In Prisma Cloud, generate an Access Key and Secret Key pair in Settings > Access Keys and note your API URL (e.g., https://api.prismacloud.io).
Install Checkov and configure it to report to Prisma Cloud: set the environment variables BC_API_KEY (formatted as AccessKey::SecretKey) and PRISMA_API_URL, and enable platform reporting with --repo-id.
Run a scan: checkov -d ./infra --bc-api-key YOUR_BC_API_KEY --prisma-api-url https://api.prismacloud.io --repo-id org/repo.
View the submitted results in Prisma Cloud under Application Security > Projects, where findings are correlated with cloud runtime context.
Add a GitHub Actions step using the Prisma Cloud IaC Scan action from the GitHub Marketplace to automate submission on every pull request.
Configure suppression rules in the Prisma Cloud console to handle accepted-risk findings so recurring suppressions do not require per-repository Checkov skip annotations.
Known gotchas
The BC_API_KEY value must be formatted as AccessKey::SecretKey (with the double-colon separator); an incorrect format causes silent authentication failures.
Checkov submits findings asynchronously; results may not appear in the Prisma Cloud console for up to several minutes after the scan completes.
Palo Alto Networks is migrating Prisma Cloud into Cortex Cloud; API URLs and feature locations may shift during this transition — verify current documentation before automating.
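A pre-flight check for the key-format gotcha above, as an added example that is not taken from Prisma Cloud or Checkov documentation. The function names are hypothetical, and it assumes Checkov reads BC_API_KEY and PRISMA_API_URL from the environment as described in the setup steps, which also keeps the secret out of the command line.

```bash
#!/bin/sh
# Added example: fail fast on a malformed BC_API_KEY instead of discovering
# a silent authentication failure after the scan has finished.

# Return 0 if $1 looks like AccessKey::SecretKey, else a distinct non-zero code.
validate_bc_api_key() {
    bc_key=$1
    [ -n "$bc_key" ] || return 1               # unset or empty
    case $bc_key in
        *[[:space:]]*) return 4 ;;             # stray space/newline from copy-paste
    esac
    bc_access=${bc_key%%::*}                   # text before the first "::"
    bc_secret=${bc_key#*::}                    # text after the first "::"
    [ "$bc_access" != "$bc_key" ] || return 2  # no "::" separator (e.g. a single colon)
    [ -n "$bc_access" ] && [ -n "$bc_secret" ] || return 3   # one half is empty
    return 0
}

# Return 0 only for an https:// URL with something after the scheme.
validate_prisma_url() {
    case $1 in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check both variables; messages name the variable but never echo the key.
preflight() {
    validate_bc_api_key "${BC_API_KEY:-}" || {
        echo "BC_API_KEY must be AccessKey::SecretKey (double colon)" >&2
        return 1
    }
    validate_prisma_url "${PRISMA_API_URL:-}" || {
        echo "PRISMA_API_URL must be an https:// URL" >&2
        return 1
    }
}

# Invoke as: sh preflight.sh scan
# ./infra and org/repo are the sample values used in the steps above.
if [ "${1:-}" = "scan" ]; then
    preflight && checkov -d ./infra --repo-id org/repo
fi
```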