DevSecOps with GitHub Security

Azure Active Directory
Monitor
Policy
Azure Security Center
GitHub

DevSecOps makes security best practices an integral part of DevOps while maintaining efficiency in an Azure framework, starting with the first steps of development. DevSecOps redirects the security focus by using a shift-left strategy. Instead of auditing code and the software supply chain for vulnerabilities at the end of the development process, it shifts to the beginning. Besides producing robust code, this fail fast approach helps resolve problems early on, when they're easier and less expensive to fix.

With many security capabilities, GitHub offers tools that support every part of a DevSecOps workflow:

  • Browser-based IDEs with built-in security extensions.
  • Agents that continuously monitor security advisories and replace vulnerable and out-of-date dependencies.
  • Search capabilities that scan source code for vulnerabilities.
  • Action-based workflows that automate every step of development, testing, and deployment.
  • Spaces that provide a way to privately discuss and resolve security threats and then publish the information.

These features provide a superb service for building secure cloud solutions combined with the monitoring and evaluation power of Azure.

Potential use cases

GitHub DevSecOps installations cover many security scenarios. Possibilities include the following cases:

  • Developers who want to take advantage of pre-configured environments that offer security capabilities.
  • Administrators who rely on having up-to-date, prioritized security reports at their fingertips, along with details on affected code and suggested fixes.
  • Streamlined organizations that need systems to automatically acquire new, uncompromised security devices when secrets are left exposed in code.
  • Development teams that could benefit from automatic upgrades when newer or more secure versions of external packages become available.

Architecture

Architecture diagram highlighting the security checks that run in various GitHub and Azure components in a GitHub DevSecOps environment.

Architecture diagram highlighting security checks that run in a GitHub DevSecOps environment. After Azure Active Directory (Azure AD) authenticates developers, Codespaces runs security scans. GitHub Actions then test security and encrypt sensitive data. In production, Azure Policy, Microsoft Defender for Cloud, and Azure Monitor evaluate deployed software for risks.

Download a Visio file of this architecture.

  1. When developers access GitHub resources, GitHub redirects them to Azure AD for SAML authentication. In a single sign-on (SSO) procedure, the Microsoft Authenticator app then uses FIDO2 strong authentication. The passwordless FIDO2 security keys align with the latest Fast Identity Online (FIDO) Alliance specifications.
  2. Developers begin working on tasks in Codespaces. These pre-built development environments organized into containers provide correctly configured IDEs that are equipped with required security scanning extensions.
  3. When developers commit new code, GitHub Actions automatically scan the code to quickly find vulnerabilities and coding errors.
  4. Pull requests (PRs) trigger code builds and automated testing through GitHub Actions. GitHub encrypts secrets and credentials at rest and obfuscates these entries in logs.
  5. GitHub Actions deploy build artifacts to Azure App Service while making changes to other cloud resources, such as service endpoints.
  6. Azure Policy evaluates Azure resources that are in deployment. Defined policies then potentially deny releases, modify cloud resources, or create warning events in activity logs.
  7. Microsoft Defender for Cloud identifies attacks targeting applications that are running in deployed projects.
  8. Azure Monitor continuously tracks and evaluates app behavior. When threats materialize, this service sends alerts to start the process of rolling code back to previous commits.

Components

  • Azure AD is a multi-tenant, cloud-based identity service that controls access to Azure and other cloud apps like Microsoft 365 and GitHub. Azure AD can be configured as the identity provider for GitHub, and multi-factor authentication can be enabled for extra security.
  • GitHub provides a code-hosting platform that developers can use for collaborating on both open-source and inner-source projects.
  • Codespaces is an online development environment, hosted by GitHub and powered by Visual Studio Code. This tool provides a complete development solution in the cloud.
  • GitHub Security works to eliminate threats in many ways. Agents and services identify vulnerabilities in repositories and in dependent packages. They also upgrade dependencies to up-to-date, secure versions.
  • GitHub Actions are custom workflows that provide continuous integration (CI) and continuous deployment (CD) capabilities directly in repositories. Computers called runners host these CI/CD jobs.
  • App Service provides a framework for building, deploying, and scaling web apps. This platform offers built-in infrastructure maintenance, security patching, and scaling.
  • Azure Policy helps teams manage and prevent IT issues through policy definitions that can enforce rules for cloud resources. For instance, if your project is about to deploy a virtual machine with an unrecognized SKU, Azure Policy alerts you to the problem and stops the deployment.
  • Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads.
  • Azure Monitor collects and analyzes app telemetry, such as performance metrics and activity logs. When this service identifies irregular conditions, it alerts apps and personnel.

GitHub Security

GitHub Security provides multiple features for addressing security risks:

  • Secret scanning inspects repositories or commits for any tokens, keys, or secrets that appear in code. Teams can be notified that secrets have leaked into public view, and service providers can be notified that one of their secrets leaked. Service providers can optionally revoke or renew the secrets.

  • Code scanning inspects code for known vulnerabilities and coding errors. As an example, if a developer leaves a database connection string exposed in code, this feature discovers the secret. GitHub starts the process of obtaining an uncompromised string after verifying its validity with the database. These checks use CodeQL, a code analysis platform that improves upon traditional analyzers by allowing you to query code as if it were data. Scans automatically run at scheduled times or after certain events occur, like commits or pushes. Try CodeQL on LGTM.

