
Defender for DevOps on GitHub (Terrascan edition)



Microsoft Security DevOps (MSDO) GitHub action

Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools, for security and compliance, into the development cycle.

Today we'll take a closer look at how we can use the MSDO GitHub action and how it integrates with Microsoft Defender for DevOps.

MSDO installs, configures and runs the latest versions of static analysis tools. It's data-driven with portable configurations that enable deterministic execution across multiple environments.

The MSDO toolkit can output and convert results to Static Analysis Results Interchange Format (SARIF), which can display the results in your repository on GitHub.

MSDO integrates with Microsoft Defender for DevOps, which enables a central console as part of Microsoft Defender for Cloud to provide security teams DevOps insights across multi-pipeline environments, such as GitHub and Azure DevOps.

These insights can then be correlated with other contextual cloud security intelligence to prioritise remediation in code and apply consistent security guardrails throughout the application lifecycle. The benefits of Defender for DevOps, available through Defender for Cloud, are:

  • Unified visibility into DevOps security posture.
  • Visibility of rich security insights to help strengthen cloud resource configurations throughout the development lifecycle.
  • Prioritise remediation of critical issues in code.



MSDO tools

At the time of this writing, Microsoft Security DevOps uses the following tools:



Getting started

Before we dive into the MSDO toolkit we first need to connect our GitHub repository to Microsoft Defender for Cloud.

  1. Log into the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment Settings.

  3. Select Add environment and then select GitHub.

  4. Enter a name, select your subscription, resource group, and region.

  5. Select Plans.

  6. Select Next: Authorize connection and Authorize the GitHub connection after reviewing the permission request.

  7. After Authorizing, click on Install under Install Defender for DevOps app.

  8. You can install the Defender for DevOps app on All or Individual repositories as necessary.

  9. Select Next: Review and create. Review the information and select Create.

NOTE: You will see the GitHub connector under Microsoft Defender for Cloud > Environment Settings. If you only added one repository and wanted to later change and add/onboard more repositories onto the same Defender for DevOps plan, you can do so by navigating to your GitHub Settings > Applications.

After installing Defender for DevOps on the selected repositories you want to onboard, they will be integrated with Microsoft Defender for Cloud and insights will be available from the DevOps Security dashboard under Defender for Cloud in the Azure portal.

Next we'll take a look at the MSDO GitHub action and see how we can use certain tools and populate the dashboard with rich security insights about our code.



Configuring the MSDO GitHub action (with Terrascan)

The following examples can be found on my MSDO-Lab GitHub page.

As mentioned, MSDO features a number of different tools (I'll cover some of the other tools in a future blog post), but I want to focus on a particular tool today called Terrascan, which is part of the MSDO toolkit.

Terrascan is a static code analyzer for Infrastructure as Code (IaC). Let's take a look at an example of how we can use the MSDO integration with Defender for DevOps to get security insights and detect compliance and security violations in a Terraform configuration, to mitigate risk before provisioning cloud infrastructure.

On my GitHub repository under the path 01_Foundation I have the following Terraform configuration that simply builds a Resource Group and a Key Vault.

```hcl
### Data Sources ###
data "azurerm_client_config" "current" {}

# Create a Resource Group
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
  tags     = var.tags
}

# Create a Key Vault for the Resource Group
resource "azurerm_key_vault" "kv" {
  name                        = "${lower(var.key_vault_name)}${random_integer.kv_num.result}"
  location                    = azurerm_resource_group.rg.location
  resource_group_name         = azurerm_resource_group.rg.name
  enable_rbac_authorization   = var.use_rbac_mode
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"
  tags                        = var.tags
}

# Random suffix appended to the Key Vault name
resource "random_integer" "kv_num" {
  min = 0001
  max = 9999
}
```

Let's take a look at how we can use Terrascan via the MSDO GitHub action to scan our Terraform code, and how the results will be displayed on the Defender for DevOps dashboard in the Azure portal.

  1. Sign in to GitHub and select a repository you added earlier to Defender for DevOps on which you want to configure the MSDO GitHub action.

  2. Select Actions > set up a workflow yourself.

  3. Give the workflow file a name. For example, msdevopssec.yml.

  4. Copy and paste the following sample action workflow into the Edit new file tab.

```yaml
# My Microsoft Security DevOps (MSDO) Terrascan workflow
name: MSDO windows-latest
on:
  workflow_dispatch:

jobs:
  MSDO:
    # MSDO runs on windows-latest and ubuntu-latest.
    # macos-latest support coming soon
    runs-on: windows-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      # Run MSDO analyzers
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        env:
          terrascan_scan: 'scan'
          terrascan_outputtype: 'sarif'
          terrascan_iacdir: '01_Foundation'

      # Upload alerts to the Security tab
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

After creating the workflow you can run it manually under the Actions tab.

After running the workflow you can review the steps. Note that the MSDO toolkit is installed and runs Terrascan against the repo path 01_Foundation containing the Terraform IaC configurations.

Let's take a closer look at the MSDO GitHub action being used:

```yaml
      # Run MSDO analyzers
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        env:
          terrascan_scan: 'scan'
          terrascan_outputtype: 'sarif'
          terrascan_iacdir: '01_Foundation'
```



How to configure different MSDO analyzers

There are a number of ways to configure tool inputs:

  1. By creating a *.gdnconfig file to save configurations:
     • Great for reuse between team members and local/remote runs.
     • Can save multiple tool configurations in one file to run all configurations.
  2. By using environment variables:
     • Great for quick configurations in build pipelines.
     • They follow the format [GDN_]<ToolName>_<ArgumentId>, where GDN_ is optional and ToolName and ArgumentId are defined by the tool integration file (*.gdntool).

As you can see in the workflow step, we have specified the tool (Terrascan) inputs as environment variables on the action itself, e.g.

```yml
steps:
- uses: microsoft/security-devops-action
  env:
    # placeholder key/value in the [GDN_]<ToolName>_<ArgumentId> format described above
    <ToolName>_<ArgumentId>: '<value>'
```

You can see all the different tool inputs/environment variables for the MSDO toolkit in the following Wiki Documentation.



Terrascan options

The MSDO GitHub action inputs specifically relating to Terrascan: https://github.com/microsoft/security-devops-action/wiki#terrascan-options



Defender for DevOps Dashboard

As mentioned before, MSDO closely integrates with Microsoft Defender for Cloud and has its own dashboard, Defender for DevOps, to review and get security insights into the code.

In the Azure portal navigate to Microsoft Defender for Cloud, select the DevOps Security pane and then click on the GitHub connector.

Notice that I have some Unhealthy recommendations and need to resolve infrastructure as code scanning issues.

Let's navigate back to the GitHub repository, select the Security tab and Code Scanning.

Because we selected the output format to be SARIF and used another action in our workflow, github/codeql-action/upload-sarif@v1, to upload the SARIF file, we can now see the MSDO Terrascan results and issues that need to be resolved directly from the repository Security tab.



Code scanning severities

You can also define code scanning severities which should cause a pull request check to fail, to prevent security issues from being committed into your code by accident.

This can be configured under the GitHub repository Settings > Code security and analysis.
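To make the severity gate concrete, here is an added example (not part of the original post or of the MSDO project) that parses a constructed Terrascan-style SARIF document of the kind the action uploads, and returns the findings that would fail a pull request check at a chosen SARIF level; the rule ids, messages, file path and line numbers are constructed placeholders.

```python
import json

# Constructed SARIF 2.1.0 document in the shape an MSDO Terrascan run
# uploads: one run per tool, one result per finding. Rule ids, messages
# and line numbers are placeholders, not real Terrascan rule ids.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "terrascan"}},
        "results": [
            {"ruleId": "PLACEHOLDER_KV_PURGE_PROTECTION", "level": "error",
             "message": {"text": "Key Vault purge protection is disabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "01_Foundation/main.tf"},
                 "region": {"startLine": 20}}}]},
            {"ruleId": "PLACEHOLDER_KV_SOFT_DELETE", "level": "warning",
             "message": {"text": "Soft delete retention is short"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "01_Foundation/main.tf"},
                 "region": {"startLine": 19}}}]},
        ],
    }],
})

# SARIF result levels, least to most severe; a result without a level
# defaults to "warning" per the SARIF 2.1.0 specification.
LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text):
    """Flatten every run's results into plain dicts (tool, rule, level, file, line)."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "tool": tool,
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": res["message"]["text"],
            })
    return findings


def gate(findings, fail_on="error"):
    """Return the findings at or above the threshold, i.e. those that fail the check."""
    threshold = LEVEL_ORDER[fail_on]
    return [f for f in findings if LEVEL_ORDER[f["level"]] >= threshold]
```

Lowering `fail_on` to "warning" makes medium findings block the pull request as well, which mirrors the severity setting in the repository's Code security and analysis page.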


Once the IaC security findings are resolved you'll notice that the status of the recommendation has changed from Unhealthy to Healthy.

Stay tuned for my next blog post where we'll use MSDO in Azure DevOps repositories instead of GitHub and use the Azure DevOps MSDO Marketplace extension instead of the MSDO GitHub action.

I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page. ❤️



Author: pwd9000


