Work in Progress

Repository for showing a Secure Software Development Lifecyle

Goals

1. Build Container Image and push to Amazon Elastic Container Registry (ECR)
2. Build Amazon Elastic Compute Cloud (EC2) Instance with webserver (from html/index.html) via script at launch and deploy using Terraform Cloud
3. Build EKS Cluster with Amazon Elastic Kubernetes Service (EKS)
4. Deploy Conatiner Image within Amazon Elastic Container Service (ECS)

Technologies Used:

• Docker (Code)
• Terraform (IaC)
• GitHub (VCS)
• GitHub Actions (CI)
• Terraform Cloud (CD)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Elastic Container Service (ECS)

Security Provided by Prisma Cloud

List of Security Functions provided by Prisma Cloud

Secure the Source

1. IaC & SCA Scanning with Checkov via IDE Plugin
2. IaC Tagging with Yor via GitHub Action @ Pull Request
3. Image Scanning with Twistcli via GitHub Action @ Pull Request
4. IaC & SCA Scanning with Checkov via GitHub Action @ Push to Main Branch
5. IaC & SCA Scanning with Prisma Cloud via Integration @ Push to Main Branch

Secure @ Build & Deploy

1. Image Scanning with Twistcli via GitHub Action @ Push to Main Branch
2. IaC Scanning with Prisma Cloud via Terraform Run Task during Terraform Plan
3. IaC Scanning with Prisma Cloud via Terraform Run Task during Terraform Apply
4. Scanning Images in Container Image Registry via Prisma Cloud

Secure the Runtime

1. Scanning for CI/CD Risk within Development Pipelines
2. Continuous Scanning of Configurations in AWS environment
3. Continuous Workload Vulnerability Scanning of cloud workloads

Information for Deployment

• Ensure repository is public or part of GitHub Enterprise for GitHub Code Security Integration
  • About GitHub Code Scanning Integration
• Configure GitHub Actions to allow for Write Permissions (Settings->Actions->General->Under "Workflow permissions"->Enable "Read and Write Permissions")

Integration with AWS

• Configure GitHub Action Secret - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
• Configure GitHub Action Variables - AWS_ECR_REPOSITORY and AWS_REGION

Integrations with Terraform Cloud

• Configure Workspace to allow for "Auto apply" for Apply Method
• Configure GitHub Action Secret - TF_API_TOKEN
• Configure GitHub Action Variables - TERRAFORM_CLOUD_WORKSPACE and TERRAFORM_CLOUD_ORG

Integrations with Prisma Cloud

• Information for GitHubAction for IaC Tagging - yor-action
• Configure GitHub Action Secret for Checkov IaC Scan Scanning & Checkov Image Scanning - BC_API_KEY
• Configure GitHub Action Variables - PRISMA_API_URL
  • checkov-action
• Configure GitHub Action Secret for twistcli Image Scanning - PCC_CONSOLE_URL, PCC_PASS and PCC_USER
  • prisma-cloud-scan
  • legacy github action

GitHub Action Workflows

On Pull Request

1. 
2. 
3. 

On Push to Main Branch

1. 
2. 
3. 
4. 

Deprecated Workflows

• Checkov Image Scan

Links & Resources

• Install Terraform
• Automate Terraform with GitHub Actions
• Docker Docs - Containerizing an Application
• Github Action to AWS ECR (Docker Image) | Full Hands-on Tutorial
• How Prisma Cloud Secures Cloud Native App Development with DevOps Plugins
• Automated Container Image Scanning with the Prisma Cloud GitHub Action
• How to Deploy a Dockerised Application on AWS ECS With Terraform
• Bridgecrew Workshop - Yor Tag & Trace
• Create and manage an AWS ECS cluster with Terraform
• Terraform AWS Provider
• Terraform Cloud Workflows for GitHub
• Terraform AWS modules
• Create Amazon EKS Cluster using Terraform Module
• Provision and EKS cluster (AWS)
• How to create Docker Images with a Dockerfile on Ubuntu 22.04 LTS
• Kubernetes Provider for Terraform
• Deployment of Kubernetes, Helm and YAML files using Terraform
• https://github.com/twistlock/sample-code/blob/master/CI/GitHub/.github/workflows/scan.yml

Inspiration

• https://github.com/jcallowaypanw/cloud-security-aws-environement
• https://github.com/try-panwiac/vulnerable-front-end

Base Repos (Building Blocks)

• Build Container Image and push to Amazon Elastic Container Registry (ECR) with Image Scanning
  • https://github.com/jonhurtt/pc-container-image-scan
• Build Amazon Elastic Compute Cloud (EC2) Instance with webserver via script at launch and deploy using Terraform Cloud with Yor Tagging & Checkov Scanning
  • https://github.com/jonhurtt/github-terraform-aws

Roadmap

• Increase Runtime Security with auto deploy of Prisma Cloud Defender on Host and Container Clusters
  • https://docs.prismacloud.io/en/classic/compute-admin-guide/install/deploy-defender/host/auto-defend-host#deployment-process
  • https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs#installation
• Look into Trusted Images within Prisma Cloud
• Enablie twistcli scan to SARIF https://github.com/NJannasch/twistcli-sarif
• Look into Deploy infrastructure with Terraform and CircleCI
• Look into Deploy Consul and Vault on Kubernetes with run triggers
• Look to retrieve Terrform Apply Output and add to workflow in some manner
• Add additional resources within main.tf or expand to a more complex environment
• Add Traffic https://github.com/TheScriptGuy/generate-url-requests-docker
• Defend ECS Cluster [https://live.paloaltonetworks.com/t5/prisma-cloud-videos/defend-aws-ecs-cluster-with-prisma-cloud-compute/ta-p/529649]
• More Terraform Templates https://github.com/pfertyk/terraform-templates

Clean Up

• Remove Tags from IaC Templates
• Destroy Environment via Terraform Cloud

/end