Question 8 - PCCSE discussion

Reference tech docs: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration/set_policy_ci_plugins.html

Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to 'ignore'. Block them by creating an exception and setting hte effect to 'fail'. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.

To fail CI jobs based on a specific CVE contained within an image, the development team should configure the policy within Prisma Cloud's Console, specifically within the Continuous Integration (CI) policy settings. By setting a specific CVE exception in the CI policy, the team can define criteria that will cause the CI process to fail if the specified CVE is detected in the scanned image. This approach allows for granular control over the build process, ensuring that images with known vulnerabilities are not promoted through the CI/CD pipeline, thereby maintaining the security posture of the deployed applications. This method is in line with best practices for integrating security into the CI/CD process, allowing for automated enforcement of security standards directly within the development pipeline.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMkpCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail