DEV Community

Cover image for Defender for DevOps on AzureDevOps
Marcel.L
Marcel.L

Posted on • Edited on

Defender for DevOps on AzureDevOps

Overview

Welcome to the second part of this blog series on Microsoft Defender for DevOps.

In my previous post we looked at how you can integrate Defender for DevOps with GitHub and also how to use the Microsoft Security DevOps (MSDO) GitHub action to configure Terrascan to analyze a Terraform IaC Configuration and how the scan results are published on the Azure portal under the DevOps Security dashboard inside Microsoft Defender for Cloud.

Today we will look at how to integrate Defender for DevOps with Azure DevOps instead using the same MSDO toolkit.

Azure DevOps uses the Microsoft Security DevOps (MSDO) Marketplace Extension, instead of a GitHub action. So we will be able to use the same analysis tools on Azure DevOps as we did on GitHub as shown on the previous post.

We will also install another Azure DevOps Extension called SARIF SAST Scans Tab to better view the results of MSDO analyzer scans on Azure DevOps pipeline runs, outside of the console output and results file. It will look for *.sarif files in the CodeAnalysisLogs build artifact directory and display them as source annotations.

Microsoft Security DevOps (MSDO) Overview

Just to recap on what MSDO is, Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools, for security and compliance into the development cycle.

MSDO installs, configures and runs the latest versions of static analysis tools. It is data-driven with portable configurations that enable deterministic execution across multiple environments.

The MSDO toolkit can output and convert results to Static Analysis Results Interchange Format (SARIF) which can display the results in your pipeline runs under a Scans tab using the SARIF SAST Scans Tab extension on Azure DevOps.

MSDO also integrates with Microsoft Defender for DevOps which enables a central console as part of Microsoft Defender for Cloud to provide security teams DevOps insights across multi-pipeline environments, such as GitHub and Azure DevOps.

These insights can then be correlated with other contextual cloud security intelligence to prioritise remediation in code and apply consistent security guardrails throughout the application lifecycle. The benefits of Defender for DevOps, available through Defender for Cloud are:

  • Unified visibility into DevOps security posture.
  • Visibility of rich security insights to help strengthen cloud resource configurations throughout the development lifecycle.
  • Prioritise remediation of critical issues in code.

MSDO tools

At the time of this writing, Microsoft Security DevOps uses the following tools:

Name Language License
Bandit Python Apache License 2.0
Binskim Binary--Windows, ELF MIT License
ESlint JavaScript MIT License
Credscan A tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files common types: default passwords, SQL connection strings, Certificates with private keys Free during Defender for DevOps preview
Template Analyzer ARM templates, Bicep files MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation Apache License 2.0
Trivy Container images, File systems, Git repositories Apache License 2.0

Getting started

Before we dive into the MSDO toolkit we first need to connect our Azure DevOps repository to Microsoft Defender for Cloud.

  1. Log into the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment Settings.

  3. Select Add environment and then Select Azure DevOps. image.png

  4. Enter a name, select your subscription, resource group, and region. image.png

  5. Select Plans. image.png

  6. Select Next: Authorize connection and Authorize the Azure DevOps connection after reviewing the permission request. image.png IMPORTANT: If your authorizing account is part of multiple Azure DevOps Organisations, ensure that you are logged into the correct org using: https://aex.dev.azure.com/ image.png You will also be able to verify your permissions to link Defender for DevOps to the correct Azure DevOps Org by looking at the top of the permission request screen before accepting. image.png

  7. After Authorizing, Select your relevant organization(s), project(s) and repository(s) from the drop-down menus. image.png

  8. Select Next: Review and create. Review the information and select Create.

After creation you will see the Azure DevOps connector under Microsoft Defender for Cloud > Environment Settings.

image.png

You will also see newly created service hooks in the selected Azure DevOps Project(s) where Defender for Devops have been onboarded.

image.png

With Defender for DevOps now connected on the selected Azure DevOps projects you want to onboard, they will be integrated with Microsoft Defender for Cloud and insights will be accessible from the DevOps Security dashboard under Microsoft Defender for Cloud in the Azure portal.

image.png

Next we will install the MSDO Azure DevOps Marketplace Extension.

