Microsoft Security DevOps (MSDO) GitHub action
Microsoft Security DevOps (MSDO) is a command-line application that integrates static analysis tools for security and compliance into the development cycle.
Today we'll take a closer look at how we can use the MSDO GitHub action and how it integrates with Microsoft Defender for DevOps.
MSDO installs, configures and runs the latest versions of static analysis tools. It is data-driven, with portable configurations that enable deterministic execution across multiple environments.
The MSDO toolkit can output and convert results to the Static Analysis Results Interchange Format (SARIF), which GitHub can display as code scanning alerts in your repository's Security tab.
MSDO integrates with Microsoft Defender for DevOps, which provides a central console, as part of Microsoft Defender for Cloud, that gives security teams DevOps insights across multi-pipeline environments such as GitHub and Azure DevOps.
These insights can then be correlated with other contextual cloud security intelligence to prioritise remediation in code and apply consistent security guardrails throughout the application lifecycle. The benefits of Defender for DevOps, available through Defender for Cloud, are:
- Unified visibility into DevOps security posture.
- Visibility of rich security insights to help strengthen cloud resource configurations throughout the development lifecycle.
- Prioritised remediation of critical issues in code.
MSDO tools
At the time of writing, Microsoft Security DevOps uses the following tools:
Getting started
Before we dive into the MSDO toolkit we first need to connect our GitHub repository to Microsoft Defender for Cloud.
- Log in to the Azure portal.
- Navigate to Microsoft Defender for Cloud > Environment Settings.
- Enter a name, and select your subscription, resource group and region.
- Select Next: Authorize connection, review the permission request and authorize the GitHub connection.
- After authorizing, click Install under Install Defender for DevOps app.
- You can install the Defender for DevOps app on All or Individual repositories as needed.
- Select Next: Review and create. Review the information and select Create.
NOTE: You will see the GitHub connector under Microsoft Defender for Cloud > Environment Settings. If you only added one repository and later want to add/onboard more repositories onto the same Defender for DevOps plan, you can do so from your GitHub Settings > Applications.
After installing Defender for DevOps on the repositories you want to onboard, they will be integrated with Microsoft Defender for Cloud and insights will be available from the DevOps Security dashboard under Defender for Cloud in the Azure portal.
Next we'll take a look at the MSDO GitHub action and see how we can use certain tools to populate the dashboard with rich security insights about our code.
Configuring the MSDO GitHub action (with Terrascan)
The following examples can be found on my MSDO-Lab GitHub page.
As mentioned, MSDO features several different tools (I'll cover some of the other tools in a future blog post), but today I want to focus on a specific tool called Terrascan, which is part of the MSDO toolkit.
Terrascan is a static code analyzer for Infrastructure as Code (IaC). Let's take a look at an example of how we can use the MSDO integration with Defender for DevOps to get security insights and detect compliance and security violations in a Terraform configuration, so that risk is mitigated before cloud infrastructure is provisioned.
In my GitHub repository, under the path 01_Foundation, I have the following Terraform configuration that simply builds a Resource Group and a Key Vault.
```hcl
### Data Sources ###
data "azurerm_client_config" "current" {}

# Create a Resource Group
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
  tags     = var.tags
}

# Create a Key Vault for the Resource Group
resource "azurerm_key_vault" "kv" {
  name                        = "${lower(var.key_vault_name)}${random_integer.kv_num.result}"
  location                    = azurerm_resource_group.rg.location
  resource_group_name         = azurerm_resource_group.rg.name
  enable_rbac_authorization   = var.use_rbac_mode
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false # purge protection off: a setting IaC scanners commonly flag
  sku_name                    = "standard"
  tags                        = var.tags
}

# Random suffix so the globally unique Key Vault name does not collide
resource "random_integer" "kv_num" {
  min = 1
  max = 9999
}
```
Let's take a look at how we can use Terrascan via the MSDO GitHub action to scan our Terraform code, and how the results are displayed on the Defender for DevOps dashboard in the Azure portal.
- Sign in to GitHub and select a repository you added earlier to Defender for DevOps on which you want to configure the MSDO GitHub action.
- Under the repository's Actions tab, create a new workflow and give the workflow file a name. For example, msdevopssec.yml.
- Copy and paste the following sample action workflow into the Edit new file tab.
```yaml
# My Microsoft Security DevOps (MSDO) Terrascan workflow
name: MSDO windows-latest
on:
  workflow_dispatch:
jobs:
  MSDO:
    # MSDO runs on windows-latest and ubuntu-latest.
    # macos-latest support coming soon
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      # Run MSDO analyzers
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        env:
          terrascan_scan: 'scan'
          terrascan_outputtype: 'sarif'
          terrascan_iacdir: '01_Foundation'
      # Upload alerts to the Security tab
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```
After creating the workflow you can run it manually under the Actions tab:
After running the workflow you can review the steps. Note that the MSDO toolkit is installed and runs Terrascan against the repo path 01_Foundation containing the Terraform IaC configuration. If the upload step fails with a permissions error, the workflow's GITHUB_TOKEN needs the security-events: write permission, which you grant with a permissions block in the workflow.
Let's take a closer look at the MSDO GitHub action step being used:
```yaml
# Run MSDO analyzers
- name: Run Microsoft Security DevOps Analysis
  uses: microsoft/security-devops-action@preview
  id: msdo
  env:
    terrascan_scan: 'scan'
    terrascan_outputtype: 'sarif'
    terrascan_iacdir: '01_Foundation'
```
How to configure different MSDO analyzers
There are several ways to configure tool inputs:
- By creating a *.gdnconfig file to save configurations:
  - Great for reuse between team members and local/remote runs.
  - Can save multiple tool configurations in one file to run all configurations.
- By using environment variables:
  - Great for quick configurations in build pipelines.
  - They follow the format [GDN_]<ToolName>_<ArgumentId>, where GDN_ is optional and ToolName and ArgumentId are defined by the tool integration file (*.gdntool).
As you can see in the workflow step, we specified the tool (Terrascan) inputs as environment variables on the action itself, e.g.
```yaml
steps:
  - uses: microsoft/security-devops-action
    env:
      <ToolName>_<ArgumentId>: '<value>'
```
You can see all the different tool inputs/environment variables for the MSDO toolkit in the MSDO Wiki documentation.
Terrascan options
The MSDO GitHub action inputs specifically relating to Terrascan: https://github.com/microsoft/security-devops-action/wiki#terrascan-options
Defender for DevOps dashboard
As mentioned before, MSDO integrates closely with Microsoft Defender for Cloud and has its own Defender for DevOps dashboard for reviewing security insights into the code.
In the Azure portal navigate to Microsoft Defender for Cloud, select the DevOps Security pane and then click on the GitHub connector:
Notice that I have some Unhealthy recommendations and need to resolve infrastructure as code scanning issues:
Let's navigate back to the GitHub repository, select the Security tab and then Code scanning:
Because we selected SARIF as the output format and used another action in our workflow, github/codeql-action/upload-sarif@v1, to upload the SARIF file, we can now see the MSDO Terrascan results and the issues that need to be resolved directly from the repository's Security tab:
Code scanning severities
You can also define the code scanning severities that should cause a pull request check to fail, to prevent security issues from being committed into your code by mistake. The check only exists if the scan runs on the pull request and uploads its SARIF results, so the workflow needs a pull_request trigger rather than workflow_dispatch alone.
This can be configured under the GitHub repository Settings > Code security and analysis:
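As an added example (not the post's own workflow and not from the MSDO project), here is a variant of the workflow above that runs on pull requests and declares the least-privilege token permissions the SARIF upload needs, so that the severity threshold configured in the repository settings can actually fail a pull request check. The Terrascan inputs are the ones used in this post; the main branch name, the ubuntu-latest runner, the msdo-terrascan category and the @v3 action tags are assumptions.

```yaml
# Added example: MSDO + Terrascan as a pull request gate.
name: MSDO Terrascan (pull request gate)

on:
  workflow_dispatch:
  pull_request:
    branches: [ main ]       # assumption: default branch is main
  push:
    branches: [ main ]

# Least-privilege GITHUB_TOKEN. Without security-events: write the
# upload-sarif step fails on repositories whose default token is read-only.
permissions:
  contents: read
  security-events: write
  actions: read              # upload-sarif needs this on private repositories

jobs:
  MSDO:
    runs-on: ubuntu-latest   # MSDO also runs on windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Same Terrascan inputs as the post, passed as <ToolName>_<ArgumentId> env vars
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        env:
          terrascan_scan: 'scan'
          terrascan_outputtype: 'sarif'
          terrascan_iacdir: '01_Foundation'

      # Upload the results for this PR ref so the Security tab and the
      # code scanning PR check see them
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
          # Separate category so other SARIF uploads (e.g. CodeQL) are not overwritten
          category: msdo-terrascan
```

With this in place, a pull request that introduces a Terraform change Terrascan flags at or above the severity you chose under Settings > Code security and analysis is blocked by the code scanning check until the finding is fixed or dismissed.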
Once the IaC security findings are resolved you'll notice that the status of the recommendation has changed from Unhealthy to Healthy:
Stay tuned for my next blog post, where we'll use MSDO with Azure DevOps repositories instead of GitHub and use the Azure DevOps MSDO Marketplace extension instead of the MSDO GitHub action.
I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page.