(Part 9 in a 10-part series)
A relatively new module is the Microsoft Security DevOps for Azure DevOps module. It is available as a Marketplace add-on for Azure DevOps and must be installed by your project or organization administrator. This module checks your Bicep files for many common security issues and reports them as errors or warnings.
Using Azure DevOps Security Scan
Using this module is simple, and the setup is reusable. A pre-defined template is called in the pipeline:
A template is defined with the necessary steps:
And that’s it! In this case, on line 27, the “continueOnError” flag is set. Because of that, all of the issues will be flagged as warnings or errors, but this step will NOT break the build and stop the deploy from continuing.
Many of the projects I’ve been working on are demos and are not designed for production use, so some things are flagged that are not issues for a demo. For example, Key Vaults in production should be protected so they cannot be easily deleted or purged. However, for demo projects, I want to be able to deploy them quickly (using an “azd up” command!) and then burn them down just as quickly (using an “azd down” command!) so I don’t turn on purge protection. If the Key Vault purge protection is enabled, then this deploy would work once, and then the second time it would throw an error and not let you redeploy.
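The warn-versus-break choice described above can be exposed as a template parameter, so demo pipelines keep deploying while production pipelines stop on findings. This is an added example, not the template from the original post (its line numbers do not correspond to the ones mentioned above); the file names, the stage and job names, and the continueOnError parameter are assumptions, and the two YAML documents below are two separate files.

```yaml
# File 1: templates/security-scan.yml (hypothetical path)
# Reusable steps template wrapping the Microsoft Security DevOps task.
parameters:
  - name: continueOnError      # hypothetical parameter name
    type: boolean
    default: true              # demo default: report findings, keep deploying

steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: Scan Bicep files (Microsoft Security DevOps)
    # true  -> a failed scan is reported and later steps still run
    # false -> a failed scan stops the pipeline before the deploy
    continueOnError: ${{ parameters.continueOnError }}
    inputs:
      categories: 'IaC'            # only run infrastructure-as-code analyzers
      tools: 'templateanalyzer'    # analyzer that understands ARM and Bicep
      break: true                  # fail this step when the scan reports errors
---
# File 2: azure-pipelines.yml (caller)
trigger:
  - main

stages:
  - stage: Scan                    # hypothetical stage name
    jobs:
      - job: SecurityScan          # hypothetical job name
        pool:
          vmImage: ubuntu-latest
        steps:
          # Production pipeline: override the demo default so that
          # findings such as missing Key Vault purge protection
          # block the deploy instead of scrolling past as warnings.
          - template: templates/security-scan.yml
            parameters:
              continueOnError: false
```

With break set to true the scan step itself fails on findings, so the continueOnError value alone decides whether that failure is a warning or a gate.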
GitHub Advanced Security Scan
One of the big draws for people to move their code to GitHub repositories is the security scanning features that exist in GitHub Actions. Microsoft has announced that the GitHub Advanced Security scanning will soon be available on Azure DevOps pipelines.
“GitHub Advanced Security for Azure DevOps brings the same secret scanning, dependency scanning and CodeQL code scanning solutions already available for GitHub users and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines.”
At the time of this post, this was still in private preview and not available to review. Once it is available, this post will be updated with the latest information.
Next step: Converting Azure DevOps Pipelines to GitHub Actions
Microsoft Security DevOps Add-In for Azure DevOps
Enable DevSecOps with Azure and GitHub
GitHub Advanced Security for Azure DevOps