Prisma Policy Labels not working #3475

Closed
MikkoMyllyniemi opened this issue Sep 6, 2022 · 3 comments · Fixed by #3896
Labels: bug (Something isn't working), integrations

Comments

@MikkoMyllyniemi

Description

At the company I work at we are using Checkov together with Prisma Cloud Code Security, and I'm having trouble using the policy labels in Prisma to filter checks.

On Prisma's side, I've added a label to the "Default namespace is used" policy check called "mikko-testaa".
[screenshot]

Filtering on Prisma via this label works, as it only shows the namespace policy check.
[screenshot]

Execution and Results

With that in mind, these are the checkov commands that I used both locally and on Jenkins:
checkov -d . --framework helm -o json --output-file-path . --prisma-api-url [PRISMAURL] --bc-api-key [PRISMAUSER::PRISMAKEY] --policy-metadata-filter policy.label=mikko-testaa

I tried running as-is and also running via a config file, both returning the same result:
[screenshot]

Have I misunderstood the policy-metadata-filter parameter? What am I doing wrong?

Version
Checkov version 2.1.179

@MikkoMyllyniemi (Author)

The fact that "Available options:" shows empty makes me think there is something wrong with getting policies from Prisma?

@kartikp10 kartikp10 self-assigned this Sep 8, 2022
@kartikp10 (Contributor)

Hey @MikkoMyllyniemi, I haven't been able to reproduce this issue. I applied a similar label to the policy and it worked as expected.

❯ ckv -l --policy-metadata-filter policy.label=kartik-test --bc-api-key "$PC_ACCESS_KEY::$PC_SECRET_KEY"
|    | Id         | Type     | Entity                            | Policy                    | IaC       |
|----|------------|----------|-----------------------------------|---------------------------|-----------|
|  0 | CKV_K8S_21 | resource | kubernetes_config_map             | Default namespace is used | Terraform |
|  1 | CKV_K8S_21 | resource | kubernetes_cron_job               | Default namespace is used | Terraform |
|  2 | CKV_K8S_21 | resource | kubernetes_daemonset              | Default namespace is used | Terraform |
|  3 | CKV_K8S_21 | resource | kubernetes_deployment             | Default namespace is used | Terraform |
|  4 | CKV_K8S_21 | resource | kubernetes_ingress                | Default namespace is used | Terraform |
|  5 | CKV_K8S_21 | resource | kubernetes_job                    | Default namespace is used | Terraform |
|  6 | CKV_K8S_21 | resource | kubernetes_pod                    | Default namespace is used | Terraform |
|  7 | CKV_K8S_21 | resource | kubernetes_replication_controller | Default namespace is used | Terraform |
|  8 | CKV_K8S_21 | resource | kubernetes_role_binding           | Default namespace is used | Terraform |
|  9 | CKV_K8S_21 | resource | kubernetes_secret                 | Default namespace is used | Terraform |
| 10 | CKV_K8S_21 | resource | kubernetes_service                | Default namespace is used | Terraform |
| 11 | CKV_K8S_21 | resource | kubernetes_service_account        | Default namespace is used | Terraform |
| 12 | CKV_K8S_21 | resource | kubernetes_stateful_set           | Default namespace is used | Terraform |


---

Can you please share debug logs? You can enable debug logging by setting the env var LOG_LEVEL=DEBUG. Please be sure to redact any sensitive data from the logs.

@kartikp10 (Contributor)

Never mind, I found the issue. It appears that GET https://api.prismacloud.io/filter/policy/suggest returns only "recently used" filters and therefore a new label may or may not be returned. I'll fix this to use this method instead https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filter-options
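The failure mode described in the comment above, as an added example that is not Checkov's or Prisma Cloud's code: a client-side `key=value` policy-metadata filter that validates the requested value against a list of available options before applying it. The filter keys, the option-list shapes, the `FIELD_MAP` lookup and every policy except CKV_K8S_21 are constructed assumptions for illustration. Run with the "recently used" option source, the fresh label is rejected and the reported available options omit it (the empty "Available options:" symptom from the report); run with the complete option source, the same filter selects the expected policy.

```python
# Added example (not Checkov's or Prisma Cloud's code): a policy-metadata
# filter whose allowed values come from an option source. Sourcing those
# values from a "recently used" suggestion list makes a newly created label
# look invalid even though policies carry it. All data here is constructed.

from typing import Any, Dict, List, Tuple

# Hypothetical filter key -> policy field mapping (assumption, not Checkov's schema).
FIELD_MAP: Dict[str, str] = {
    "policy.label": "labels",
    "policy.severity": "severity",
}

# Constructed: what a complete filter-options lookup could return.
ALL_FILTER_OPTIONS: Dict[str, List[str]] = {
    "policy.label": ["mikko-testaa", "prod", "pci"],
    "policy.severity": ["low", "medium", "high"],
}

# Constructed: a "recently used" suggestion list; the fresh label is absent.
RECENT_FILTER_OPTIONS: Dict[str, List[str]] = {
    "policy.label": ["prod", "pci"],
    "policy.severity": ["high"],
}

# Constructed sample policies. Only CKV_K8S_21 appears in the issue itself.
POLICIES: List[Dict[str, Any]] = [
    {"id": "CKV_K8S_21", "title": "Default namespace is used",
     "severity": "low", "labels": ["mikko-testaa"]},
    {"id": "CKV_EXAMPLE_1", "title": "Constructed policy A",
     "severity": "high", "labels": ["prod", "pci"]},
    {"id": "CKV_EXAMPLE_2", "title": "Constructed policy B",
     "severity": "medium", "labels": []},
]


def parse_filter(expr: str) -> Tuple[str, str]:
    """Parse a 'key=value' expression as passed to --policy-metadata-filter."""
    key, sep, value = expr.partition("=")
    if not sep or not key or not value:
        raise ValueError(f"expected key=value, got {expr!r}")
    if key not in FIELD_MAP:
        raise ValueError(f"unknown filter key {key!r}; supported: {sorted(FIELD_MAP)}")
    return key, value


def validate_filter(key: str, value: str,
                    options: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Check the requested value against the option source.

    Returns (accepted, available) so the caller can report exactly what the
    option source offered instead of silently producing no results.
    """
    available = options.get(key, [])
    return value in available, available


def apply_filter(policies: List[Dict[str, Any]], key: str, value: str) -> List[Dict[str, Any]]:
    """Select policies whose mapped field equals (or, for lists, contains) value."""
    field = FIELD_MAP[key]
    selected = []
    for policy in policies:
        stored = policy.get(field)
        values = stored if isinstance(stored, list) else [stored]
        if value in values:
            selected.append(policy)
    return selected


def run_filter(expr: str, options: Dict[str, List[str]],
               policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Validate the filter against the given option source, then apply it."""
    key, value = parse_filter(expr)
    accepted, available = validate_filter(key, value, options)
    if not accepted:
        # Report the available options rather than returning an empty scan quietly.
        return {"accepted": False, "available": available, "policy_ids": []}
    selected = apply_filter(policies, key, value)
    return {"accepted": True, "available": available,
            "policy_ids": [p["id"] for p in selected]}


if __name__ == "__main__":
    expr = "policy.label=mikko-testaa"
    for name, source in (("recent", RECENT_FILTER_OPTIONS), ("full", ALL_FILTER_OPTIONS)):
        print(f"{name:>6}: {run_filter(expr, source, POLICIES)}")
```

The design point is that validation and selection use different data: the option list only decides whether the filter is accepted, so an incomplete option source turns a valid filter into an empty scan. Surfacing the `available` list alongside the rejection is what makes the mismatch diagnosable from the CLI output.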

@kartikp10 kartikp10 added the bug Something isn't working label Sep 9, 2022