Microsoft recently announced the new Defender for DevOps, an extension built directly into Microsoft Defender for Cloud that allows you to monitor and manage security across a number of pipeline environments, including GitHub and Azure DevOps.
Some of the features include:
- Vulnerability management in open source code
- Detection of secrets that have been hard coded in source
- Container image scanning
- Pull request annotations
This has been long awaited, and it's finally here. In this short post we will go through how to onboard the feature using Defender for Cloud in Azure.
The Microsoft Security DevOps extension currently supports the following open source tools:
| Name | Language | License |
|---|---|---|
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary (Windows, ELF) | MIT License |
| ESLint | JavaScript | MIT License |
| CredScan | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files. Common types: default passwords, SQL connection strings, certificates with private keys | Not Open Source |
| Template Analyzer | ARM template, Bicep file | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | container images, file systems, git repositories | Apache License 2.0 |
You can customise the extension to run only a selection of these tools, which we will look at later in this post.
Adding the Azure DevOps connector in Microsoft Defender
At the time of writing, Defender for DevOps is in preview and only available in the Central US Azure region.
You will need the following permissions and settings to get this configured:
- Organisation administrator in Azure DevOps
- Security Administrator role in Defender for Cloud
- Contributor role on the subscription you are creating the connector in
- In Azure DevOps, the organisation setting "Third-party applications gain access via OAuth" must be set to On
1: Open up Microsoft Defender for Cloud in the Azure Portal and navigate to DevOps Security
2: Select "Add Connector" and choose Azure DevOps
3: Choose a Resource Group and give your connector a name (globally unique).
4: Select the plan shown. Currently this is free as the service is in preview.
5: In the next section select "Authorize". This will authorise your account and give Microsoft Defender permissions to your Azure DevOps organisation. You will see a pop-up appear which will prompt for sign-in. Make sure you sign in with the right account and have the right organisation selected if you are part of multiple. This caught me out on the first attempt and the creation failed.
6: Next, on the same screen, you will need to select which Azure DevOps projects and repositories you want to grant access to. You can either select specific ones or use auto discovery, which will onboard everything, including any repositories created in the future.
7: Review the configuration and select "create".
8: You should then see the environment successfully connected in Microsoft Defender in the Azure DevOps security blade:
Next we will look at installing the extensions in Azure DevOps and setting up the pipeline required to perform the scans.
Configuring the extensions and pipeline in Azure DevOps
1: Navigate to Azure DevOps and select manage extensions at the top right of your screen:
2: Select "Browse marketplace" and install the following extensions:
- Microsoft Security DevOps
- SARIF SAST Scans Tab (Add a tab to your build to show the scan results)
Configure the security scan pipeline
In order to scan our code we need to configure the pipeline with the required tooling from Microsoft that runs the extension.
1: Create a new starter pipeline in your repository and paste the following code (more detailed instructions are provided by Microsoft here):
```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger: none

pool:
  vmImage: 'windows-latest'

steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    categories: 'IaC,secrets'
    tools: 'terrascan,credscan'
```
I mainly store Terraform code in my selected repository, so I have specified that I want to run the 'terrascan' and 'credscan' tools and that I specifically want to scan for Infrastructure as Code misconfiguration and exposed secrets in my code.
2: Run the pipeline and wait for the job to complete:
3: You can now view the results in the scan tab. You can see I have quite a few areas in my Terraform where adjustments are needed:
You can also customise the sensitivity of the scans. More information on how to configure the analysers is available on GitHub.
The scan results are additionally published as a pipeline artifact:
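As an added example that is not part of the original post, here is a small Python gate that consumes the SARIF artifact published by the scan and exits non-zero when a secret finding (or any error-level finding) is present. The SARIF content, rule IDs and findings below are constructed placeholders, not real scanner output; only the tool names match the scanners used in the pipeline above.

```python
import json
from collections import Counter

# Constructed sample shaped like SARIF 2.1.0 output; tool names match the
# page's scanners, the rule IDs and findings are placeholders, not real output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "CredScan"}},
     "results": [{"ruleId": "CSCAN-EXAMPLE-001", "level": "error",
                  "message": {"text": "Potential connection string."},
                  "locations": [{"physicalLocation": {
                      "artifactLocation": {"uri": "terraform/main.tf"},
                      "region": {"startLine": 12}}}]}]},
    {"tool": {"driver": {"name": "Terrascan"}},
     "results": [{"ruleId": "TERRASCAN-EXAMPLE-001", "level": "warning",
                  "message": {"text": "Storage account allows public access."},
                  "locations": [{"physicalLocation": {
                      "artifactLocation": {"uri": "terraform/storage.tf"},
                      "region": {"startLine": 4}}}]},
                 {"ruleId": "TERRASCAN-EXAMPLE-002",  # no level, no location
                  "message": {"text": "Tags missing on resource."}}]}]})


def summarize_sarif(sarif_text):
    """Return (finding counts per tool, flattened findings) for a SARIF 2.1.0 document."""
    doc = json.loads(sarif_text)
    counts, findings = Counter(), []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            counts[tool] += 1
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", ""),
                "level": result.get("level", "warning"),  # SARIF default when omitted
                "file": loc.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", "")})
    return dict(counts), findings


def blocking_findings(findings, block_tools=("CredScan",), block_levels=("error",)):
    """Findings that should fail a PR gate: any secret finding or any error-level finding."""
    return [f for f in findings if f["tool"] in block_tools or f["level"] in block_levels]


if __name__ == "__main__":
    counts, findings = summarize_sarif(SAMPLE_SARIF)
    for f in blocking_findings(findings):
        print(f"BLOCK {f['tool']} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    raise SystemExit(1 if blocking_findings(findings) else 0)
```

Point it at the real SARIF file from the pipeline artifact to fail a build validation run on secret findings instead of relying on the results tab alone.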
4: Next, you can navigate back to Microsoft Defender for Cloud in Azure and view the results and security posture directly there, giving you a unified single pane of glass:
Enable pull request annotations
Defender for DevOps allows you to expose the above security findings as annotations in pull requests so developers know where issues need to be resolved before the code is merged into the main branch. This catches issues before any code reaches production.
Enable build validation on your main branch in Azure DevOps
1: Sign in to Azure DevOps and navigate to project settings and then repositories
2: Select your repository and then navigate to policies and then select your main branch.
3: Navigate to the build validation section and enable the build validation with the default settings. Select the pipeline we created earlier in the build pipeline dropdown. Give it an appropriate name:
Enable pull request annotation in Defender for Cloud
1: Log in to the Azure portal and navigate to Defender for Cloud > DevOps Security
2: Select the relevant repository to enable the pull request annotation and select configure:
3: Enable the annotations and select a category. Currently only secrets are supported whilst in preview.
Now we are all set. I have intentionally hard-coded a secret in my repository and created a pull request to show the annotations working. The pull request triggered the build validation we set up earlier, which performs a new scan.
This was just a crash course on this preview feature and there is definitely a lot more left to explore. However, it's great to be able to perform these scans with a single extension and view them directly in Microsoft Defender, which now provides the capability to view your security posture not only in Azure but also in Azure DevOps.