Merge pull request #1078 from PaloAltoNetworks/CWP-39605

[Compute CWP-39605]: Clarify denied listening ports for App-embedded

code-security/admin_guide/get-started/connect-your-repositories/add-bitbucket-server.adoc

@@ -41,6 +41,11 @@ image::bitb-server-5.png[width=550]
 +
 By default, the access token's permissions are set similar to your current level of access. You need to define two levels of permissions - *Project permissions* and *Repository permission*. Repository permission inherits the Project permissions; thus, Repository permission should be as high as the Project permission. For example, if you have a Project write permission, you should also have a Repository write permission. You can always modify or revoke token permissions. If you need to know more about the Project and Repository permissions, see https://confluence.atlassian.com/bitbucketserver0717/personal-access-tokens-1087535496.html[here].
 +
+*Required Permissions:*
+
+* *For Projects - Read* 
+* *For Repositories - Admin*
++
 image::bitb-server-6.png[width=550]
 
 .. Add *Expiry*.

code-security/admin_guide/get-started/setup-administrator-access.adoc

@@ -7,7 +7,9 @@ To know more see https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cl
 
 Administrators can create a custom permission group for Code Security on the Prisma Cloud console. Using the parameters for permissions, you can limit or enhance the responsibilities of the users.
 
-* *Suppression Management*: You can enable user permissions to view, create, update and delete resources on *Repositories* (Settings > Repositories). These parameters enable suppression management for vulnerabilities found in resources. In addition, configuring view permission for all Code Security functions allows you to see the resource vulnerabilities to make informed decisions.
+* *Repositories*: You can enable user permissions to view, create, update and delete resources on *Repositories* (Settings > Repositories). These parameters enable suppression management for vulnerabilities found in resources. In addition, configuring view permission for all Code Security functions allows you to see the resource vulnerabilities to make informed decisions.
++
+NOTE: You are required to select both Create and Update permissions when onboarding new repositories.
 
 * *Code Security Configuration*: Enabling permissions for Code Security Configuration helps you manage Code Security licenses, Enforcement thresholds, notifications, developer suppressions and creating rules to exclude paths for scans.
 

code-security/admin_guide/scan-monitor/development-pipelines/enforcement.adoc

@@ -50,40 +50,30 @@ To understand the default scan parameter on Prisma Cloud with the enforcement ru
 
 | | Info| Low | Medium | High | Critical
 
-|Vulnerabilities
-5+| Hard Fail
-
-Soft Fail
-
-Comment Bot
-
-|Licenses
-5+| Hard Fail
-
-Soft Fail
-
-Comment Bot
-
-|IaC
-5+| Hard Fail
-
-Soft Fail
-
-Comment Bot
-
-|Build Integrity
-5+| Hard Fail
-
-Soft Fail
-
-Comment Bot
-
-|Secrets
-5+| Hard Fail
-
-Soft Fail
-
-Comment Bot
+.3+|Vulnerabilities
+| |  |  |  | Hard Fail
+| |Soft Fail  |  |  |
+| |Comments Bot  |  |  |
+
+.3+|Licenses
+| |  |  |  | Hard Fail
+| |Soft Fail   |  |  |
+| |Comments Bot   |  |  |
+
+.3+|IaC
+| |Hard Fail  |  |  |
+| |Soft Fail  |  |  |
+| |Comments Bot  |  |  |
+
+.3+|Build Integrity
+| |Hard Fail  |  |  |
+| |Soft Fail  |  |  |
+| |Comments Bot  |  |  |
+
+.3+|Secrets
+| |Hard Fail  |  |  |
+| |Soft Fail  |  |  |
+| |Comments Bot  |  |  |
 
 |===
 

code-security/admin_guide/scan-monitor/secrets-scanning.adoc

@@ -1,6 +1,6 @@
 == Secrets Scanning
 
-You can use Code Security to detect and block secrets in IaC files stored in your IDEs, Git-based VCS, and CI/CD pipelines.
+You can use Code Security to detect and block secrets in files in your IDEs, VCS repositories, and CI/CD pipelines.
 
