How should the development team configure the pipeline or policy to produce this outcome?

The development team wants to fail CI jobs where a specific CVE is contained within the image.

How should the development team configure the pipeline or policy to produce this outcome?
A . Set the specific CVE exception as an option in Jenkins or twistcli.
B . Set the specific CVE exception as an option in Defender running the scan.
C . Set the specific CVE exception as an option using the magic string in the Console.
D . Set the specific CVE exception in Console’s CI policy.

View Answer

Answer: D

Explanation:

Reference tech docs: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration/set_policy_ci_plugins.html

Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to ‘ignore’. Block them by creating an exception and setting hte effect to ‘fail’. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.

To fail CI jobs based on a specific CVE contained within an image, the development team should configure the policy within Prisma Cloud’s Console, specifically within the Continuous Integration (CI) policy settings. By setting a specific CVE exception in the CI policy, the team can define criteria that will cause the CI process to fail if the specified CVE is detected in the scanned image. This approach allows for granular control over the build process, ensuring that images with known vulnerabilities are not promoted through the CI/CD pipeline, thereby maintaining the security posture of the deployed applications. This method is in line with best practices for integrating security into the CI/CD process, allowing for automated enforcement of security standards directly within the development pipeline.