Policies
Policies are sets of ordered rules. Rule order determines how a policy is evaluated.
You can manage your rules and policies programmatically using the policy API endpoints.
For more information about the individual policy endpoints, see the list of endpoints at the end of this page.
How to Add / Update Policy Rules
All of the PUT /api/v<VERSION>/policies/* endpoints work similarly.
To add, edit, or remove vulnerability rules from a policy:
- Retrieve the entire policy, which includes all the vulnerability rules, using the GET endpoint.
For example, the following cURL command uses basic auth to retrieve a list of all image vulnerability rules, pretty-prints the JSON response, and saves the results to a vulnerability_rules.json file.
$ curl -k \
-u <USER> \
https://<CONSOLE>/api/v<VERSION>/policies/vulnerability/images \
| jq '.' > vulnerability_rules.json
- Modify the saved JSON with the updates, including any new rule insertions. Note: Rule order is important.
- Update the rules by pushing the new JSON payload into the PUT endpoint. For example, the following cURL command installs the rules defined in your vulnerability_rules.json file. Note: Remember to specify the @ symbol, otherwise curl sends the file name as the body instead of the file contents.
$ curl -k \
-u <USER> \
-X PUT \
-H 'Content-Type: application/json' \
--data-binary '@vulnerability_rules.json' \
https://<CONSOLE>/api/v<VERSION>/policies/vulnerability/images
Any previously installed rules are overwritten.
Minimum Rule Parameters
To create or update a rule, specify the following:
- Rule name
- At least one collection, referenced by its collection name (at minimum)
- A block threshold (optional, but recommended)
- An alert threshold (optional, but recommended)
For example, to replace all the vulnerability rules for CI image deployments:
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/vulnerability/ci/images?project=<PROJECT>' \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d \
'{
"rules": [
{
"name": "<RULE_NAME>",
"collections":[
{
"name":"<COLLECTION_NAME>"
}
],
"alertThreshold":{
"disabled":false,
"value":4
},
"blockThreshold":{
"enabled":false,
"value":0
}
}
],
"policyType": "ciImagesVulnerability"
}'
Note: The default alert threshold of Low is typically too broad and not actionable. Usually you'll want to specify a threshold of Critical or High.
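The retrieve / modify / push procedure above, written as an added example (not code from the original page or from Prisma Cloud): it validates a new rule against the minimum rule parameters, inserts it at a chosen position because rule order decides evaluation, and pushes the whole policy back with a PUT. The `put_policy` helper and its `console`, `policy_path` and credential parameters are assumptions; `SAMPLE_POLICY` is a constructed stand-in for a GET response.

```python
import base64
import json
import urllib.request

def validate_rule(rule):
    """Check the minimum rule parameters; returns (errors, warnings)."""
    errors, warnings = [], []
    if not rule.get("name"):
        errors.append("rule needs a name")
    collections = rule.get("collections") or []
    if not collections or not all(c.get("name") for c in collections):
        errors.append("rule needs at least one collection referenced by name")
    for key in ("alertThreshold", "blockThreshold"):
        if key not in rule:
            warnings.append(f"{key} not set (optional, but recommended)")
    return errors, warnings

def insert_rule(policy, rule, position=0):
    """Copy of the retrieved policy with rule at position; order decides evaluation."""
    errors, _ = validate_rule(rule)
    if errors:
        raise ValueError("; ".join(errors))
    rules = list(policy.get("rules", []))
    if any(r.get("name") == rule["name"] for r in rules):
        raise ValueError(f"rule {rule['name']!r} already exists; edit it in place instead")
    rules.insert(position, rule)
    return {**policy, "rules": rules}

def put_policy(console, policy_path, user, password, policy):
    """PUT the full policy back; the endpoint replaces every rule that was there."""
    # Hypothetical helper: console, policy_path and credentials come from the caller.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{console}/api/v1/policies/{policy_path}",
        data=json.dumps(policy).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:  # HTTPError if Console rejects the payload
        return resp.status

# Constructed sample: a trimmed GET response for a vulnerability policy with one rule.
SAMPLE_POLICY = {
    "rules": [{"name": "catch-all", "collections": [{"name": "All"}],
               "alertThreshold": {"disabled": False, "value": 4},
               "blockThreshold": {"enabled": False, "value": 0}}],
    "policyType": "ciImagesVulnerability",
}
```

A typical call is `put_policy("<CONSOLE>", "vulnerability/images", user, password, insert_rule(fetched, new_rule, 0))`, where `fetched` is the parsed GET response.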
Referencing Collections by Name
You can reference a collection by its name when creating / updating a rule. If the collection name exists in Console, the remaining resource fields for the collection will automatically be filled in.
Note: The referenced collections must exist prior to creating / updating rules, or the API will not add / update your rules.
In Console, the default collection is All. All is a collection created by the system when the software is installed / upgraded.
When using the API, you can specify All as the <COLLECTION_NAME> to apply the default collection.
How to Delete Policy Rules
In general, the policy endpoints don't have DELETE methods.
Use the PUT method to delete all rules by submitting an empty JSON object.
For example, to delete all host runtime rules:
curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{}' \
https://<CONSOLE>/api/v1/policies/runtime/host
How to Construct a Compliance Policy
To construct an effective rule for a compliance policy:
- Specify at least one "check" in the condition.vulnerabilities object. A check is a security best practice or baseline setting which will be validated by the scanner.
- Specify an action for each check. Prisma Cloud needs to know what to do when a check fails (for example, alert or block).
- In the effect parameter, specify the range of possible actions configured in the rule. The value in effect is a comma-separated list. For example, in a one-check rule, the effect could be alert, or in a two-check rule, the effect could be alert, fail. See Actions for failed checks for more info.
The following curl command creates a single rule compliance policy for container images scanned in the CI pipeline:
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/compliance/ci/images' \
-k \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d \
'{
"rules": [
{
"name": "my-rule",
"effect": "alert",
"collections":[
{
"name":"All"
}
],
"condition": {
"vulnerabilities": [
{
"id": 41,
"block": false,
"minSeverity": 1
}
]
}
}
],
"policyType": "ciImagesCompliance"
}'
Actions for failed checks
To configure Prisma Cloud to run a check, add the check to your rule in the condition.vulnerabilities object.
For each check, specify the action to take if the check fails.
Actions are set on a per-check basis in condition.vulnerabilities[X].block, where:
Effect | condition.vulnerabilities[X].block |
---|---|
alert | false |
fail | true |
The ignore effect is set implicitly for any check not explicitly included in the condition.vulnerabilities[X] array.
The effect parameter is a helper for the Console UI and has no impact on the policy itself.
However, we recommend you specify an effect parameter for each rule, to ensure the policy table in the Console UI renders properly.
In the UI, these are convenience strings which enable you to quickly review the policy table and see the effect of each rule. For example, you may want to quickly find the rule that's failing/blocking your build in the CI pipeline.
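The check-to-action mapping from the table above and the compliance rule construction described earlier, as an added example (not code from the original page or from Prisma Cloud): it builds the condition.vulnerabilities entries from a {check id: action} mapping, derives the effect string from the per-check block flags so the UI helper never drifts from the real policy, and reports the implicit ignore for checks that are not listed. The function names are assumptions; check id 41 and minSeverity 1 are taken from the page's example.

```python
ACTION_TO_BLOCK = {"alert": False, "fail": True}
BLOCK_TO_ACTION = {False: "alert", True: "fail"}

def build_checks(actions, min_severity=1):
    """Turn {check_id: "alert" | "fail"} into condition.vulnerabilities entries."""
    # minSeverity defaults to 1, the value used in the compliance example above.
    checks = []
    for check_id, action in actions.items():
        if action not in ACTION_TO_BLOCK:
            raise ValueError(f"check {check_id}: action must be alert or fail, got {action!r}")
        checks.append({"id": check_id, "block": ACTION_TO_BLOCK[action],
                       "minSeverity": min_severity})
    return checks

def derive_effect(rule):
    """UI effect string derived from the block flags: 'alert', 'fail' or 'alert, fail'."""
    checks = rule["condition"]["vulnerabilities"]
    if not checks:
        raise ValueError("a compliance rule needs at least one check")
    present = {bool(c.get("block", False)) for c in checks}
    return ", ".join(BLOCK_TO_ACTION[b] for b in (False, True) if b in present)

def action_for(rule, check_id):
    """Action when a given check fails; checks not listed are implicitly ignored."""
    for check in rule["condition"]["vulnerabilities"]:
        if check["id"] == check_id:
            return BLOCK_TO_ACTION[bool(check.get("block", False))]
    return "ignore"

def make_compliance_rule(name, actions, collection="All"):
    """Assemble one rule for the PUT payload, with effect kept in sync with its checks."""
    rule = {"name": name, "collections": [{"name": collection}],
            "condition": {"vulnerabilities": build_checks(actions)}}
    rule["effect"] = derive_effect(rule)
    return rule

def make_policy(rules, policy_type="ciImagesCompliance"):
    """Wrap the ordered rules in the envelope the compliance endpoints expect."""
    return {"rules": rules, "policyType": policy_type}
```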
Policy Endpoints
- Get Continuous Integration (CI) Image Compliance Policy: Retrieves the compliance policy for images scanned in your continuous integration (CI) pipeline.
- Update Continuous Integration (CI) Image Compliance Policy: Updates the compliance policy for images scanned in your continuous integration (CI) pipeline.
- Get Continuous Integration (CI) Serverless Compliance Policy: Retrieves the compliance policy for serverless functions built in your continuous integration (CI) pipeline.
- Update Continuous Integration (CI) Serverless Compliance Policy: Updates the compliance policy for serverless functions built in your continuous integration (CI) pipeline.
- Get Container Compliance Policy: Retrieves the compliance policy for running containers.
- Update Container Compliance Policy: Updates the compliance policy for running containers.
- Get Impacted Container Compliance Policy: Lists the containers caught by your compliance policy on a per-rule basis.
- Get Host Compliance Policy: Retrieves the compliance policy for hosts protected by Defender.
- Update Host Compliance Policy: Updates the compliance policy for hosts protected by Defender.
- Get Serverless Compliance Policy: Retrieves the compliance policy for serverless functions situated in your cloud provider's infrastructure.
- Update Serverless Compliance Policy: Updates the compliance policy for serverless functions situated in your cloud provider's infrastructure.
- Get Impacted VMs Compliance Policy: Retrieves a list of all resources a compliance rule impacts.
- Get Agentless App Firewall Policy: Returns the Agentless application firewall policy.
- Set Agentless App Firewall Policy: Sets the Agentless WAAS policy.
- Get Agentless App Firewall Policy Impacted: Returns a list of mirrored VMs to which the firewall policy rule applies.
- Get Agentless App Firewall Policy Resources: Returns the WAAS VPC configuration resources.
- Get Agentless App Firewall Policy State: Returns the state for the Agentless app firewall policy.
- Generate a WAAS API Specification Object: Resolves the endpoints defined in an OpenAPI/Swagger specification and returns a `waas.APISpec` object.
- Get WAAS App-embedded Policy: Retrieves the WAAS policy for web apps protected by App-Embedded Defender.
- Update WAAS App-embedded Policy: Updates the WAAS policy for web apps protected by App-Embedded Defender.
- Get WAAS Container Policy: Retrieves the WAAS policy for containers.
- Update WAAS Container Policy: Updates the WAAS policy for containers.
- Container App Firewall Policy Impacted: Returns a list of containers to which the firewall policy rule applies.
- Get WAAS Host Policy: Retrieves the WAAS policy for hosts.
- Update WAAS Host Policy: Updates the WAAS policy for hosts.
- Host App Firewall Policy Impacted: Returns a list of hosts to which the firewall policy rule applies.
- Get WAAS Network List: Retrieves a list of all WAAS network lists.
- Add WAAS Network List: Creates a new WAAS network list.
- Update WAAS Network List: Updates an existing WAAS network list.
- Delete WAAS Network List: Deletes an existing WAAS network list.
- Get Out-of-Band WAAS Policy: Discovers and detects the HTTP traffic for an existing WAAS out-of-band custom rule.
- Update Out-of-Band WAAS Policy: Updates or edits a WAAS custom rule for out-of-band traffic.
- Get Impacted Resources for Out-of-Band WAAS Policy: Discovers and detects the impacted resources for the HTTP traffic in an existing WAAS out-of-band custom rule.
- Get WAAS Serverless Policy: Retrieves a list of all WAAS policy rules for serverless functions.
- Update WAAS Serverless Policy: Updates the WAAS policy for serverless functions.
- Get CNNS Container and Host Policy: Retrieves a list of all CNNS container and host rules.
- Update CNNS Container and Host Policy: Updates all container and host CNNS rules in a single shot.
- Get Runtime App-embedded Policy: Retrieves the runtime policy for apps protected by App-Embedded Defenders.
- Add Runtime App-embedded Policy: Adds a runtime policy for app-embedded deployments.
- Update Runtime App-embedded Policy: Updates the runtime policy for app-embedded deployments.
- Get Runtime Container Policy: Retrieves the runtime policy for containers protected by Defender.
- Update Runtime Container Policy: Updates the runtime policy for containers.
- Set Container Runtime Policy: Sets the given runtime policy.
- Update Runtime Impacted Container Policy: Returns the impacted images based on a given rule.
- Get Runtime Host Policy: Retrieves the runtime policy for hosts protected by Defender.
- Update Runtime Host Policy: Updates the runtime policy for hosts protected by Defender.
- Set Host Runtime Policy: Sets the given host policy.
- Get Runtime Serverless Policy: Retrieves the runtime policy for your serverless functions.
- Update Runtime Serverless Policy: Updates the runtime policy for your serverless functions.
- Get Base Images Rules: Returns all the base image scopes and the list of base image digests for each of them.
- Add Base Images Rule: Adds the base images which match the given scope configuration.
- Download Base Images Rules: Downloads the base images rules data to CSV.
- Delete Base Images Rule: Removes all base images under a given scope.
- Get CI Image Vulnerability Policy: Retrieves the vulnerability policy for images scanned in your continuous integration (CI) pipeline.
- Update CI Image Vulnerability Policy: Updates the vulnerability policy for images scanned in your continuous integration (CI) pipeline.
- Get CI Serverless Vulnerability Policy: Retrieves the vulnerability policy for serverless functions scanned in your continuous integration (CI) pipeline.
- Update CI Serverless Vulnerability Policy: Updates the vulnerability policy for serverless functions scanned in your continuous integration (CI) pipeline.
- Get Host Vulnerability Policy: Retrieves the vulnerability policy for your hosts protected by Defender.
- Update Host Vulnerability Policy: Updates the vulnerability policy for your hosts protected by Defender.
- Get Impacted Host Vulnerability Policy: Lists the hosts caught by your policy on a per-rule basis.
- Get Image Vulnerability Policy: Retrieves the vulnerability policy for deployed container images.
- Update Image Vulnerability Policy: Updates the vulnerability policy for deployed container images.
- Get Impacted Image Vulnerability Policy: Lists the images caught by your policy on a per-rule basis.
- Get Serverless Vulnerability Policy: Retrieves the vulnerability policy for serverless functions situated in your cloud provider's infrastructure.
- Update Serverless Vulnerability Policy: Updates the vulnerability policy for serverless functions situated in your cloud provider's infrastructure.