CI/CD Security

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment.
CI/CD Security Hero Front Image
CI/CD Security Hero Back Image

The volume and sophistication of attacks targeting the engineering ecosystem is rapidly growing. According to Gartner, organizations must protect the delivery pipeline to remain secure in the cloud. Prisma® Cloud provides a powerful yet simple way to gain visibility and control across application delivery pipelines.

Learn about the Top 10 CI/CD Security Risks

Prisma Cloud makes it simple for AppSec practitioners to secure their CI/CD pipelines without slowing engineers down.

Prisma Cloud continuously monitors pipelines against the OWASP Top 10 CI/CD Security Risks and other attack vectors so that bad actors can’t breach the delivery pipeline or inject malicious code into applications.
  • Single view into the engineering ecosystem
  • Complete protection against the OWASP Top 10 CI/CD Security Risks
  • Granular controls to block insecure code from reaching production
  • Graph-based CI/CD mapping
    Graph-based CI/CD mapping
  • Comprehensive engineering tool inventory
    Comprehensive engineering tool inventory
  • Pipeline posture management
    Pipeline posture management
  • Actionable fix guidance
    Actionable fix guidance


Graph-Based CI/CD Security for Practitioners

Centralized visibility across the engineering ecosystem

The cloud-native engineering ecosystem is increasingly complex, which makes it challenging for AppSec teams to get the visibility they need to secure it. Getting a unified inventory of the languages, frameworks and executables within their ecosystems is the first step toward a secure CI/CD pipeline.

Prisma Cloud CI/CD Security brings together a single view of all technologies in use and their associated code security risks.

  • Scan across languages and repositories with unmatched accuracy.

    Identify security risks across code types for all the most popular languages.

  • Connect infrastructure and application risks.

    Focus on the critical risks that are exposed within your codebase, eliminate false positives and prioritize remediations faster.

  • Visualize your software supply chain.

    Get a consolidated inventory of your CI/CD pipelines and code risks across your engineering ecosystem.

  • Catalog your software supply chain.

    Generate a software bill of materials (SBOM) to track all sources of application risk and understand your attack surface.

Centralized visibility across the engineering ecosystem

Posture management of the delivery pipeline

Cloud attacks frequently target CI/CD pipelines and the software supply chain, exposing organizations to code injection, credential theft, data exfiltration and intellectual property theft. Organizations must respond by implementing new security practices. Security issues mapped to the OWASP Top 10 identify attack vectors and provide guidance on how to address CI/CD security.

  • Get visibility into your software supply chain security posture.

    Identify missing branch protection rules, insecure pipeline configurations and potential for poisoned pipelines, with native controls to proactively prevent attacks.

  • Run a graph-based attack path analysis of the many resources impacting your pipelines.

    Software pipelines are multidimensional, with many tools, internal and external resources that must all be secured to prevent attacks.

  • Harden your delivery pipelines.

    Backed by the world’s best CI/CD security researchers, Prisma Cloud helps teams adopt critical security guardrails to harden their pipelines over time. These guardrails ensure that bad actors can’t leverage CI/CD pipeline weaknesses to reach production environments or run malicious code.

  • Identify credentials exposed in pipelines.

    Find cleartext credentials in webhooks and pipeline logs that could be stolen and abused.

  • Create and enforce custom policies throughout the software development lifecycle.

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments.

Posture management of the delivery pipeline

Cloud Application Graph™

By harnessing the power of relational graph databases, Prisma Cloud distills all components of the modern engineering ecosystem into a single view. With supply chain context, and per developer workflows, organizations can harden their CI/CD pipelines over time and prevent security issues from reaching production.

  • Analyze the entire ecosystem.

    Correlate several disparate signals across codebases, scanners, orchestration and automation tools, and more to centralize visibility and control across all engineering technologies and workflows.

  • Visualize breach pathways.

    Untangle complex relationships to pinpoint critical risks and understand the breach pathways to reach critical assets.

Cloud Application Graph™

Part of the CNAPP

The only way to prevent insecure code from reaching production is to scan every code artifact, dependency, and ensure the delivery pipeline is effectively protected. CI/CD Security is just one application security use case that’s a part of Prisma Cloud’s cloud-native application protection platform (CNAPP).

  • Identify risks in code as developers are building and testing software.

    Check packages and images for vulnerabilities and compliance issues across repositories like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Lock down deployments to only vetted images and templates.

    Leverage Prisma Cloud code scanning and container sandbox analysis to identify and block malicious code and apps from reaching production.

  • Capture detailed forensics of every audit or security incident.

    Automatically and securely gather forensics details in a powerful timeline view to enable incident response. You can view data in Prisma Cloud or send it to other systems for deeper analysis.

  • Prevent risky activity across any runtime environment.

    Manage runtime policies from a centralized console to ensure security is always present as part of every deployment.Mapping of incidents to the MITRE ATT&CK® framework, along with detailed forensics and rich metadata, helps SOC teams track threats for ephemeral cloud-native workloads.

  • Context-aware security.

    Detect and prevent misconfigurations and vulnerabilities that lead to data breaches and compliance violations in runtime with complete cloud developer inventory, configuration assessments, automated remediations and more.

Part of the CNAPP

Code Security Modules

Infrastructure as Code Security

Automated IaC security embedded in developer workflows.

Software Composition Analysis (SCA)

Context-aware open-source security and license compliance.

Secrets Security

Find and secure exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.

Featured Resources