Enhanced Pull Request Comments: Empower Developers to Ship Code That’s Secure by Default

Apr 04, 2023
4 minutes

Preventing misconfigurations and vulnerabilities from reaching runtime in a manner that doesn’t slow development is challenging. But that’s where pull request (PR) comments come in.

With pull request comments, you can address code security issues — such as IaC misconfigurations, exposed credentials, and vulnerabilities in open source — early in the software development lifecycle, and empower yourself to ship code that’s secure by default.

Through Prisma Cloud’s enhanced PR comments support, you can get advanced functionality, such as automated fixes and embedded security guardrails, supported across all version control system (VCS) providers.

Let’s look at PR comments and walk through how you can use them in your day to day.

Built-In Security Context with Pull Request Comments

Traditional code reviews audit a developer’s work and provide comments that the developer must manually address before merging. But manual processes are time consuming and don’t follow DevSecOps best practices. A better solution — namely, pull request comments — would empower you to fix code issues before you merge your side branch to the master.

When a pull request is opened, Prisma Cloud will automatically scan every line of code and provide in-line comments indicating what to fix and how to fix it. So when you go to merge your code, you’ll see in detail exactly what issues — such as IaC misconfigurations, vulnerabilities, exposed credentials and open source license violations — you’ll need to address.

Automatically-Generated Fixes and Audit Trails

Prisma Cloud enables you to further simplify the process to ship secure code by providing suggested fix comments. With one click, you can accept a pull request comment that will automatically apply the code fix.

And whenever you address a comment and commit a fix — whether it’s an automated or manual fix — the comment is auto-updated to reflect that the issue has been addressed. These interactive comments provide both a written record of code issues and an audit trail of fixes. If a security incident should occur, you can trace back from the compromise to the PR comment on the precise line of at-risk code to determine whether the issue was addressed.

Prisma Cloud provides a suggested fix via a PR comment.

Support Across All VCS Providers

Prisma Cloud supports PR comments capabilities across all VCS types — including Bitbucket, Bitbucket Server, Azure Repos, GitHub, GitHub Server, GitLab and GitLab Self-Managed.

The platform will also generate reports on PR comments, such as the report below that outlines IaC misconfigurations flagged in a PR comment in Bitbucket.

Prisma Cloud generates a report detailing two flagged IaC misconfigurations found in a pull request.

Embedded Security Guardrails with Enforcement Rules for Pull Requests

A blocked PR is frustrating and delays delivery, which is one reason streamlining development is key to helping your team prevent risks from emerging at runtime. With Enforcement Rules for pull requests, Prisma Cloud gives you guidance and security guardrails that help simplify this process.

With Enforcement Rules, you can finely tune several risk thresholds across each category — vulnerabilities, licenses, IaC, build integrity, and secrets — so you can quickly distinguish the truly critical issues from those that can be fixed in the next PR.

Enabling soft fails will generate comments that contextualize code risks but don’t block you from merging your PR, which lets you maintain your release velocity. Hard fails, on the other hand, introduce security guardrails long before production and equip your team to block code merges until critical issues are addressed. You’ll never be left in the dark wondering why something was blocked, because in-line code comments provide context on the risks.

Enforcement Rules can be fine-tuned depending on your organization’s unique needs and security goals.
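To make the soft-fail/hard-fail model concrete, here is an added example (not Prisma Cloud’s code or configuration format) that evaluates scanner findings against a per-category policy: findings at or above a category’s soft threshold get a PR comment, and those at or above its hard threshold also block the merge. The category names come from the post; the severity scale, the rule structure and the sample findings are assumptions constructed for illustration.

```python
"""Illustrative PR enforcement-rule evaluator (added example, not Prisma Cloud code)."""
from dataclasses import dataclass

# Assumed severity scale, ordered from least to most severe.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed policy: one soft-fail and one hard-fail threshold per category
# from the post (vulnerabilities, licenses, IaC, build integrity, secrets).
ENFORCEMENT_RULES = {
    "vulnerabilities": {"soft_fail": "medium", "hard_fail": "critical"},
    "licenses":        {"soft_fail": "low",    "hard_fail": "high"},
    "iac":             {"soft_fail": "medium", "hard_fail": "high"},
    "build_integrity": {"soft_fail": "low",    "hard_fail": "high"},
    "secrets":         {"soft_fail": "low",    "hard_fail": "low"},  # any exposed secret blocks
}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    path: str
    line: int
    message: str


def evaluate_pr(findings, rules=ENFORCEMENT_RULES):
    """Return (blocked, comments): one in-line comment per finding that crosses the
    soft threshold, and blocked=True if any finding crosses the hard threshold."""
    comments, blocked = [], False
    for f in findings:
        if f.category not in rules:
            raise ValueError(f"no enforcement rule for category {f.category!r}")
        rule, rank = rules[f.category], SEVERITY_RANK[f.severity]
        if rank < SEVERITY_RANK[rule["soft_fail"]]:
            continue  # below both thresholds: no comment, fix in a later PR
        hard = rank >= SEVERITY_RANK[rule["hard_fail"]]
        blocked = blocked or hard
        label = "HARD FAIL (merge blocked)" if hard else "SOFT FAIL (comment only)"
        comments.append(f"{f.path}:{f.line} [{f.category}/{f.severity}] {label}: {f.message}")
    return blocked, comments


# Constructed sample findings standing in for scanner output on a PR.
SAMPLE_FINDINGS = [
    Finding("iac", "high", "main.tf", 12, "S3 bucket without server-side encryption"),
    Finding("vulnerabilities", "medium", "requirements.txt", 3, "outdated dependency"),
    Finding("secrets", "low", "config.py", 8, "hard-coded API token"),
    Finding("licenses", "low", "package.json", 20, "copyleft license in a dependency"),
]

if __name__ == "__main__":
    blocked, comments = evaluate_pr(SAMPLE_FINDINGS)
    print("\n".join(comments), "\nMERGE BLOCKED" if blocked else "\nMERGE ALLOWED")
```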

Shifting Left with Pull Request Comments

PR comments are nothing new — cloud-native organizations have long been using them as a frictionless way for developers to ship secure code. But with Prisma Cloud’s recent enhancements and expanded support for all VCS providers, any team can easily adopt PR comments as they continue along their DevSecOps adoption journey.

To see PR comments in action, watch a Code Security demo or request a free trial.
