Prisma Cloud Application Security: What are the minimum API access key permissions needed for Checkov scanning in Prisma Cloud Application Security?

Created On 07/28/23 19:36 PM - Last Modified 01/29/26 00:01 AM


Question


What are the minimum API access key permissions needed for Checkov scanning in Prisma Cloud Application Security?

Environment




Answer


Per our documentation, the access key (user) running Checkov in Jenkins requires the Developer, AppSec Admin, or System Admin role within Prisma Cloud.

If you prefer to use a custom permission group instead of one of the built-in roles, Checkov requires the following permissions:

  • Policies > Policies: 'View'
  • Application Security > Projects: 'View'
  • Settings > Providers: ('View' and 'Create') OR ('View' and 'Update')

Please note:

The Developer role does not support the use of --policy-metadata-filter and --policy-metadata-filter-exception.

These options require permission to call the policies API (Policies > Policies: 'View'), which the Developer role does not have.

To use these filters, either assign a different role to the user (AppSec Admin or System Admin) or create a custom permission group that includes the permissions noted above.
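The following script is an added example and is not part of the knowledge base article or of Checkov's own code. It shows how a Jenkins shell step would pass a Prisma Cloud access key to Checkov (the --bc-api-key value is the access key and secret key joined with "::", and --prisma-api-url selects the tenant's API endpoint), and it adds a preflight check that calls the same policies API the metadata filters depend on, so a key whose permission group lacks Policies > Policies: 'View' fails before the scan starts rather than during it. The environment variable names PC_ACCESS_KEY, PC_SECRET_KEY, PC_API_URL, REPO_ID, POLICY_FILTER, POLICY_FILTER_EXCEPTION and RUN_CHECKOV are assumptions of this example; curl and jq are assumed to be installed.

```shell
#!/usr/bin/env sh
# Added example (not from the KB article). Assumes the access key pair is in
# PC_ACCESS_KEY / PC_SECRET_KEY and the tenant API endpoint (e.g.
# https://api.prismacloud.io) is in PC_API_URL.
set -eu

# Assemble Checkov's argument list. --bc-api-key takes "<access key>::<secret key>"
# when authenticating with a Prisma Cloud access key; the two metadata filter
# options use the "key=value[,key=value]" format and are added only when given.
# Usage: build_checkov_args <dir> <repo-id> [filter] [filter-exception]
build_checkov_args() {
  args="-d $1 --repo-id $2 --bc-api-key ${PC_ACCESS_KEY}::${PC_SECRET_KEY} --prisma-api-url ${PC_API_URL}"
  if [ -n "${3:-}" ]; then
    args="$args --policy-metadata-filter $3"
  fi
  if [ -n "${4:-}" ]; then
    args="$args --policy-metadata-filter-exception $4"
  fi
  printf '%s' "$args"
}

# Preflight: log in with the access key pair to obtain a CSPM token, then list
# policies. A non-200 response means this key cannot call the policies API, so
# --policy-metadata-filter / --policy-metadata-filter-exception will not work
# with it (this is what happens with the Developer role). Returns 0 on success.
preflight_policies_view() {
  token=$(curl -sS -X POST "${PC_API_URL}/login" \
    -H 'Content-Type: application/json' \
    -d "{\"username\":\"${PC_ACCESS_KEY}\",\"password\":\"${PC_SECRET_KEY}\"}" | jq -r '.token')
  status=$(curl -sS -o /dev/null -w '%{http_code}' \
    -H "x-redlock-auth: ${token}" "${PC_API_URL}/v2/policy?policy.enabled=true")
  [ "$status" = "200" ]
}

# Only run the network check and the scan when explicitly requested, so the
# file can be sourced (or tested) without credentials or network access.
if [ "${RUN_CHECKOV:-0}" = "1" ]; then
  if ! preflight_policies_view; then
    echo "access key cannot list policies; grant Policies > Policies: View or drop the metadata filters" >&2
    exit 1
  fi
  # shellcheck disable=SC2046  # word splitting of the argument list is intended
  checkov $(build_checkov_args . "${REPO_ID:-org/repo}" "${POLICY_FILTER:-}" "${POLICY_FILTER_EXCEPTION:-}")
fi
```

In Jenkins, bind the access key and secret key as credentials and export them as PC_ACCESS_KEY and PC_SECRET_KEY before invoking the script with RUN_CHECKOV=1; if the preflight fails, fix the key's role or permission group rather than removing the filters, since the filters are usually there to scope the scan to the policies your team owns.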


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1xlCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail