Configure the Microsoft Security DevOps Azure DevOps extension
Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.
Microsoft Security DevOps runs the following tools. Most are open source; the license column notes the exceptions:
Name | Language / scope | License |
---|---|---|
AntiMalware | Malware scanning of the build output by Microsoft Defender for Endpoint on Windows; breaks the build if malware is found. Runs by default on the windows-latest agent. | Not open source |
Bandit | Python | Apache License 2.0 |
BinSkim | Binaries (Windows PE, ELF) | MIT License |
ESLint | JavaScript | MIT License |
IaCFileScanner | Terraform, CloudFormation, ARM Template, Bicep | Not open source |
Template Analyzer | ARM Template, Bicep | MIT License |
Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
Trivy | Container images, Infrastructure as Code (IaC) | Apache License 2.0 |
Note
Effective September 20, 2023, the secrets scanning (CredScan) tool within the Microsoft Security DevOps (MSDO) Extension for Azure DevOps has been deprecated. MSDO secrets scanning will be replaced with GitHub Advanced Security for Azure DevOps.
Prerequisites
- Project Collection Administrator privileges to the Azure DevOps organization are required to install the extension.
If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.
Configure the Microsoft Security DevOps Azure DevOps extension
To configure the Microsoft Security DevOps Azure DevOps extension:
Sign in to Azure DevOps.
Select the shopping bag icon (Marketplace) > Manage extensions.
Select Shared.
Note
If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.
Select Microsoft Security DevOps.
Select Install.
Select the appropriate organization from the dropdown menu.
Select Install.
Select Proceed to organization.
Configure your pipelines using YAML
To configure your pipeline using YAML:
Sign in to Azure DevOps.
Select your project.
Navigate to Pipelines.
Select New pipeline.
Select Azure Repos Git.
Select the relevant repository.
Select Starter pipeline.
Paste the following YAML into the pipeline:
```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none

pool:
  # ubuntu-latest also supported.
  vmImage: 'windows-latest'

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    # command: 'run' | 'pre-job' | 'post-job'. Optional. The command to run. Default: run
    # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
    # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
    # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
    # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
    # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
    # break: boolean. Optional. If true, will fail this build step if any error level results are found. Default: false.
    # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
    # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs
```
Note
The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud; do not rename the artifact if you want the results to appear there. For additional tool configuration options, see the Microsoft Security DevOps wiki.
To commit the pipeline, select Save and run.
The pipeline will run for a few minutes and save the results.
Note
Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.
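The task's `break` input only fails the step on error-level results. If you want a different gate (for example, failing on warnings as well, or ignoring findings that have been suppressed in the SARIF), you can read the published SARIF yourself in a follow-up script step. The following script is an added example, not code from the MSDO extension or from this page. It assumes the task ran with `publish: true` and that the path to the merged SARIF file on the agent is passed as the first argument (the file name and location are an assumption; inspect the `CodeAnalysisLogs` artifact to find it). The embedded SARIF is constructed sample data, not real tool output.

```python
"""Gate a pipeline on the SARIF that MicrosoftSecurityDevOps@1 publishes.

Added example (not part of the MSDO extension). Assumes the SARIF path is
given on the command line; with no argument it runs on constructed sample data.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# SARIF 2.1.0 result levels, ordered by severity.
SEVERITY_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF: two runs, rule-level defaults, one suppressed result.
CONSTRUCTED_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Bandit", "rules": [
                {"id": "B105", "defaultConfiguration": {"level": "warning"}},
                {"id": "B602", "defaultConfiguration": {"level": "error"}},
            ]}},
            "results": [
                {"ruleId": "B602"},                    # no level -> rule default (error)
                {"ruleId": "B105", "level": "note"},   # explicit level wins
                {"ruleId": "B999"},                    # unknown rule -> SARIF default (warning)
            ],
        },
        {
            "tool": {"driver": {"name": "Trivy", "rules": []}},
            "results": [
                {"ruleId": "CVE-0000-0000", "level": "error",
                 "suppressions": [{"kind": "inSource"}]},   # suppressed: ignored
                {"ruleId": "CVE-0000-0001", "level": "warning"},
            ],
        },
    ],
}


def load_sarif(path):
    """Read a SARIF file; utf-8-sig tolerates the BOM Windows tools may emit."""
    return json.loads(Path(path).read_text(encoding="utf-8-sig"))


def is_suppressed(result):
    """A result with at least one accepted suppression is not actionable.
    Per SARIF 2.1.0 a suppression with no 'status' counts as accepted."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def result_level(result, rules_by_id):
    """Effective level: result.level, else the rule's defaultConfiguration.level,
    else 'warning' (the SARIF 2.1.0 default)."""
    if result.get("level"):
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"))
    if rule and rule.get("defaultConfiguration", {}).get("level"):
        return rule["defaultConfiguration"]["level"]
    return "warning"


def summarize(sarif):
    """Count unsuppressed results per (tool name, level) across all runs."""
    counts = Counter()
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        rules_by_id = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            if is_suppressed(result):
                continue
            counts[(tool, result_level(result, rules_by_id))] += 1
    return counts


def should_break(counts, threshold="error"):
    """True if any counted result is at or above the threshold level."""
    floor = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER.get(level, 0) >= floor and n > 0
               for (_tool, level), n in counts.items())


def main(argv):
    sarif = load_sarif(argv[1]) if len(argv) > 1 else CONSTRUCTED_SARIF
    counts = summarize(sarif)
    for (tool, level), n in sorted(counts.items()):
        print(f"{tool:<16} {level:<8} {n}")
    if should_break(counts, threshold="error"):
        # Azure Pipelines logging command: surfaces the failure in the run summary.
        print("##vso[task.logissue type=error]MSDO reported error-level results")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a `script` or `PythonScript@0` step after the MicrosoftSecurityDevOps@1 task, with `continueOnError` left at its default so a non-zero exit fails the job. Changing `threshold` to `"warning"` in `main` turns the gate into a stricter policy than the task's own `break` input provides, and the suppression check keeps accepted baseline findings from failing the build.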
Learn more
- Learn how to create your first pipeline.
Next steps
Learn more about DevOps Security in Defender for Cloud.
Learn how to connect your Azure DevOps Organizations to Defender for Cloud.