Microsoft Security DevOps for Azure DevOps

An extension for Azure DevOps that contributes a build task to run the Microsoft Security DevOps CLI.

Installs the Microsoft Security DevOps CLI
Installs the latest Microsoft security policy
Installs the latest Microsoft and 3rd party security tools
Automatic or user-provided configuration of security tools
Execution of a full suite of security tools
Normalized processing of results into the SARIF format
Build breaks and more
Captures the container images pushed in a build run
- In Azure DevOps, this requires the Microsoft Defender for DevOps Container Mapping extension to extract metadata from pipelines, such as the container's digest ID and name, for connecting DevOps entities with their related cloud resources. This extension is automatically shared and installed with organizations that are connected to Microsoft Defender for Cloud. If an organization is not connected to Defender for Cloud, there is no way to configure this functionality as it does not work with manual modification of the Microsoft Security DevOps extension. Attempting to configure it through Microsoft Security DevOps may cause unexpected issues.

Basic

Add the MicrosoftSecurityDevOps build task to your pipeline's yaml:

steps:
- task: MicrosoftSecurityDevOps@1

Tools

Name	Language	License
AntiMalware	code, artifacts	-
Bandit	python	Apache License 2.0
BinSkim	binary - Windows, ELF	MIT License
ESlint	JavaScript	MIT License
IaCFileScanner	Terraform, CloudFormation, ARM Template, Bicep	-
Template Analyzer	Infrastructure-as-code (IaC), ARM templates, Bicep files	MIT License
Terrascan	Infrastructure-as-Code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation	Apache License 2.0
Trivy	Container Images, Infrastructure as Code (Iac)	Apache License 2.0

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Running it locally

Make sure to have a supported version of node and npm installed in your system. After cloning the repo, you can install all dependencies by running this command.

npm install

Note: If you run into 401 - Unauthorized error, then you will need to login to the https://npm.pkg.github.com/ by running this command -

npm login --registry=https://npm.pkg.github.com

More info here.

All other commands are specified in the package.json file.

 "scripts": {
        "build": "dotnet build ./build.proj",
        "compile": "dotnet build ./build.proj /t:Compile",
        "compile-tests": "dotnet build ./build.proj /t:CopyTestHelpers",
        "compile-and-test": "dotnet build ./build.proj /t:Test /p:RunTests=true",
        "test": "npx mocha **/*.tests.js"
    }

You can execute them by using npm run commands. For example: npm run build will execute the dotnet build ./build.proj command and generate a vsix file with your changes for testing.

Testing the extension

To test the extension after making changes in an ADO pipeline run -

1) Make the changes and compile the code. If no errors, a vsix file will be generated. Eg:

PS C:\Users\larohra\source\repos\security-devops-azdevops> npm run build

> microsoft-security-devops-azdevops@1.11.1 build
> dotnet build ./build.proj

MSBuild version 17.9.6+a4ecab324 for .NET
...

  === Completed operation: create extension ===
   - VSIX: C:\Users\larohra\source\repos\security-devops-azdevops\bin\debug\microsoft-security-devops-azdevops-debug.1.11.0.2.vsix
   - Extension ID: microsoft-security-devops-azdevops-larohra
   - Extension Version: 1.11.0.2
   - Publisher: ms-secdevops-test

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:12.94

2) Publish the vsix in your marketplace account (Create a new publisher account if you dont have one) - https://marketplace.visualstudio.com/manage/

3) Share the debug extension with your organization - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#share-your-extension

4) Install the extension in your org - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#install-your-extension

5) Add it to the pipeline run and run the build. Sample:

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Test Container Mapping End'
    timeoutInMinutes: 2
    condition: always()

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

microsoft / security-devops-azdevops

readme