


At the build, Prisma Cloud scans IaC templates for misconfigurations, integrated with software configuration managers (SCM), integrated development environments (IDE), and continuous integration (CI) tools. Additionally, users can scan container images and functions, with the ability to enforce application policies on vulnerability severity or compliance.


At the deploy phase, Prisma Cloud continuously monitors container registries and serverless repos to provide uninterrupted visibility and control into risk and compliance status. It also integrates with cloud native technologies, like Open Policy Agent, to offer additional visibility and enforcement over deployments.


At runtime, Prisma Cloud identifies visibility, protection and risk prioritizations so organizations can audit and improve their security posture across cloud infrastructure and cloud native applications. Users can define IaC Build policies and CI policies centrally from our dashboard to enhance control across the application lifecycle.

Shifting Further Left with Git Repo Vulnerability Management

As developers and DevOps teams deploy cloud native applications with increasing release velocity, they need ways to seamlessly integrate security across the full application lifecycle from build to deploy to run. With our latest release, these teams can now scan git repos for known CVEs before container images or functions are built as part of CI/CD workflows.

Initial support includes Java, Python and Node. Scanning can be initiated from the vulnerability policy and code repositories window with either GitHub credentials and/or repo location.

Modifying vulnerability management policies in Prisma Cloud.
Modifying vulnerability management policies in Prisma Cloud.

After credentials are updated, Prisma Cloud surfaces vulnerability details within vulnerability explorer under the new code repository tab. Vulnerability data is updated with each commit, or at user-defined time intervals. The vulnerability details include both severity and risk factors, just like the vulnerability users see data for hosts, images or functions.


 Code repository vulnerability alerts within Prisma Cloud
Code repository vulnerability alerts within Prisma Cloud.

Git repo vulnerability scanning bolsters the existing host, container and serverless vulnerability management and compliance features within Prisma Cloud.

Even More Integrated Capabilities

When combined with the other innovative functionality in this most recent release, git repo scanning demonstrates the powerful ability users gain in their efforts to shift security left. 

For more on integrated capabilities within Prisma Cloud, download the overview Shift Left and Enable DevSecOps.


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.