Cuir in eagar

Comhroinn trí


Configure the Microsoft Security DevOps Azure DevOps extension

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.

The Microsoft Security DevOps uses the following Open Source tools:

Name Language License
AntiMalware AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. Not Open Source
Bandit Python Apache License 2.0
BinSkim Binary--Windows, ELF MIT License
Checkov Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Apache License 2.0
ESlint JavaScript MIT License
IaCFileScanner Template mapping tool for Terraform, CloudFormation, ARM Template, Bicep Not Open Source
Template Analyzer ARM Template, Bicep MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation Apache License 2.0
Trivy container images, Infrastructure as Code (IaC) Apache License 2.0

Note

Effective September 20, 2023, the secrets scanning (CredScan) tool within the Microsoft Security DevOps (MSDO) Extension for Azure DevOps has been deprecated. MSDO secrets scanning will be replaced with GitHub Advanced Security for Azure DevOps.

Prerequisites

  • Project Collection Administrator privileges to the Azure DevOps organization are required to install the extension.

If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.

Configure the Microsoft Security DevOps Azure DevOps extension

To configure the Microsoft Security DevOps Azure DevOps extension:

  1. Sign in to Azure DevOps.

  2. Navigate to Shopping Bag > Manage extensions.

    Screenshot that shows how to navigate to the manage extensions screen.

  3. Select Shared.

    Note

    If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.

  4. Select Microsoft Security DevOps.

    Screenshot that shows where to select Microsoft Security DevOps.

  5. Select Install.

  6. Select the appropriate organization from the dropdown menu.

  7. Select Install.

  8. Select Proceed to organization.

Configure your pipelines using YAML

To configure your pipeline using YAML:

  1. Sign into Azure DevOps

  2. Select your project.

  3. Navigate to Pipelines

  4. Select New pipeline.

    Screenshot showing where to locate create pipeline in DevOps.

  5. Select Azure Repos Git.

    Screenshot that shows you where to navigate to, to select Azure repo git.

  6. Select the relevant repository.

    Screenshot showing where to select your repository.

  7. Select Starter pipeline.

    Screenshot showing where to select starter pipeline.

  8. Paste the following YAML into the pipeline:

    # Starter pipeline
    # Start with a minimal pipeline that you can customize to build and deploy your code.
    # Add steps that build, run tests, deploy, and more:
    # https://aka.ms/yaml
    trigger: none
    pool:
      # ubuntu-latest also supported.
      vmImage: 'windows-latest'
    steps:
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      # inputs:    
        # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). Vist the MSDO GitHub wiki linked below for additional configuration instructions
        # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy to determine the tools/checks to run. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
        # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
        # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
        # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. Example 'templateanalyzer, trivy'
        # break: boolean. Optional. If true, will fail this build step if any high severity level results are found. Default: false.
        # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
        # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.
      
    

    Note

    The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options and environment variables, see the Microsoft Security DevOps wiki

  9. To commit the pipeline, select Save and run.

    The pipeline will run for a few minutes and save the results.

    Note

    Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.

Uploading findings from third-party security tooling into Defender for Cloud

While Defender for Cloud provides the MSDO CLI for standardized functionality and policy controls across a set of open source security analyzers, you have the flexibility to upload results from other third-party security tooling that you might have configured in CI/CD pipelines to Defender for Cloud for comprehensive code-to-cloud contextualization. All results uploaded to Defender for Cloud must be in standard SARIF format.

First, ensure your Azure DevOps repositories are onboarded to Defender for Cloud. After you successfully onboard Defender for Cloud, it continuously monitors the 'CodeAnalysisLogs' artifact for SARIF output.

You can use the 'PublishBuildArtifacts@1' task to ensure SARIF output is published to the correct artifact. For example, if a security analyzer outputs results.sarif, you can configure the following task in your job to ensure results are uploaded to Defender for Cloud:

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: 'results.sarif'
    ArtifactName: 'CodeAnalysisLogs'

Findings from third-party security tools will appear as 'Azure DevOps repositories should have code scanning findings resolved' assessments associated with the repository the security finding was identified in.