Defender for DevOps on AzureDevOps

Overview

Welcome to the second part of this blog series on Microsoft Defender for DevOps.

In my previous post we looked at how you can integrate Defender for DevOps with GitHub and also how to use the Microsoft Security DevOps (MSDO) GitHub action to configure Terrascan to analyze a Terraform IaC Configuration and how the scan results are published on the Azure portal under the DevOps Security dashboard inside Microsoft Defender for Cloud.

Today we will look at how to integrate Defender for DevOps with Azure DevOps instead using the same MSDO toolkit.

Azure DevOps uses the Microsoft Security DevOps (MSDO) Marketplace Extension, instead of a GitHub action. So we will be able to use the same analysis tools on Azure DevOps as we did on GitHub as shown on the previous post.

We will also install another Azure DevOps Extension called SARIF SAST Scans Tab to better view the results of MSDO analyzer scans on Azure DevOps pipeline runs, outside of the console output and results file. It will look for *.sarif files in the CodeAnalysisLogs build artifact directory and display them as source annotations.

Microsoft Security DevOps (MSDO) Overview

Just to recap on what MSDO is, Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools, for security and compliance into the development cycle.

MSDO installs, configures and runs the latest versions of static analysis tools. It is data-driven with portable configurations that enable deterministic execution across multiple environments.

The MSDO toolkit can output and convert results to Static Analysis Results Interchange Format (SARIF) which can display the results in your pipeline runs under a Scans tab using the SARIF SAST Scans Tab extension on Azure DevOps.

MSDO also integrates with Microsoft Defender for DevOps which enables a central console as part of Microsoft Defender for Cloud to provide security teams DevOps insights across multi-pipeline environments, such as GitHub and Azure DevOps.

These insights can then be correlated with other contextual cloud security intelligence to prioritise remediation in code and apply consistent security guardrails throughout the application lifecycle. The benefits of Defender for DevOps, available through Defender for Cloud are:

• Unified visibility into DevOps security posture.
• Visibility of rich security insights to help strengthen cloud resource configurations throughout the development lifecycle.
• Prioritise remediation of critical issues in code.

MSDO tools

At the time of this writing, Microsoft Security DevOps uses the following tools:

Getting started

Before we dive into the MSDO toolkit we first need to connect our Azure DevOps repository to Microsoft Defender for Cloud.

1. Log into the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environment Settings.

3. Select Add environment and then Select Azure DevOps.

4. Enter a name, select your subscription, resource group, and region.

5. Select Plans.

6. Select Next: Authorize connection and Authorize the Azure DevOps connection after reviewing the permission request. IMPORTANT: If your authorizing account is part of multiple Azure DevOps Organisations, ensure that you are logged into the correct org using: https://aex.dev.azure.com/ You will also be able to verify your permissions to link Defender for DevOps to the correct Azure DevOps Org by looking at the top of the permission request screen before accepting.

7. After Authorizing, Select your relevant organization(s), project(s) and repository(s) from the drop-down menus.

8. Select Next: Review and create. Review the information and select Create.

After creation you will see the Azure DevOps connector under Microsoft Defender for Cloud > Environment Settings.

You will also see newly created service hooks in the selected Azure DevOps Project(s) where Defender for Devops have been onboarded.

With Defender for DevOps now connected on the selected Azure DevOps projects you want to onboard, they will be integrated with Microsoft Defender for Cloud and insights will be accessible from the DevOps Security dashboard under Microsoft Defender for Cloud in the Azure portal.

Next we will install the MSDO Azure DevOps Marketplace Extension.

Install required Devops extensions

Navigate to your Azure DevOps Org and install the following two Marketplace Extensions:

• Microsoft Security DevOps (MSDO)
• SARIF SAST Scans Tab

You can verify the installed extensions by navigating to the Shopping Bag Logo > Manage extensions in your DevOps Org.

Next we will look at how we can use the MSDO toolkit to populate the Defender for DevOps dashboard with rich security insights about our code.

Using the MSDO marketplace extension

As mentioned MSDO features a few different tools (I will cover some of the other tools in a future blog post), but I want to concentrate on the same tool as on the previous post called Terrascan.

Terrascan is a static code analyzer for Infrastructure as Code (IaC). Let's take a look at an example on how we can use MSDO integration with Defender for DevOps to get security insights and detect compliance and security violations in a Terraform configuration to mitigate risk before provisioning cloud infrastructure.

Let's look at an example. On my Azure DevOps repository I have a the following Terraform IaC configuration.

Next we'll configure a YAML pipeline to run the MSDO extension using a pipeline task that will trigger the Terrascan and Credscan analyzers to see if it can detect any issues on the Terraform configuration and check for any leaked secrets. We'll also look at how the results will be displayed on the pipeline run SARIF SAST Scan Tab.

1. Navigate to your Azure DevOps project and under pipelines, select New pipeline

2. Select Azure Repos Git.

3. Select the relevant repository.

4. Select Starter pipeline.

5. Paste and commit the following YAML into the pipeline, select Save and run:
   

# Starter pipeline# Start with a minimal pipeline that you can customize to build and deploy your code.# Add steps that build, run tests, deploy, and more:# https://aka.ms/yamltrigger: nonepool:  vmImage: 'windows-latest'steps:  - checkout: self  - task: UseDotNet@2    displayName: 'Use dotnet 3.1.x'    inputs:      version: 3.1.x  - task: UseDotNet@2    displayName: 'Use dotnet 5.0.x'    inputs:      version: 5.0.x  - task: UseDotNet@2    displayName: 'Use dotnet 6.0.x'    inputs:      version: 6.0.x  - task: MicrosoftSecurityDevOps@1    displayName: 'Microsoft Security DevOps'    inputs:      categories: 'IaC,secrets'      tools: 'terrascan'

Take a closer look at the MSDO task and notice that we supply certain inputs:

- task: MicrosoftSecurityDevOps@1  displayName: 'Microsoft Security DevOps'  inputs:    categories: 'IaC,secrets'    tools: 'terrascan'

At the time of writing the following inputs are supported:

After running the pipeline, notice that there is a new Scans tab next to the pipeline run Summary (SARIF SAST Scan Tab). This tab is from the extension we installed earlier as the MSDO toolkit exports results into a *.sarif file and will be picked up in this tab.

Notice that the Terrascan results will be displayed in the Scans tab, based on the *.sarif file artifact.

You can also find the *.sarif file as an artifact attached to the pipeline run.

Defender for DevOps Dashboard

As mentioned MSDO closely integrates with Microsoft Defender for Cloud and has its own 'DevOps Security' dashboard, to review and observe security insights across DevOps and your codebase.

In the Azure portal navigate to Microsoft Defender for Cloud, select the DevOps Security pane and then click on the GitHub connector:

I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page.

Author

Like, share, follow me on: GitHub | Twitter | LinkedIn

Marcel.LFollow

Microsoft DevOps MVP | Cloud Solutions & DevOps Architect | Technical speaker focused on Microsoft technologies, IaC and automation in Azure. Find me on GitHub: https://github.com/Pwd9000-ML