 A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
 
@@ -9,25 +9,45 @@ For identifying secrets, Prisma Cloud provides default policies that use domain-
 image::scan-results-secrets-ide.png[width=800]
 
 
+=== Validate Secrets
+
+When scanning for secrets, Prisma Cloud can validate secrets against public APIs to verify if the secret is still active so that you can prioritize and handle exposed secrets quickly.
+
+By default the  validation of secrets is disabled and you can choose to enable the validation for secrets scan from *Settings > Code Security Configuration > Validate Secrets*.
+
+Additionally, you can choose to run Checkov on your repositories to filter valid secrets that may be potentially exposed. To see a list of potentially exposed secrets you need to add an environment variable `CKV_VALIDATE_SECRETS=true` after enabling Validate Secrets.
+
+In this example, you see a secret that is valid and requires to be prioritized in the repository after running Checkov on the terminal.
+
+image::secrets-validate-3.png[width=400]
+
+You can see the scan results of secrets after validation on *Projects > Secrets* and then use *Resource Explorer* to prioritize a valid secret by either a *Suppress* or by performing a *Manual Fix* on the secret.
+
+image::secrets-validate-4.gif[width=800]
+
 [.task]
 === Suppress Secret Notifications
 
-You have two ways to suppress notifications for a policy violation. You can either https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/manage-prisma-cloud-policies[disable] a policy or suppress a notification for a specific resource or repository. As an example, you do not want to be notified of a violation for issues on non-production environments, or for resources without specific tags.
+By suppressing a notification for secrets you are choosing to no longer receive any information on a violation related to the suppressed secret. To suppress a notification you are required to define a suppression rule by adding a justification with an expiration time.
 
 [.procedure]
 
-. Select *Code Security > Projects*.
+. Select *Code Security > Projects > Secrets*.
+
+. Configure a suppression rule for a secret.
 
-. Filter scan results.
-.. Add *Category*-*Secrets*.
-.. Add *Status*: *Errors*.
+.. Select a secret and then *Suppress*.
 +
-image::scan-results-secrets-1.png[width=800]
+In this example, AWS Secret Keys are invalid in GitHub actions repository.
++
+image::secrets-validate-1.png[width=800]
 
-. *Suppress* the notification.
+.. Add a *Justification* with the *Expiration Time*.
 +
-You can select the specific resource, or resources that are assigned a specific tag, or suppress notifications for this policy violation across one or more repositories.
+image::secrets-validate-2.png[width=600]
 +
-image::scan-results-secrets-2.png[width=800]
+Optionally, you can choose a *Manual Fix* to resolve the secret violation.
+
+. Select *Save*.
 
 

code-security/policy-reference/alibaba-policies/alibaba-general-policies/alibaba-general-policies.adoc

@@ -0,0 +1,84 @@
+== Alibaba General Policies
+
+[width=85%]
+[cols="1,1,1"]
+|===
+|Policy|Checkov Check ID| Severity
+
+|xref:ensure-alibaba-cloud-database-instance-is-not-public.adoc[Alibaba Cloud database instance accessible to public]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py[CKV_ALI_9]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-disk-is-encrypted-with-customer-master-key.adoc[Alibaba Cloud Disk is not encrypted with Customer Master Key]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py[CKV_ALI_8]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-disk-is-encrypted.adoc[Alibaba Cloud disk encryption is disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py[CKV_ALI_7]
+|MEDIUM
+
+
+|xref:ensure-alibaba-cloud-kms-key-rotation-is-enabled.adoc[Alibaba Cloud KMS Key Rotation is disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py[CKV_ALI_27]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-mongodb-has-transparent-data-encryption-enabled.adoc[Alibaba Cloud MongoDB does not have transparent data encryption enabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py[CKV_ALI_44]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-oss-bucket-has-transfer-acceleration-disabled.adoc[Alibaba Cloud OSS bucket has transfer Acceleration disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py[CKV_ALI_11]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-oss-bucket-has-versioning-enabled.adoc[Alibaba Cloud OSS bucket has versioning disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py[CKV_ALI_10]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-oss-bucket-is-encrypted-with-customer-master-key.adoc[Alibaba Cloud OSS bucket is not encrypted with Customer Master Key]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py[CKV_ALI_6]
+|MEDIUM
+
+
+|xref:ensure-alibaba-cloud-oss-bucket-is-not-accessible-to-public.adoc[Alibaba Cloud OSS bucket accessible to public]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py[CKV_ALI_1]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-rds-instance-has-log-disconnections-enabled-1.adoc[Alibaba Cloud RDS instance has log_disconnections disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py[CKV_ALI_36]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-rds-instance-has-log-disconnections-enabled.adoc[Alibaba Cloud KMS Key is disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py[CKV_ALI_28]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-rds-instance-has-log-duration-enabled.adoc[Alibaba Cloud RDS instance does not have log_duration enabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py[CKV_ALI_35]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-rds-instance-is-set-to-perform-auto-upgrades-for-minor-versions.adoc[Alibaba Cloud RDS instance is not set to perform auto upgrades for minor versions]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py[CKV_ALI_30]
+|LOW
+
+
+|xref:ensure-alibaba-cloud-rds-log-audit-is-enabled.adoc[Alibaba Cloud RDS log audit is disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py[CKV_ALI_38]
+|LOW
+
+
+|xref:ensure-alibaba-rds-instance-has-log-connections-enabled.adoc[Alibaba RDS instance has log_connections disabled]
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py[CKV_ALI_37]
+|LOW
+
+
+|===
+

