Configure the Microsoft Security DevOps Azure DevOps extension
Note
Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension is retired. MSCA is replaced by the Microsoft Security DevOps Azure DevOps extension. MSCA customers should follow the instructions in this article to install and configure the extension.
Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.
The Microsoft Security DevOps uses the following Open Source tools:
| Name | Language | License |
|---|---|---|
| AntiMalware | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary--Windows, ELF | MIT License |
| Credscan | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files common types: default passwords, SQL connection strings, Certificates with private keys |
Not Open Source |
| ESlint | JavaScript | MIT License |
| Template Analyzer | ARM template, Bicep file | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation | Apache License 2.0 |
| Trivy | container images, file systems, git repositories | Apache License 2.0 |
Prerequisites
- Admin privileges to the Azure DevOps organization are required to install the extension.
If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.
Configure the Microsoft Security DevOps Azure DevOps extension
To configure the Microsoft Security DevOps Azure DevOps extension:
Sign in to Azure DevOps.
Navigate to Shopping Bag > Manage extensions.
Select Shared.
Note
If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.
Select Microsoft Security DevOps.
Select Install.
Select the appropriate organization from the dropdown menu.
Select Install.
Select Proceed to organization.
Configure your pipelines using YAML
To configure your pipeline using YAML:
Sign into Azure DevOps
Select your project.
Navigate to Pipelines
Select New pipeline.
Select Azure Repos Git.
Select the relevant repository.
Select Starter pipeline.
Paste the following YAML into the pipeline:
# Starter pipeline # Start with a minimal pipeline that you can customize to build and deploy your code. # Add steps that build, run tests, deploy, and more: # https://aka.ms/yaml trigger: none pool: vmImage: 'windows-latest' steps: - task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps'To commit the pipeline, select Save and run.
The pipeline will run for a few minutes and save the results.
Note
Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.
Learn more
Learn how to create your first pipeline.
Learn how to deploy pipelines to Azure.
Next steps
Learn more about Defender for DevOps.
Learn how to connect your Azure DevOps to Defender for Cloud.
Feedback
Submit and view feedback for