Install required Devops extensions

Navigate to your Azure DevOps Org and install the following two Marketplace Extensions:

You can verify the installed extensions by navigating to the Shopping Bag Logo > Manage extensions in your DevOps Org.

image.png

image.png

Next we will look at how we can use the MSDO toolkit to populate the Defender for DevOps dashboard with rich security insights about our code.

Using the MSDO marketplace extension

As mentioned MSDO features a few different tools (I will cover some of the other tools in a future blog post), but I want to concentrate on the same tool as on the previous post called Terrascan.

Terrascan is a static code analyzer for Infrastructure as Code (IaC). Let's take a look at an example on how we can use MSDO integration with Defender for DevOps to get security insights and detect compliance and security violations in a Terraform configuration to mitigate risk before provisioning cloud infrastructure.

Let's look at an example. On my Azure DevOps repository I have a the following Terraform IaC configuration.

image.png

Next we'll configure a YAML pipeline to run the MSDO extension using a pipeline task that will trigger the Terrascan and Credscan analyzers to see if it can detect any issues on the Terraform configuration and check for any leaked secrets. We'll also look at how the results will be displayed on the pipeline run SARIF SAST Scan Tab.

  1. Navigate to your Azure DevOps project and under pipelines, select New pipeline image.png

  2. Select Azure Repos Git. image.png

  3. Select the relevant repository. image.png

  4. Select Starter pipeline. image.png

  5. Paste and commit the following YAML into the pipeline, select Save and run:



# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none

pool:
  vmImage: 'windows-latest'

steps:
  - checkout: self

  - task: UseDotNet@2
    displayName: 'Use dotnet 3.1.x'
    inputs:
      version: 3.1.x

  - task: UseDotNet@2
    displayName: 'Use dotnet 5.0.x'
    inputs:
      version: 5.0.x

  - task: UseDotNet@2
    displayName: 'Use dotnet 6.0.x'
    inputs:
      version: 6.0.x

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      categories: 'IaC,secrets'
      tools: 'terrascan'


Enter fullscreen mode Exit fullscreen mode

Take a closer look at the MSDO task and notice that we supply certain inputs:



- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    categories: 'IaC,secrets'
    tools: 'terrascan'


Enter fullscreen mode Exit fullscreen mode

At the time of writing the following inputs are supported:

Input Description Default
config: A file path to an MSDO configuration file (*.gdnconfig). See config file examples. -
policy: The name of a well known Microsoft policy. If no configuration is provided, the policy may instruct MSDO what tools to run. Values: 'none', 'microsoft' 'microsoft'
categories: A comma separated list of analyzer categories to run. Values: 'secrets', 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC,secrets'. Defaults to all.
languages: A comma separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
tools: A comma separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'template-analyzer', 'terrascan', 'trivy'. detect
break: Values: true/false, will fail this build step if any error level results are found. false
publish: Values: true/false, will publish the output SARIF results file to the chosen pipeline artifact. true
artifactName: The name of the pipeline artifact to publish the SARIF result file to. If default left as "CodeAnalysisLogs", it integrates with the SARIF Scans Tab viewing experience CodeAnalysisLogs

After running the pipeline, notice that there is a new Scans tab next to the pipeline run Summary (SARIF SAST Scan Tab). This tab is from the extension we installed earlier as the MSDO toolkit exports results into a *.sarif file and will be picked up in this tab.

image.png

Notice that the Terrascan results will be displayed in the Scans tab, based on the *.sarif file artifact.

image.png

You can also find the *.sarif file as an artifact attached to the pipeline run.

image.png

image.png

Defender for DevOps Dashboard

As mentioned MSDO closely integrates with Microsoft Defender for Cloud and has its own 'DevOps Security' dashboard, to review and observe security insights across DevOps and your codebase.

In the Azure portal navigate to Microsoft Defender for Cloud, select the DevOps Security pane and then click on the GitHub connector:

image.png

I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page. โค๏ธ

Author

Like, share, follow me on: ๐Ÿ™ GitHub | ๐Ÿง X/Twitter | ๐Ÿ‘พ LinkedIn

Top comments (7)

Collapse
 
tjementum profile image
Thomas Jespersen

Not even sure that this is the right place to give feedback, but I cannot find another place, so hoping Microsoft is listening :)

I've been playing a bit more and ran into another small issue. I got the following informational warning from my Terraform (that I can also see you also get in your screenshot):

Rule AC_AZURE_0389: Ensure that Azure Resource Group has resource lock enabled

While this is easy to fix in Terraform, I want to disable this rule. As far as I can tell, it's not currently possible to disable rules when using the "Microsoft Security DevOps" extension. It is, however, possible to ignore policies in Terrascan that I believe is used behind the scene.

