Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.
The Microsoft Security DevOps uses the following Open Source tools:
| Name | Language | License |
|---|---|---|
| AntiMalware | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary--Windows, ELF | MIT License |
| Checkov | Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM | Apache License 2.0 |
| ESlint | JavaScript | MIT License |
| IaCFileScanner | Template mapping tool for Terraform, CloudFormation, ARM Template, Bicep | Not Open Source |
| Template Analyzer | ARM Template, Bicep | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | container images, Infrastructure as Code (IaC) | Apache License 2.0 |
Note
Effective September 20, 2023, the secrets scanning (CredScan) tool within the Microsoft Security DevOps (MSDO) Extension for Azure DevOps has been deprecated. MSDO secrets scanning will be replaced with GitHub Advanced Security for Azure DevOps.
Prerequisites
- Project Collection Administrator privileges to the Azure DevOps organization are required to install the extension.
If you don't have access to install the extension, you must request access from your Azure DevOps organization's administrator during the installation process.
Configure the Microsoft Security DevOps Azure DevOps extension
To configure the Microsoft Security DevOps Azure DevOps extension:
Sign in to Azure DevOps.
Navigate to Shopping Bag > Manage extensions.
Select Shared.
Note
If you've already installed the Microsoft Security DevOps extension, it will be listed in the Installed tab.
Select Microsoft Security DevOps.
Select Install.
Select the appropriate organization from the dropdown menu.
Select Install.
Select Proceed to organization.
Configure your pipelines using YAML
To configure your pipeline using YAML:
Sign into Azure DevOps
Select your project.
Navigate to Pipelines
Select New pipeline.
Select Azure Repos Git.
Select the relevant repository.
Select Starter pipeline.
Paste the following YAML into the pipeline:
# Starter pipeline # Start with a minimal pipeline that you can customize to build and deploy your code. # Add steps that build, run tests, deploy, and more: # https://aka.ms/yaml trigger: none pool: # ubuntu-latest also supported. vmImage: 'windows-latest' steps: - task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps' # inputs: # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). Vist the MSDO GitHub wiki linked below for additional configuration instructions # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy to determine the tools/checks to run. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops. # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. Example 'templateanalyzer, trivy' # break: boolean. Optional. If true, will fail this build step if any high severity level results are found. Default: false. # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true. # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.Note
The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options and environment variables, see the Microsoft Security DevOps wiki
To commit the pipeline, select Save and run.
The pipeline will run for a few minutes and save the results.
Note
Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.
Uploading findings from third-party security tooling into Defender for Cloud
While Defender for Cloud provides the MSDO CLI for standardized functionality and policy controls across a set of open source security analyzers, you have the flexibility to upload results from other third-party security tooling that you might have configured in CI/CD pipelines to Defender for Cloud for comprehensive code-to-cloud contextualization. All results uploaded to Defender for Cloud must be in standard SARIF format.
First, ensure your Azure DevOps repositories are onboarded to Defender for Cloud. After you successfully onboard Defender for Cloud, it continuously monitors the 'CodeAnalysisLogs' artifact for SARIF output.
You can use the 'PublishBuildArtifacts@1' task to ensure SARIF output is
published to the correct artifact. For example, if a security analyzer
outputs results.sarif, you can configure the following task in your job
to ensure results are uploaded to Defender for Cloud:
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: 'results.sarif'
ArtifactName: 'CodeAnalysisLogs'
Findings from third-party security tools will appear as 'Azure DevOps repositories should have code scanning findings resolved' assessments associated with the repository the security finding was identified in.