Serverless CI/CD Plugin

CloudGuard serverless protection lets you shift your security posture left, into the CI/CD pipeline. It lets you configure the level of risk that blocks deployment of serverless applications into your environments. You can download and integrate the CloudGuard Serverless CI/CD Plugin with many popular CI/CD tools, configure it to scan builds before their deployment, and limit deployment to environments based on the severity level of vulnerabilities found.

When the CloudGuard serverless CI/CD plugin rejects a CI/CD deployment, it provides developers and DevOps engineers with clear guidance on how to remedy the detected risks. In addition, it lets developers check their security posture directly, before they submit code to the pipeline.

The serverless CI/CD plugin supports Java, Python, Node, and C#, and is designed to identify security risks spanning the serverless ecosystem (function code, permissions, third-party libraries, and more).

The Plugin scans your code and configuration for the following:

How it Works

The CloudGuard Serverless CI/CD Plugin's Deep Code Flow Analysis analyzes your serverless function code to understand how it operates. During deployment, the code or byte-code is analyzed to understand what the code "does". Code is parsed into an abstract syntax tree (AST), and then its execution is emulated before the code is run. This is a complex process that requires processing non-deterministic state changes, and it allows CloudGuard to create very accurate results.
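To make the AST step concrete, here is an added example (not CloudGuard's code or its actual analysis) that parses a Python function, follows `boto3.client(...)` assignments, and lists granted permissions the code never uses. The sample handler, the function names, and the snake_case-to-PascalCase mapping from client method to IAM action are assumptions; the example covers only the parsing step, not execution emulation.

```python
import ast

# Constructed sample handler; the names and calls are illustrative only.
SAMPLE = '''
import boto3
s3 = boto3.client("s3")

def handler(event, context):
    table = boto3.client("dynamodb")
    body = s3.get_object(Bucket="b", Key=event["key"])
    table.put_item(TableName="t", Item={"k": {"S": "v"}})
    return body
'''

class ClientCalls(ast.NodeVisitor):
    """Track names bound to boto3.client("<service>") and the methods called on them."""
    def __init__(self):
        self.clients, self.calls = {}, set()

    def visit_Assign(self, node):
        v = node.value
        if (isinstance(v, ast.Call) and isinstance(v.func, ast.Attribute)
                and v.func.attr == "client" and isinstance(v.func.value, ast.Name)
                and v.func.value.id == "boto3" and v.args
                and isinstance(v.args[0], ast.Constant) and isinstance(v.args[0].value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.clients[target.id] = v.args[0].value  # variable -> service
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in self.clients):
            self.calls.add((self.clients[f.value.id], f.attr))
        self.generic_visit(node)

def used_actions(source):
    """Return IAM-style action names, assuming snake_case method -> PascalCase action."""
    visitor = ClientCalls()
    visitor.visit(ast.parse(source))
    return {f"{svc}:{''.join(p.title() for p in m.split('_'))}" for svc, m in visitor.calls}

def unused_grants(source, granted):
    """Granted actions the code never calls: candidates for least-privilege trimming."""
    return sorted(set(granted) - used_actions(source))

if __name__ == "__main__":
    print(unused_grants(SAMPLE, ["s3:GetObject", "s3:DeleteObject", "dynamodb:PutItem"]))
```

The visitor ignores variable scope and control flow, so clients passed as arguments or built dynamically are missed; closing that gap is what emulating execution is for.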

Actions

You can configure the Plugin to enable Runtime Protection on functions before they are deployed to your cloud account. When they are onboarded to CloudGuard, they have Runtime Protection already enabled.