DEV Community

Martin
Martin

Posted on

Microsoft Defender for DevOps (Preview)

Microsoft recently announced the new Defender for DevOps which is an extension built in directly into Microsoft Defender for Cloud now allowing you to monitor and manage security across a number of pipeline environments including Github and Azure DevOps.

Some of the features include:

  • Vulnerability management in open source code.
  • Exposed secrets in code that have been hard coded.
  • Container image scanning
  • Pull Request annotations

This has been long awaited and finally it's here. In this short post we will go through how to on-board the feature using Defender for Cloud in Azure.

The Microsoft Security DevOps extension currently supports the following open source tools:

Name Language License
Bandit Python Apache License 2.0
BinSkim Binary--Windows, ELF MIT License
ESlint JavaScript MIT License
Credscan Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files
common types: default passwords, SQL connection strings, Certificates with private keys
Not Open Source
Template Analyzer ARM template, Bicep file MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation Apache License 2.0
Trivy container images, file systems, git repositories Apache License 2.0

You can customise the extension and only run a selection of these tools which we will look at later in this post.

Adding the Azure DevOps connector in Microsoft Defender

At the time of writing, Defender for DevOps is currently in preview and only available in the Central US Azure region.

You will need the following permissions to get this configure:

  • Organisation administrator in Azure DevOps
  • Security Administrator role in Defender for Cloud.
  • Contributor role on the subscription you are creating the connector in.
  • In Azure DevOps, configure: Third-party applications gain access via OAuth, which must be set to On . Learn more about OAuth

1: Open up Microsoft Defender for Cloud in the Azure Portal and navigate to DevOps Security

Image description

2: Select "Add Connector" and choose Azure DevOps

Image description

3: Choose a Resource Group and give your connector a name (globally unique).

Image description

4: Select the plan shown. Currently this is free as the service is in preview

Image description

5: On the next section select "Authorize". This will authorise your account and give Microsoft Defender permissions to your Azure DevOps organisation. You will see a pop up appear which will prompt for sign in. Make sure you sign in with the right account and have the right organisation selected if you are part of multiple. This caught me out on the first attempt and the creation failed.

Image description

6: Next on the same screen you will need to select which Azure DevOps projects and repositories you want to grant access to. You can either select specific ones or use auto discovery which will on-board everything and any future ones that are created.

7: Review the configuration and select "create".

Image description

8: You should then see the environment successfully connected in Microsoft Defender in the Azure DevOps security blade:

Image description

Next we will look at the installing the extensions in Azure DevOps and setting up the pipeline required to perform the scans.

Configuring the extensions and pipeline in Azure DevOps

1: Navigate to Azure DevOps and select manage extensions at the top right of your screen:

Image description

2: Select "Browse marketplace" and install the following extensions:

  • Microsoft Security DevOps
  • SARIF SAST Scans Tab (Add a tab to your build to show the scan results)

Image description

Configure the security scan pipeline

In order to scan our code we need to configure the pipeline with the required tooling from Microsoft that runs the extension.

1: Create a new starter pipeline in your repository and paste the following code (more detailed instructions provide by MS here:

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none
pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps' 
  inputs:
    categories: 'IaC,secrets'
    tools: 'terrascan,credscan'
Enter fullscreen mode Exit fullscreen mode

Image description

I mainly store Terraform code in my selected repository and so I have specified that I want to run the terrascan and 'credscan" tool and I want to specifically scan for Infrastructure As Code misconfiguration and exposed secrets in my code.

2: Run the pipeline and wait for the job to complete. Once this is done you can view the results in the scan tab:

Image description

3: You can now view the results in the scan tab. You can see I have quite a few areas in TF where adjustments are needed:

Image description

You can also customise the sensitivity of the scans. More information on how to configure the analysers on Github

Additionally the scan results are also published as an artifact:

Image description

Image description

4: Next you can navigate back to Microsoft Defender for Cloud in Azure and view the results and security posture directly there giving you a unified single pane of glass:

Image description

Enable pull request annotations

Defender for DevOps allows you to expose the above security findings as annotations in pull requests so developers know where issue need to be resolved before the code is merged into the main branch. This prevents issues before any code reaches production.

Enable build validation on your main branch in Azure DevOps

1: Sign in to Azure DevOps and navigate to project settings and then repositories

Image description

2: Select your repository and then navigate to policies and then select your main branch.

Image description

3: Navigate to the build validation section and enable the build validation with the default settings. Select the pipeline we created earlier in the build pipeline dropdown. Give it an appropriate name:

Image description

Image description

Enable pull request annotation in Defender for Cloud

1: Login to the Azure portal and navigate to Defender for Cloud > DevOps Security

2: Select the relevant repository to enable the pull request annotation and select configure:

Image description

3: Enable the annotations and select a category. Currently only secrets are supported whilst in preview.

Image description

Now we are all set. I have intentionally hard coded a secret in my repository and created a pull request to show the annotations working. The pull request triggered the build validation we set up earlier which performs a new scan.

Image description

This was just a crash course on this preview feature and there is defiantly a lot more left to explore however it's great to be able to perform these scans with a single extension and view them directly in Microsoft Defender now providing the capability not only to view your security posture in Azure but also in Azure DevOps.

Top comments (0)