Discover misconfigurations in Infrastructure as Code (IaC)

Once you have set up the Microsoft Security DevOps GitHub action or Azure DevOps extension, you can configure the YAML configuration file to run a single tool or multiple tools. For example, you can set up the action or extension to run Infrastructure as Code (IaC) scanning tools only. This can help reduce pipeline run time.

Prerequisites

Configure IaC scanning and view the results in GitHub

  1. Sign in to GitHub.

  2. Navigate to your repository's home page > .github/workflows > msdevopssec.yml that was created in the prerequisites.

  3. Select Edit file.

    Screenshot that shows where to find the edit button for the msdevopssec.yml file.

  4. Under the Run Analyzers section, add:

    with:
        categories: 'IaC'
    

    Note

    Categories are case sensitive.

    Screenshot that shows the information that needs to be added to the YAML file.

  5. Select Start Commit.

  6. Select Commit changes.

    Screenshot that shows where to select Commit changes on the GitHub page.

  7. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

    For example, commit an IaC template to deploy a basic Linux web application to your repository.

    1. Select azuredeploy.json.

      Screenshot that shows where the azuredeploy.json file is located.

    2. Select Raw.

    3. Copy all the information in the file.

      {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
          "webAppName": {
            "type": "string",
            "defaultValue": "AzureLinuxApp",
            "metadata": {
              "description": "Base name of the resource such as web app name and app service plan "
            },
            "minLength": 2
          },
          "sku": {
            "type": "string",
            "defaultValue": "S1",
            "metadata": {
              "description": "The SKU of App Service Plan "
            }
          },
          "linuxFxVersion": {
            "type": "string",
            "defaultValue": "php|7.4",
            "metadata": {
              "description": "The Runtime stack of current web app"
            }
          },
          "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
              "description": "Location for all resources."
            }
          }
        },
        "variables": {
          "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
          "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
        },
        "resources": [
          {
            "type": "Microsoft.Web/serverfarms",
            "apiVersion": "2020-06-01",
            "name": "[variables('appServicePlanName')]",
            "location": "[parameters('location')]",
            "sku": {
              "name": "[parameters('sku')]"
            },
            "kind": "linux",
            "properties": {
              "reserved": true
            }
          },
          {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2020-06-01",
            "name": "[variables('webAppPortalName')]",
            "location": "[parameters('location')]",
            "kind": "app",
            "dependsOn": [
              "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
            ],
            "properties": {
              "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
              "siteConfig": {
                "linuxFxVersion": "[parameters('linuxFxVersion')]"
              }
            }
          }
        ]
      }
      
    4. On GitHub, navigate to your repository.

    5. Select Add file > Create new file.

      Screenshot that shows you where to navigate to, to create a new file.

    6. Enter a name for the file.

    7. Paste the copied information into the file.

    8. Select Commit new file.

    The file is now added to your repository.

    Screenshot that shows that the new file you created has been added to your repository.

  8. Confirm the Microsoft Security DevOps scan completed:

    1. Select Actions.
    2. Select the workflow to see the results.
  9. Navigate to Security > Code scanning alerts to view the results of the scan (filter by tool as needed to see just the IaC findings).
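The complete workflow that the steps above produce, shown here as an added example rather than a copy of the page's generated msdevopssec.yml. Assumed: the `ubuntu-latest` runner, the `@latest` tag of the action, and the `github/codeql-action/upload-sarif` step that publishes the SARIF file to the Code scanning alerts tab (it needs the `security-events: write` permission); the `categories: 'IaC'` input is the one the page adds.

```yaml
# Example msdevopssec.yml restricted to IaC scanning (added example, not the page's file).
name: MSDO IaC scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Uploading SARIF to the Security tab requires security-events: write (assumption
# about the codeql-action upload step; contents: read is enough for checkout).
permissions:
  contents: read
  security-events: write

jobs:
  iac-scan:
    runs-on: ubuntu-latest   # assumed runner
    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps (IaC tools only)
        uses: microsoft/security-devops-action@latest   # assumed tag
        id: msdo
        with:
          categories: 'IaC'   # case sensitive, as the page notes

      # Publish the findings so they appear under Security > Code scanning alerts.
      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```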

Configure IaC scanning and view the results in Azure DevOps

To view the results of the IaC scan in Azure DevOps:

  1. Sign in to Azure DevOps.

  2. Select the desired project.

  3. Select Pipeline.

  4. Select the pipeline where the Microsoft Security DevOps Azure DevOps Extension is configured.

  5. Edit the pipeline configuration YAML file.

  6. Add the following lines to the YAML file:

    inputs:
        categories: 'IaC'
    

    Screenshot showing you where to add this line to the YAML file.

  7. Select Save.

  8. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

  9. Select Save to commit directly to the main branch or Create a new branch for this commit.

  10. Select Pipeline > Your created pipeline to view the results of the IaC scan.

  11. Select any result to see the details.
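An Azure DevOps pipeline definition that applies the `inputs: categories: 'IaC'` setting from the steps above, shown as an added example rather than the page's own pipeline. Assumed: the Microsoft Security DevOps extension is installed in the organization (it provides the `MicrosoftSecurityDevOps@1` task), and the `ubuntu-latest` hosted image; the trigger and display name are illustrative.

```yaml
# Example azure-pipelines.yml running only the IaC category of Microsoft Security DevOps
# (added example, not the page's pipeline). Assumes the extension is installed in the org.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'   # assumed hosted image

steps:
  - checkout: self

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Run Microsoft Security DevOps (IaC only)'
    inputs:
      categories: 'IaC'   # case sensitive; limits the run to the IaC scanning tools
```

After the run, the findings are listed under the pipeline run itself, as described in the steps above.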

View details and remediation information on IaC rules included with Microsoft Security DevOps

The IaC scanning tools that are included with Microsoft Security DevOps are Template Analyzer (which contains PSRule) and Terrascan.

Template Analyzer runs rules on ARM and Bicep templates. You can learn more about Template Analyzer's rules and remediation details.

Terrascan runs rules on ARM, CloudFormation, Docker, Helm, Kubernetes, Kustomize, and Terraform templates. You can learn more about the Terrascan rules.

Learn more

In this tutorial you learned how to configure the Microsoft Security DevOps GitHub Action and Azure DevOps Extension to scan for Infrastructure as Code (IaC) security misconfigurations and how to view the results.

Next steps

Learn more about Defender for DevOps.

Learn how to connect your GitHub to Defender for Cloud.

Learn how to connect your Azure DevOps to Defender for Cloud.