Integrate Defender for Cloud CLI with CI/CD pipelines
Defender for Cloud Command Line Interface (CLI) is an application you can use in continuous integration and continuous deployment (CI/CD) pipelines. It runs static analysis tools and connects code to cloud services. You can use Defender for Cloud CLI in any build process to scan images for security vulnerabilities with built-in security scanners. It sends the scan results to the Defender for Cloud portal. The Cloud Security Explorer can then access the container image and its vulnerabilities.
Prerequisites
An Azure Subscription with Defender for Cloud onboarded. If you don't already have an Azure account, create one for free.
One of the following CI/CD pipeline tools: Jenkins, BitBucket Pipelines, Google Cloud Build, Bamboo, CircleCI, Travis CI, TeamCity, Oracle DevOps services, AWS CodeBuild
Security Admin Permission to create the client ID and secret.
Setup
In the following sections, we explain how to retrieve the Client ID and Secrets, update the CI/CD pipeline script, and add environment variables to the CI/CD pipeline.
Retrieve the API Token
To allow security data from the Defender for Cloud CLI to be passed to the Defender for Cloud backend, the security admin in Defender for Cloud must first generate an API key from Defender for Cloud for authentication.
When tokens are generated, the security admin selects a subscription scope to be associated with the token. The data being "pushed" into Defender for Cloud from this token is scoped to the subscription the token is associated with. These API tokens are immutable and can only be generated/deleted.
From there, the security admin must securely pass the token to developers to be added to the CI/CD pipeline.
Go to Microsoft Defender for Cloud > Management > Environment Settings > Integrations.
Select Add integration and then select DevOps Ingestion.
Enter a descriptive name for the token; the selected tenant stores the token information. The client secret is generated when you enter a description for the secret and its expiration date.
Enable the token in the Configuration and create the tokens.
Copy each token. They can't be edited or retrieved after you select OK.
The new ingestion is displayed in the Integrations table.
Update the CI/CD pipeline script
Each CI/CD pipeline tool has different syntax. This code is an example of a Bitbucket pipeline:
After securely receiving the tokens, the developer must configure an environment variable for the key. The environment variable is passed to the CLI through the shell script, which the developer can fetch with curl or copy manually into their repository.
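As an added example (not the article's Bitbucket pipeline and not Microsoft's own script), the following POSIX shell wrapper shows how a pipeline step can consume the ingestion token from an environment variable without exposing it: it refuses to run when the variable is missing, logs only a masked prefix, and hands the token to the CLI through the environment rather than on the command line. The variable name MDC_API_TOKEN, the CLI path ./mdc-cli and its scan arguments are assumptions, not the product's real names.

```shell
#!/bin/sh
# Added example; not from the article or from the Defender for Cloud CLI itself.
# Assumptions (hypothetical names): the pipeline exposes the ingestion token as
# MDC_API_TOKEN, and the downloaded CLI lives at ./mdc-cli and reads that variable.

# Validate the token without ever printing it. Returns 0 if usable, 1 otherwise.
check_token() {
  tok="$1"
  if [ -z "$tok" ]; then
    echo "error: MDC_API_TOKEN is not set; add it as a secured pipeline variable" >&2
    return 1
  fi
  case "$tok" in
    *[[:space:]]*)
      echo "error: token contains whitespace (copy/paste artefact?)" >&2
      return 1 ;;
  esac
  return 0
}

# Masked form for logs: first four characters, then '****'.
mask_token() {
  printf '%s****' "$(printf '%s' "$1" | cut -c1-4)"
}

# Scan one image. The token reaches the CLI only via the environment, so it
# never appears in argv (visible to `ps`) or in the pipeline's command echo.
run_scan() {
  image="$1"
  cli="${MDC_CLI:-./mdc-cli}"          # overridable for local testing
  check_token "$MDC_API_TOKEN" || return 1
  echo "scanning $image (token $(mask_token "$MDC_API_TOKEN"))"
  set +x                                 # make sure shell tracing is off here
  export MDC_API_TOKEN
  "$cli" scan image "$image"             # hypothetical CLI arguments
}
```

In a real pipeline, store the token as a secured (masked) pipeline variable rather than in the repository, and keep command tracing disabled around the step that uses it.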