Prisma Cloud: Application Security Suppression behavior

Created On 09/09/24 16:27 PM - Last Modified 06/12/25 19:27 PM


Question


This article addresses the following questions related to Cloud Application Security:

  1. When deleting a suppression rule, why is the issue no longer present in the Application Security Projects page?
  2. How to match the API response of the List Suppression Rules API with the Application Security UI?
  3. Why does creating new Policy Suppressions using the Create New Suppression by Policy ID API fail?


Environment


  • Prisma Cloud Enterprise Edition
    • Application Security
      • Projects
        • Suppressions


Answer


  1. When deleting a suppression rule, why is the issue no longer present in the Application Security Projects page?

     When an existing suppression is deleted, the issue is deleted as well. As per the current design, Prisma Cloud reopens the error during the next scan. Because Prisma Cloud performs periodic scans twice a day, the error is expected to be reopened on the next scan. Repositories related to CI/CD Runs (Checkov, CircleCI, Jenkins, Terraform Cloud, etc.) and CI/CD Systems (Registries) are scanned only when a user triggers a scan manually, so for those the error will not reopen until the user next scans the repository.

 

  2. How to match the API response of the List Suppression Rules API with the Application Security UI?

     The List Suppressions API returns all existing suppressions present in the tenant. To match the Policy Suppression type, go to the Prisma Cloud Governance page and apply the filters Policy Subtype: Build; Run,Build and Enabled: Yes. For all other suppression types, such as AccountSuppression (Repositories), TagsSuppression and LicenseSuppression, the UI currently has no single page that lists every suppression made in the tenant. The Projects page does show the suppressed resources when the right filters are applied, but it does not show the suppression data itself unless a suppression is clicked on. To view suppression data, look in the Audit logs, where the Resource Type will be Suppression. Note: the Audit log retention period is 120 days. To retain Audit logs for longer than that, send them to third-party integrations via webhooks, Amazon SQS, Splunk, etc.

 

  3. Why does creating new Policy Suppressions using the Create New Suppression by Policy ID API fail?

     The PolicySuppression option available via the Create New Suppression by Policy ID API should not be used to create policy suppressions. Instead, use the Update Policy API and set the value enabled=false. The PolicySuppression option of the Create New Suppression by Policy ID API is reserved for backend use. Our engineering team is working on updating the docs to reflect this.
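The read-modify-write flow recommended in answer 3 (disable the policy through Update Policy rather than the suppression API), as an added example that is not part of this article or Palo Alto Networks code. It assumes the Prisma Cloud endpoints GET and PUT /policy/{policyId} and the x-redlock-auth header carrying an API token; the transport is injectable so the flow can be exercised offline against a constructed policy record.

```python
"""Disable a build policy via Update Policy (enabled=false) instead of the
Create New Suppression by Policy ID API. Added example, not Palo Alto Networks
code; GET/PUT /policy/{policyId} and the x-redlock-auth header are assumed."""
import json
import urllib.request


def disable_policy(api_base, token, policy_id, transport=None):
    """Read the policy, set enabled=false, and PUT the whole object back.

    transport(method, url, headers, body) -> (status, parsed_json) is
    injectable so the flow can be exercised offline; defaults to urllib.
    """
    transport = transport or _urllib_transport
    headers = {"x-redlock-auth": token, "Content-Type": "application/json"}
    url = f"{api_base}/policy/{policy_id}"
    status, policy = transport("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"GET {url} failed with HTTP {status}")
    if policy.get("enabled") is False:
        return policy  # already disabled: nothing to write back
    updated = dict(policy)  # keep every other field the API returned
    updated["enabled"] = False
    status, _ = transport("PUT", url, headers, updated)
    if status not in (200, 204):
        raise RuntimeError(f"PUT {url} failed with HTTP {status}")
    return updated


def _urllib_transport(method, url, headers, body):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def fake_transport(store):
    """Constructed stand-in for the API: store maps policy id -> policy dict."""
    def call(method, url, headers, body):
        policy_id = url.rsplit("/", 1)[1]
        if policy_id not in store:
            return 404, {}
        if method == "GET":
            return 200, dict(store[policy_id])
        store[policy_id] = dict(body)  # PUT replaces the stored policy
        return 200, {}
    return call
```

Against the real API, pass no transport and supply the base URL and token for your tenant; the fake transport exists only to show the sequence of calls and the resulting policy body.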


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Tp9UCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail