Infrastructure as Code (IaC) Security

Identify and fix misconfigurations in Terraform, CloudFormation, ARM, Kubernetes, and other IaC templates

Infrastructure as Code (IaC) enables engineers to version control, deploy, and improve cloud infrastructure while leveraging DevOps processes. This also presents an opportunity to proactively improve the posture of cloud infrastructure and reduce the burden on security and operations teams.


Automated Infrastructure as Code security

Powered by open source, Bridgecrew by Prisma Cloud scans IaC templates for misconfigurations across the development lifecycle, embedding security in integrated development environments, continuous integration tools, repositories and runtime environments. Bridgecrew enforces policy-as-code early through automation, preventing misconfigurations from being deployed and providing automated fixes.
  • Continuous governance to enforce policies in code
  • Embedded in DevOps workflows and tooling
  • Automated misconfiguration fixes via pull requests
  • Backed by the community
  • Developer-friendly integrations
  • Automated fixes
  • Built-in guardrails
  • Drift detection
  • Compliance benchmarks

The Bridgecrew by Prisma Cloud Solution

Our approach to IaC security

Backed by the community

Bridgecrew is built on the open source project Checkov. Checkov is a policy-as-code tool with millions of downloads that checks for misconfigurations in IaC templates such as Terraform, CloudFormation, Kubernetes, Helm, ARM templates and the Serverless framework. Users can leverage hundreds of out-of-the-box policies and add custom rules. Bridgecrew augments Checkov with a simplified user experience and enterprise features.

  • Check for policy misconfigurations

    Checkov checks IaC templates against hundreds of out-of-the-box policies based on benchmarks such as CIS, plus community-sourced checks.

  • Leverage context aware policies

    Checkov’s policies include graph-based checks that traverse multiple levels of resource relationships, enabling complex policies such as assigning higher severity to internet-facing resources.

  • Extend capabilities and integrations

    Checkov is designed to be extensible: custom policies and tags can be added, and its CLI is designed to be embedded in continuous integration and other DevOps tools.

  • Integrate with Bridgecrew to extend its capabilities

    Bridgecrew augments Checkov’s open source capabilities with a history of scans, additional integrations, auto-fixes and more.

Integrated IaC as part of the pipeline

Involving developers in remediation is the fastest way to get things fixed. Bridgecrew provides feedback directly in popular DevOps tools, including integrated development environments (IDEs), continuous integration (CI) tools and version control systems (VCS). Additional aggregation and reporting are available in the Bridgecrew platform.

  • Provide fast feedback throughout the development lifecycle

    Bridgecrew integrates with IDEs, CI tools and VCS to provide feedback and guardrails in the tools developers already use.

  • Enable fixes with code review comments

    Native VCS integrations add code comments to each new pull request for the misconfigurations identified, making them easier to find and fix.

  • View all code misconfigurations in one place

    Bridgecrew includes a centralized view of all misconfigurations across scanned repositories, with filtering and searching to find code blocks and owners.

  • Build remediation work into DevOps workflows

    Integrations with collaboration and ticketing tools can generate tickets and alerts that notify the right teams, so remediation work is added to their DevOps tasks.

Context aware and actionable feedback

When developers are moving as fast as possible to meet deadlines, reporting policy violations without explanation just causes frustration. Bridgecrew includes automatic remediations for many policies, along with guidelines for every policy, to provide the details needed to get misconfigurations fixed.

  • Context aware visibility and policies

    Bridgecrew surfaces policy violations for resources and their dependencies, and policies can take context into account, such as assigning higher severity to internet-exposed violations, which helps with prioritization.

  • Provide actionable guidance

    Each policy violation comes with actionable guidelines about the misconfiguration along with guidance to remediate the issue.

  • Trace cloud to code with code owners for faster remediation

    Cloud resources are traceable back to their IaC templates and to the engineer who last modified the code, so the right resource and team can remediate issues fast.

  • Enable GitOps workflows

    Tracing cloud misconfigurations back to code lets issues identified at runtime be fixed in code, preserving the scalability and auditability benefits of IaC templates.
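The cloud-to-code tracing described above (a runtime configuration compared against the template, with each finding routed to the code owner) amounts to an attribute diff that ignores provider-assigned values. The following is an added example, not Bridgecrew's implementation; the declared and runtime resource data, the owner map and the list of runtime-only attributes are all constructed for the illustration.

```python
"""Drift detection between IaC-declared resources and a runtime snapshot.

Added illustration, not Bridgecrew's implementation: a generic attribute diff
that ignores provider-assigned attributes and routes each finding to the code
owner. The declared and runtime data, owners and attribute names are constructed.
"""
from dataclasses import dataclass

# Attributes the provider assigns at runtime; they never appear in the template,
# so comparing them would only produce noise.
RUNTIME_ONLY = {"arn", "id", "creation_date"}

# Constructed: what the template declares, keyed by resource address.
DECLARED = {
    "aws_s3_bucket.audit_logs": {"acl": "private", "versioning": {"enabled": True},
                                 "tags": {"env": "prod"}},
    "aws_security_group.web": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]},
    "aws_kms_key.logs": {"enable_key_rotation": True},
}

# Constructed: what an inventory of the live account returned for those addresses.
RUNTIME = {
    "aws_s3_bucket.audit_logs": {"arn": "arn:aws:s3:::audit-logs-example",
                                 "acl": "public-read",  # changed by hand during an incident
                                 "versioning": {"enabled": True}, "tags": {"env": "prod"}},
    "aws_security_group.web": {"id": "sg-0123456789abcdef0", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},  # added out of band
    ]},
    # aws_kms_key.logs is absent: deleted in the console, still declared in code.
}

# Constructed: last modifier of each resource's template (for example taken from
# git history), so a drift finding lands with the team that owns the code.
CODE_OWNERS = {"aws_s3_bucket.audit_logs": "storage-team",
               "aws_security_group.web": "platform-team",
               "aws_kms_key.logs": "storage-team"}


@dataclass(frozen=True)
class Drift:
    address: str
    attribute: str
    declared: object
    actual: object
    owner: str


def flatten(value, prefix=""):
    """Flatten nested dicts into dotted keys so every leaf is compared exactly once."""
    if isinstance(value, dict):
        leaves = {}
        for key, child in value.items():
            leaves.update(flatten(child, f"{prefix}{key}."))
        return leaves
    return {prefix.rstrip("."): value}


def detect_drift(declared, runtime, owners, ignore=RUNTIME_ONLY):
    """One Drift per differing attribute, plus one per declared resource missing at runtime."""
    drifts = []
    for address, template in declared.items():
        owner = owners.get(address, "unknown")
        live = runtime.get(address)
        if live is None:
            drifts.append(Drift(address, "<resource>", "present", "missing", owner))
            continue
        want = flatten(template)
        have = {k: v for k, v in flatten(live).items() if k.split(".")[0] not in ignore}
        for key in sorted(set(want) | set(have)):
            if want.get(key) != have.get(key):
                drifts.append(Drift(address, key, want.get(key), have.get(key), owner))
    return drifts


def drift_by_owner(drifts):
    """Group findings by owner, the shape a ticketing integration would consume."""
    grouped = {}
    for d in drifts:
        grouped.setdefault(d.owner, []).append(d)
    return grouped


if __name__ == "__main__":
    for owner, items in drift_by_owner(detect_drift(DECLARED, RUNTIME, CODE_OWNERS)).items():
        print(f"== {owner}")
        for d in items:
            print(f"  {d.address} {d.attribute}: declared={d.declared!r} actual={d.actual!r}")
```

Running the script reports three drifts: the bucket ACL changed from `private` to `public-read`, an extra ingress rule on the security group, and a KMS key that is declared but no longer exists, grouped so that `storage-team` receives two of them and `platform-team` one. Fixing each of them in the template rather than in the console is what keeps the GitOps audit trail intact.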

Enforce guardrails and prevent drift

Under pressure to deliver features, developers follow the path of least resistance. Similarly, during an incident engineers can rush to fix issues directly in cloud environments, leaving IaC templates out of sync. Create a secure golden pipeline in which infrastructure as code is vetted, and enforce the GitOps best practice of maintaining configurations in code, by leveraging guardrails and detecting drift.

  • Block severe misconfigurations from being added to repos and deployed

    Integrations with CI tools allow hard fails that block misconfigured code from entering a repository or deployment process.

  • Set custom levels for blocking builds

    Hard-fail policy levels can be set per repository, along with per-policy exclusions and per-resource suppressions.

  • Extend policy sets with custom policies

    Add custom policies using Python, YAML or the UI policy editor to apply organization-specific policies, including multi-resource, graph-based policies.

  • Provide actionable information about failed deployments

    Every scan includes a code review listing the misconfigurations found, with guidelines to remediate each issue and auto-fixes for issues identified in pull requests.

  • Detect and remediate drift

    Bridgecrew compares runtime configurations to IaC templates to identify changes made directly in cloud environments, and traces those cloud configurations back to the code and its owner to bring code and cloud back in sync.
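As an added example of the policy-as-code and guardrail ideas in this section and in the Checkov section above (attribute checks, graph-style context that raises severity for internet-facing resources, per-resource suppressions and a per-repository hard-fail level), here is a small evaluator over parsed resources. It is not Checkov's or Bridgecrew's code and does not use their policy formats; the resources, policy ids, severity levels and the suppression are constructed for the illustration.

```python
"""Policy-as-code evaluation over parsed IaC resources (added illustration).

Not Checkov's or Bridgecrew's code or policy format: it only demonstrates
attribute checks, a relationship-aware severity bump for internet-facing
resources, per-resource suppressions and a per-repository hard-fail level.
All resources, policy ids and settings are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed resources as a template parser might hand them over, keyed by
# address; security group references point at other addresses in this dict.
RESOURCES = {
    "aws_security_group.web": {"type": "aws_security_group", "config": {
        "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_security_group.internal": {"type": "aws_security_group", "config": {
        "ingress": [{"from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.0.0/8"]}]}},
    "aws_security_group.bastion": {"type": "aws_security_group", "config": {
        "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_instance.api": {"type": "aws_instance", "config": {
        "vpc_security_group_ids": ["aws_security_group.web"],
        "root_block_device": {"encrypted": False}}},
    "aws_instance.batch": {"type": "aws_instance", "config": {
        "vpc_security_group_ids": ["aws_security_group.internal"],
        "root_block_device": {"encrypted": False}}},
    "aws_instance.db": {"type": "aws_instance", "config": {
        "vpc_security_group_ids": ["aws_security_group.internal"],
        "root_block_device": {"encrypted": True}}},
}


@dataclass(frozen=True)
class Policy:
    id: str
    name: str
    resource_types: tuple
    check: Callable[[dict, dict], bool]  # (config, all resources) -> passed?
    severity: str = "MEDIUM"
    # Optional hook that may return a raised severity after inspecting related resources.
    context: Optional[Callable[[dict, dict], Optional[str]]] = None


@dataclass(frozen=True)
class Finding:
    policy_id: str
    address: str
    severity: str
    status: str  # "FAILED" or "SUPPRESSED"
    guideline: str


def no_world_ssh(config, _resources):
    """Pass unless an ingress rule covers port 22 from 0.0.0.0/0."""
    return not any(r["from_port"] <= 22 <= r["to_port"] and "0.0.0.0/0" in r["cidr_blocks"]
                   for r in config.get("ingress", []))


def root_volume_encrypted(config, _resources):
    return bool(config.get("root_block_device", {}).get("encrypted", False))


def internet_facing(config, resources):
    """Graph-style context: follow security group references and look for world-open ingress."""
    for sg_address in config.get("vpc_security_group_ids", []):
        for rule in resources.get(sg_address, {}).get("config", {}).get("ingress", []):
            if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                return True
    return False


POLICIES = [
    Policy("CUSTOM_SG_NO_WORLD_SSH", "Security group must not expose SSH to the internet",
           ("aws_security_group",), no_world_ssh, "HIGH"),
    Policy("CUSTOM_EC2_ROOT_ENCRYPTED", "EC2 root volume must be encrypted",
           ("aws_instance",), root_volume_encrypted, "MEDIUM",
           context=lambda cfg, res: "HIGH" if internet_facing(cfg, res) else None),
]
# Constructed per-resource suppression, as a reviewer might grant for a throwaway host.
SUPPRESSIONS = frozenset({("CUSTOM_EC2_ROOT_ENCRYPTED", "aws_instance.batch")})


def scan(resources, policies, suppressions=frozenset()):
    """Evaluate every applicable policy; each failure becomes a finding, suppressed or not."""
    findings = []
    for address, resource in resources.items():
        for policy in policies:
            if resource["type"] not in policy.resource_types or policy.check(resource["config"], resources):
                continue
            severity = policy.severity
            if policy.context is not None:
                severity = policy.context(resource["config"], resources) or severity
            status = "SUPPRESSED" if (policy.id, address) in suppressions else "FAILED"
            findings.append(Finding(policy.id, address, severity, status, policy.name))
    return findings


def should_block(findings, hard_fail_level):
    """CI gate: block when any unsuppressed finding reaches the repository's hard-fail level."""
    threshold = SEVERITY_RANK[hard_fail_level]
    return any(f.status == "FAILED" and SEVERITY_RANK[f.severity] >= threshold for f in findings)
```

Calling `scan(RESOURCES, POLICIES, SUPPRESSIONS)` yields three findings, and the context hook is what makes them differ: the same unencrypted root volume is MEDIUM on `aws_instance.batch`, which sits behind an internal-only security group, but HIGH on `aws_instance.api`, whose security group accepts traffic from 0.0.0.0/0. A repository whose hard-fail level is HIGH therefore blocks the build for the internet-facing host and the bastion's open SSH rule, while the suppressed batch finding is still recorded but never gates the build.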

Compliance benchmarks

Begin meeting compliance requirements in the development phase. Bridgecrew and the community behind Checkov have mapped popular benchmarks to IaC templates, so compliance issues in cloud infrastructure can be checked before deployment.

  • Check for CIS Benchmark violations

    Get continuous auditing for IaC configurations against Center for Internet Security (CIS) benchmarks.

  • Compare resource configurations to other popular benchmarks

    Benchmark IaC configurations against requirements for SOC2, HIPAA, PCI-DSS, and more.

  • Maintain an audit trail based on resource history

    Review the history of configuration changes for IaC resources that led up to issues and their remediations.

  • Export reports across individual frameworks

    Reports based on benchmark findings can be exported to a preformatted PDF for internal review or external audits.
