This blog post will show you how to secure your code in GitHub or Azure DevOps using a new DevOps service that is part of the Defender for Cloud umbrella.
In August 2022, Microsoft added a new service to their Defender for Cloud service offering. Defender for DevOps offers organisations threat protection, comprehensive visibility and posture management.
In practice, Defender for DevOps offers proactive threat management of source code (including Terraform) by scanning your repositories and pull requests, and offering recommendations to remediate vulnerabilities.
The above concept is similar to Defender for Cloud Secure Score posture management.
You will find the new service (DevOps Security) in the Defender for Cloud console under the Cloud Security section.
Since the service is still in preview mode, it is free.
To get started, you will need to add an Environment. At this stage, you can only add GitHub or Azure DevOps. To add an environment, you will need permission to connect to either GitHub or Azure DevOps and add a single repository or all repositories.
I recommend starting by adding one repo and understanding how the service works before adding all repos under your GitHub account or Azure Repos.
Once you add your environment, the final step to get Defender for DevOps to scan your code is to add the scanning task to your pipeline.
In my case, I’m using Azure Pipelines. To get the scan to work, I had to install the following two extensions from the marketplace.
Once the extensions were installed, I added the following task to my Azure Pipeline.
trigger:
- none

pool:
  vmImage: ubuntu-latest

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
By default, the scan will run the following scans.
- Bandit (Python code)
- BinSkim (Windows)
- CredScan (Identity scanning tool)
- Template Analyzer (ARM and Bicep)
- Terrascan (Terraform, Helm, Dockerfile, CloudFormation and Kubernetes)
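As an added example (not from the original post), the pipeline below narrows the run to the infrastructure-as-code and secret scanners from the list above, fails the build when a finding is reported, and keeps the scan output as a build artifact. The input names (`categories`, `break`, `publish`, `artifactName`) and the category values are assumed from the extension's documented inputs, so check them against the task's current documentation before relying on them.

```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps (IaC + secrets, break on findings)'
  inputs:
    # Assumed input: restrict the run to the IaC tools (Template Analyzer,
    # Terrascan) and credential scanning (CredScan); Bandit and BinSkim
    # are skipped for this job.
    categories: 'IaC,secrets'
    # Assumed input: fail the pipeline when any tool reports a finding, so a
    # leaked key or a misconfigured Terraform resource cannot merge unnoticed.
    break: true
    # Assumed inputs: keep the scan results as a build artifact for review
    # alongside the Scans tab on the pipeline summary page.
    publish: true
    artifactName: 'CodeAnalysisLogs'
```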
After the pipeline runs, you will see the results under the scan tab on the pipeline summary page.
The Defender for DevOps console will also show recommendations that are less specific to your actual code and more to the overall management of your repo.