This branch is 4 commits behind metalstormbass:main.

Cloudguard Workload and Azure Functions


This document outlines how to apply Cloudguard Workload protection to an Azure Function in a CI/CD pipeline. The feature being installed is called FSP, or Function Self Protect. This is for demonstration purposes only. Here is a logical diagram of the Azure Function:

This function is deployed through Github Actions. That being said, it can be deployed using any CI/CD tool. All of the instructions for the CI/CD pipeline are stored in the build.yml. From a high level this is what the build pipeline does:

  1. Configure Runner Environment
  2. Set up Azure Resource Group, Storage Container and Function App
  3. Apply Cloudguard FSP (Function Self Protect)

Get started by forking this repository!


In order to run this demo, you need the following:

Github Account
Azure Account
Check Point Cloud Security Posture Management Account

To run the script, you must also have Python3.


Ensure Azure Serverless Protection is enabled on Check Point Cloud Security Posture Management.

Microsoft Azure

Create an App Registration in Azure. As this will be used multiple times, please note the following:

  • Application (client) ID
  • Directory (tenant) ID
  • Secret
  • Subscription ID

Ensure that you give this app registration "Contributor" permission.

Prep the Github Environment

First go to Settings > Secrets and populate the secrets:

CG_TOKEN - Note: This must be in the format DOME9_API_KEY:DOME_API_SECRET
AZ_RG - This is the name of the resource group to be created
AZ_LOCATION - Azure Region. EG: West US 2
STORAGE_NAME - Name of your storage container
APP_NAME - App name. This must be unique

Note: Standard Azure naming rules apply.

Second, select the "Actions" tab and enable workflows.
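
A pre-flight check for the secrets listed above, as an added example that is not part of this repository. It assumes STORAGE_NAME is an Azure storage account name and APP_NAME is a Function App name; the function name `check_secrets` is hypothetical. Messages never include the secret values themselves, so the output is safe to leave in pipeline logs.

```python
import os
import re
import sys

# Azure naming rules (assumption: which resource type each secret names).
RULES = {
    # Resource group: 1-90 chars, word chars . - ( ), must not end with a period.
    "AZ_RG": re.compile(r"[\w\-.()]{1,90}(?<!\.)"),
    # Storage account: 3-24 lowercase letters and digits.
    "STORAGE_NAME": re.compile(r"[a-z0-9]{3,24}"),
    # Function App: 2-60 alphanumerics or hyphens, no leading/trailing hyphen.
    "APP_NAME": re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,58}[A-Za-z0-9]"),
}
REQUIRED = ("CG_TOKEN", "AZ_RG", "AZ_LOCATION", "STORAGE_NAME", "APP_NAME")


def check_secrets(env):
    """Return a list of problems found; values are never echoed back."""
    problems = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name}: missing or empty")
        elif value != value.strip():
            # A pasted trailing newline silently breaks basic auth and names.
            problems.append(f"{name}: leading or trailing whitespace")
        elif name == "CG_TOKEN":
            key, sep, secret = value.partition(":")
            if not (sep and key and secret):
                problems.append("CG_TOKEN: expected DOME9_API_KEY:DOME_API_SECRET")
        elif name in RULES and not RULES[name].fullmatch(value):
            problems.append(f"{name}: violates Azure naming rules")
    return problems


if __name__ == "__main__":
    # In a workflow step, map the repository secrets to environment variables
    # of the same names before running this script.
    found = check_secrets(os.environ)
    for problem in found:
        print("preflight:", problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```
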

Run the Build

To deploy this function to Azure, modify the _build_flag and commit the changes. This kicks off the Github Action pipeline. Once the build is finished, you will see the function in Check Point CSPM.

Sync to Check Point CSPM

Depending on when you build your function in relation to the sync interval it may take some time for the information to appear. If you would like to force this synchronization, you can run the following command:

curl -X POST<CLOUDGUARD_ID_FOR_AZURE>/SyncNow --basic -u <DOME9_API_KEY>:<DOME_SECRET> -H 'Accept: application/json'

Check Point CSPM

Open Check Point CSPM and navigate to the "Serverless" option. Select "Serverless Assets" and click on the function you created. This is what you will see:

Testing the function

First, grab the URL of your function.

To test the function, navigate back to the /scripts directory and run

λ python scripts\
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 1
b'Hello, Cloudguard Workload. This HTTP triggered function executed successfully.'

Malicious Input

You can also test putting in malicious input. Here is an example:

λ python scripts\
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 2
b'This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response.'

At this point, since this product is still in EA, it only has detection capabilities. Blocking capabilities are coming soon!


To delete the environment, modify the _destroy_flag and commit the changes. This will delete everything that was created.


This repo contains a nice how-to of the serverless protection functionality within CloudGuard CSPM when deployed via Azure DevOps (the CI/CD previously known as VSTS).






