Configure the Microsoft Security DevOps Azure DevOps extension

Note

Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension is retired. MSCA is replaced by the Microsoft Security DevOps Azure DevOps extension. MSCA customers should follow the instructions in this article to install and configure the extension.

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.

The Microsoft Security DevOps uses the following Open Source tools:

Name Language License
Bandit Python Apache License 2.0
BinSkim Binary--Windows, ELF MIT License
ESlint JavaScript MIT License
Credscan Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files
common types: default passwords, SQL connection strings, Certificates with private keys
Not Open Source
Template Analyzer ARM template, Bicep file MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation Apache License 2.0
Trivy container images, file systems, git repositories Apache License 2.0

Prerequisites

  • Admin privileges to the Azure DevOps organization are required to install the extension.

If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.

Configure the Microsoft Security DevOps Azure DevOps extension

To configure the Microsoft Security DevOps Azure DevOps extension:

  1. Sign in to Azure DevOps.

  2. Navigate to Shopping Bag > Manage extensions.

    Screenshot that shows how to navigate to the manage extensions screen.

  3. Select Shared.

    Note

    If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.

  4. Select Microsoft Security DevOps.

    Screenshot that shows where to select Microsoft Security DevOps.

  5. Select Install.

  6. Select the appropriate organization from the dropdown menu.

  7. Select Install.

  8. Select Proceed to organization.

Configure your pipelines using YAML

To configure your pipeline using YAML:

  1. Sign into Azure DevOps

  2. Select your project.

  3. Navigate to Pipelines

  4. Select New pipeline.

    Screenshot showing where to locate create pipeline in DevOps.

  5. Select Azure Repos Git.

    Screenshot that shows you where to navigate to, to select Azure repo git.

  6. Select the relevant repository.

    Screenshot showing where to select your repository.

  7. Select Starter pipeline.

    Screenshot showing where to select starter pipeline.

  8. Paste the following YAML into the pipeline:

    # Starter pipeline
    # Start with a minimal pipeline that you can customize to build and deploy your code.
    # Add steps that build, run tests, deploy, and more:
    # https://aka.ms/yaml
    trigger: none
    pool:
      vmImage: 'windows-latest'
    steps:
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 3.1.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 5.0.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 6.0.x
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
    
  9. Select Save and run.

  10. To commit the pipeline, select Save and run.

The pipeline will run for a few minutes and save the results.

Note

Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.

Learn more

Next steps

Learn more about Defender for DevOps.

Learn how to connect your Azure DevOps to Defender for Cloud.

Discover misconfigurations in Infrastructure as Code (IaC).