Why I want to disable this:

  • Setting lock-level requires the Azure Pipeline to have owner rights on resources (default is Contributor). I do not like having to grant elevated rights, and in general, I do no like Azure Locks.
  • For some resources like DNS you cannot have a Lock level. We programmatically add and delete DNS records from our app, but deleting a DNS record is not possible if there is a Lock level on the resource.

I'm sure there are other reasons why you would want to disable rules.

Again. Awesome that Microsoft is looking into this, as it's such an important area.

Collapse
 
sizzl profile image
Sizzl • Edited

Came across this article when also refreshing my knowledge on Defender for DevOps... The pipeline integration isn't at all well documented, but I'd previously found through source trawling and FAQs that you can also just define pipeline variables if there's only a small amount of checks to skip:

e.g.,

GDN_TERRASCAN_SKIPRULES = AC_AZURE_0389

Ref: github.com/microsoft/security-devo...

Collapse
 
pwd9000 profile image
Marcel.L • Edited

Hey @tjementum
Thank you for the great feedback and as the product matures from preview I am sure that there will be exclusions that can be passed as inputs. But for the time being this is possible by using a (*.gdnconfig) config file: github.com/microsoft/security-devo...

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      config: <path to an MSDO configuration file (*.gdnconfig)>
Enter fullscreen mode Exit fullscreen mode

You are looking for this setting: "SkipRules": "",

Example config for Terrascan using a gdconfig file:

{
  "tools": [
    {
      "tool": {
        "name": "Terrascan",
        "version": "Latest"
      },
      "arguments": {
        "Init": "",
        "Scan": "scan",
        "Server": "",
        "Version": "",
        "ConfigPath": "",
        "LogLevel": "",
        "LogType": "",
        "OutputType": "sarif",
        "Categories": "",
        "ConfigOnly": "",
        "FindVuln": "",
        "Help": "",
        "IacDir": "$(WorkingDirectory)",
        "IacFile": "",
        "IacType": "",
        "IacVersion": "",
        "NonRecursive": "",
        "PolicyPath": "",
        "PolicyType": "",
        "RemoteType": "",
        "RemoteUrl": "",
        "ScanRules": "",
        "Severity": "",
        "ShowPassed": "",
        "SkipRules": "",
        "UseColors": "auto",
        "UseTerraformCache": "",
        "Verbose": ""
      }
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode
Collapse
 
tjementum profile image
Thomas Jespersen

I love it, thanks. I just configured this and got the following error:

The pipeline is not valid. Job Job: Step 'MicrosoftSecurityDevOps' references task 'MicrosoftSecurityDevOps' at version '1.6.0' contains an execution handler that relies on NodeJS version '6' which is restricted by your administrator.

This is caused by this Azure DevOps organizational setting. I tried to disable that, and it works like a charm. But maybe you should consider upgrading to the latest version of NodeJS :)

Image description

Collapse
 
pwd9000 profile image
Marcel.L

Thatโ€™s awesome, thanks for picking this up!

Collapse
 
jakubi profile image
Jakub Iwanczuk

Hi Marcel

Thanks for this article it did help me a lot understanding more about this tool.

I have a question regarding the combination of the configuration options. I find it confusing regarding some combinations for categories and tools (and you can probably add languages to that). For instance, in your example you configure the tool to run "IaC, secrets", but specify "terrascan" as tool, I am assuming that the effect of that will be tha credscan will not run, so what is the point on specifying "secrets" in categories.
Maybe there is some kind of good purpose with these options, but it is simply hard for me to figure out because the documentation is not available.

Anyways thanks again.

\Jakub

Collapse
 
ahmedsza profile image
ahmedsza

Fantastic article. Question - when you run these pipelines, and they have issues, do you see these in the defender for devops UI in Azure. The results for me are not filtering through -wanted to confirm what you see

Some comments have been hidden by the post's author - find out more