  • GitHub Dependabot checks for outdated or vulnerable packages and applications. This automated agent updates software, replacing out-of-date or insecure dependencies with newer, secure versions. For instance, if your project uses an open-source library, Dependabot examines that library. Suppose the library doesn't encrypt sensitive cleartext that it stores in a database. In this case, Dependabot creates a PR to upgrade the library to a version that encrypts the data.

  • Vulnerability management identifies and updates known vulnerabilities in code and in software packages that the code uses. It runs checks whenever the following events occur:

    • A repository's dependencies change (for instance, when a project switches from .NET to .NET Core).

    • A notification appears from Mend. This third-party service tracks vulnerabilities by continuously scanning open-source repositories.

    • A new vulnerability enters the GitHub Advisory Database. Entries in this database originate from the following sources:

When GitHub identifies a vulnerability, it takes the steps illustrated in the following diagram.

Architecture diagram illustrating the chain of events that the identification of a vulnerability triggers, including alerts, upgrades, and deployment.

Architecture diagram illustrating a chain of events in a GitHub DevSecOps implementation. At the outset, GitHub identifies a vulnerability and sends an email alert. Dependabot then creates a branch, updates the vulnerability source, and creates a PR. The branch merges. In the final step, GitHub Actions deploy the new app.

Download a Visio file of this diagram.

  1. GitHub sends an email alert to the organization owners and repository administrators.
  2. GitHub Dependabot, a DevOps bot agent, automatically completes the following three tasks:
    1. Creates a new branch in the repository.
    2. Upgrades the necessary dependencies to the minimum possible secure version needed to eliminate the vulnerability.
    3. Creates a PR with the upgraded dependency.
  3. When the PR is approved, the new branch merges with the base branch.
  4. The merged branch triggers CI/CD tasks in GitHub Actions.
  5. GitHub Actions deploy the new app version to a test or staging environment.

Considerations

To keep GitHub DevSecOps solutions aligned with the tenets of the Azure Well-Architected Framework, consider the following points when deciding how to implement this architecture.

Operational excellence

Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.

  • Run automated tests and maintenance in environments that use vulnerability management capabilities, since these capabilities change code and its dependencies on your behalf. Automated testing identifies any issues that result from these changes.

  • Take advantage of Azure Policy features. Besides denying deployments and logging compliance issues, these policies can also modify resources, making them compliant, even if they aren't deployed that way. For example, if you try to deploy a storage account in Azure that uses HTTP, Azure Policy detects the situation. Policies can then automatically change the deployment and force the storage account to use HTTPS.

  • Azure Resource Manager uses JSON templates to describe the resources involved in deployment. Teams can also manage these template documents by using DevOps tools, like version control, code collaboration, and CI/CD workflows.

  • One concern with DevSecOps is that code scans can generate noisy results filled with false positives, leading to the following types of problems:

    • Developers waste time investigating nonexistent problems.
    • Addressing security issues interrupts workflow.
    • Having lost trust in security tools because of the inaccuracies, developers ignore results.

    Overcome these obstacles by integrating security into the software lifecycle:

    • Employ tools like Codespaces that embed scanning checks in IDEs, meaning developers use them in familiar environments.
    • Make security checks a regular part of code review instead of an afterthought.
    • Put developers in charge of high-precision scans, but leave noisier checks to security teams.

Performance efficiency

Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.

For long-running or complex Actions, host your own runners for CI/CD jobs. You can then choose computers with powerful processing capabilities and ample memory. See About self-hosted runners.

Reliability

Reliability ensures your application can meet the commitments you make to your customers. For more information, see Overview of the reliability pillar.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

  • Using self-hosted Actions runners for public repositories isn't advised. A malicious user could join your repo and create a PR that runs unsafe code on computers in your network. GitHub-hosted runners remove this risk.
  • Scan your code using the CodeQL analysis engine to discover potential vulnerabilities and coding errors. CodeQL can run both on a schedule and when events occur, such as a commit or a PR creation, making it easy for users to identify security issues from within their PRs. See About code scanning.
  • Configure Dependabot security updates, which can remove known threats from projects.
  • Configure GitHub Enterprise Server to include GitHub Advanced Security, which is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server 3.0 or higher. This provides extra features that help users find and fix security problems in their code. GitHub Enterprise can integrate automatic security and dependency scanning through GitHub Advanced Security and GitHub Open Source Security.
  • Augment the code-scanning capabilities of GitHub by adding third-party code-scanning tools that produce Static Analysis Results Interchange Format (SARIF) files. GitHub then creates alerts when those tools identify potential security issues.

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

  • GitHub bills customers for GitHub Actions by the minute. In addition, the choice of operating system that hosts Actions jobs affects the per-minute consumption rate and per-minute cost. Wherever possible, choose Linux to host Actions. See About billing for GitHub actions.
  • Project managers on tight schedules may worry that adding security measures will delay development. Experience the opposite by saving time with these guidelines:
    • Shift testing left, closer to the source. Teams will have fewer mistakes as a result.
    • Address issues during programming, rather than months down the line in production. Then developers don't need to refresh their knowledge of the code.
  • GitHub Security features vary based on an organization's licensing, and whether a repository's visibility is public or private. See Plans for all developers.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

Next steps