Configure the Microsoft Security DevOps Azure DevOps extension

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.

The Microsoft Security DevOps uses the following Open Source tools:

Name Language License
AntiMalware AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. Not Open Source
Bandit Python Apache License 2.0
BinSkim Binary--Windows, ELF MIT License
ESlint JavaScript MIT License
IaCFileScanner Terraform, CloudFormation, ARM Template, Bicep Not Open Source
Template Analyzer ARM Template, Bicep MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation Apache License 2.0
Trivy container images, Infrastructure as Code (IaC) Apache License 2.0

Note

Effective September 20, 2023, the secrets scanning (CredScan) tool within the Microsoft Security DevOps (MSDO) Extension for Azure DevOps has been deprecated. MSDO secrets scanning will be replaced with GitHub Advanced Security for Azure DevOps.

Prerequisites

  • Project Collection Administrator privileges to the Azure DevOps organization are required to install the extension.

If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.

Configure the Microsoft Security DevOps Azure DevOps extension

To configure the Microsoft Security DevOps Azure DevOps extension:

  1. Sign in to Azure DevOps.

  2. Navigate to Shopping Bag > Manage extensions.

    Screenshot that shows how to navigate to the manage extensions screen.

  3. Select Shared.

    Note

    If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.

  4. Select Microsoft Security DevOps.

    Screenshot that shows where to select Microsoft Security DevOps.

  5. Select Install.

  6. Select the appropriate organization from the dropdown menu.

  7. Select Install.

  8. Select Proceed to organization.

Configure your pipelines using YAML

To configure your pipeline using YAML:

  1. Sign into Azure DevOps

  2. Select your project.

  3. Navigate to Pipelines

  4. Select New pipeline.

    Screenshot showing where to locate create pipeline in DevOps.

  5. Select Azure Repos Git.

    Screenshot that shows you where to navigate to, to select Azure repo git.

  6. Select the relevant repository.

    Screenshot showing where to select your repository.

  7. Select Starter pipeline.

    Screenshot showing where to select starter pipeline.

  8. Paste the following YAML into the pipeline:

    # Starter pipeline
    # Start with a minimal pipeline that you can customize to build and deploy your code.
    # Add steps that build, run tests, deploy, and more:
    # https://aka.ms/yaml
    trigger: none
    pool:
      # ubuntu-latest also supported.
      vmImage: 'windows-latest'
    steps:
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:    
      # command: 'run' | 'pre-job' | 'post-job'. Optional. The command to run. Default: run
      # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
      # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
      # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
      # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
      # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
      # break: boolean. Optional. If true, will fail this build step if any error level results are found. Default: false.
      # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
      # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.
    
    

    Note

    The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options, see the Microsoft Security DevOps wiki

  9. To commit the pipeline, select Save and run.

The pipeline will run for a few minutes and save the results.

Note

Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.

Learn more

Next steps

Learn more about DevOps Security in Defender for Cloud.

Learn how to connect your Azure DevOps Organizations to Defender for Cloud.