code-security/policy-reference/alibaba-policies/alibaba-general-policies/ensure-alibaba-cloud-database-instance-is-not-public.adoc

@@ -0,0 +1,63 @@
+== Alibaba Cloud database instance accessible to public
+
+
+=== Policy Details 
+[width=45%]
+[cols="1,1"]
+|=== 
+|Prisma Cloud Policy ID 
+| 22d28a0c-a979-4a99-8614-919dcc393ae4
+
+|Checkov Check ID 
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py[CKV_ALI_9]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform
+
+|=== 
+
+
+
+=== Description 
+
+
+Public database instances are vulnerable, as attackers can use a variety of techniques to gain unauthorized access to public databases, such as SQL injection attacks, brute-force attacks, or exploiting misconfigurations or vulnerabilities in the database software. To prevent this risk, make the database instance private by restricting access to only authorized users.
+
+=== Fix - Buildtime
+
+
+*Terraform*
+
+
+
+
+[source,go]
+----
+{
+ "resource "alicloud_db_instance" "pass" {
+  engine              = "MySQL"
+  engine_version      = "5.6"
+  db_instance_class   = "rds.mysql.t1.small"
+  db_instance_storage = "10"
+  security_ips = [
+    "10.23.12.24"
+  ]
+  parameters = [{
+    name  = "innodb_large_prefix"
+    value = "ON"
+    }, {
+
+    name  = "connect_timeout"
+    value = "50"
+  }]
+
+}
+",
+}
+----

code-security/policy-reference/alibaba-policies/alibaba-general-policies/ensure-alibaba-cloud-disk-is-encrypted-with-customer-master-key.adoc

@@ -0,0 +1,56 @@
+== Alibaba Cloud Disk is not encrypted with Customer Master Key
+
+
+=== Policy Details
+[width=45%]
+[cols="1,1"]
+|=== 
+|Prisma Cloud Policy ID 
+| db67af3f-47dd-49ca-9a96-ce12924d9d89
+
+|Checkov Check ID 
+| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py[CKV_ALI_8]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform
+
+|=== 
+
+
+
+=== Description
+
+Encrypting your disk with a CMK helps protect your data from unauthorized access or tampering.
+By encrypting your bucket, you can ensure that only authorized users with the correct key can access and decrypt the data, and that the data is protected while in storage.
+
+=== Fix - Buildtime
+
+
+*Terraform* 
+
+
+
+
+[source,go]
+----
+{
+ "resource "alicloud_disk" "pass" {
+  # cn-beijing
+  description = "Hello ecs disk."
+  category    = "cloud_efficiency"
+  size        = "30"
+  encrypted   = true
+  kms_key_id  = "2a6767f0-a16c-1234-5678-13bf*****"
+  tags = {
+    Name = "TerraformTest"
+  }
+
+}",
+}
+----