An extension for Azure DevOps that contributes a build task to run the Microsoft Security DevOps CLI.
- Installs the Microsoft Security DevOps CLI
- Installs the latest Microsoft security policy
- Installs the latest Microsoft and 3rd party security tools
- Automatic or user-provided configuration of security tools
- Execution of a full suite of security tools
- Normalized processing of results into the SARIF format
- Build breaks and more
- Captures the container images pushed in a build run
- In Azure DevOps, this requires the Microsoft Defender for DevOps Container Mapping extension to extract metadata from pipelines, such as the container's digest ID and name, for connecting DevOps entities with their related cloud resources. This extension is automatically shared and installed with organizations that are connected to Microsoft Defender for Cloud. If an organization is not connected to Defender for Cloud, there is no way to configure this functionality as it does not work with manual modification of the Microsoft Security DevOps extension. Attempting to configure it through Microsoft Security DevOps may cause unexpected issues.
Add the MicrosoftSecurityDevOps build task to your pipeline's yaml:
steps:
- task: MicrosoftSecurityDevOps@1| Name | Language | License |
|---|---|---|
| AntiMalware | code, artifacts | - |
| Bandit | python | Apache License 2.0 |
| BinSkim | binary - Windows, ELF | MIT License |
| ESlint | JavaScript | MIT License |
| IaCFileScanner | Terraform, CloudFormation, ARM Template, Bicep | - |
| Template Analyzer | Infrastructure-as-code (IaC), ARM templates, Bicep files | MIT License |
| Terrascan | Infrastructure-as-Code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | Container Images, Infrastructure as Code (Iac) | Apache License 2.0 |
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
Make sure to have a supported version of node and npm installed in your system. After cloning the repo, you can install all dependencies by running this command.
npm install
Note: If you run into 401 - Unauthorized error, then you will need to login to the https://npm.pkg.github.com/ by running this command -
npm login --registry=https://npm.pkg.github.com
More info here.
All other commands are specified in the package.json file.
"scripts": {
"build": "dotnet build ./build.proj",
"compile": "dotnet build ./build.proj /t:Compile",
"compile-tests": "dotnet build ./build.proj /t:CopyTestHelpers",
"compile-and-test": "dotnet build ./build.proj /t:Test /p:RunTests=true",
"test": "npx mocha **/*.tests.js"
}You can execute them by using npm run commands.
For example: npm run build will execute the dotnet build ./build.proj command and generate a vsix file with your changes for testing.
To test the extension after making changes in an ADO pipeline run -
- Make the changes and compile the code. If no errors, a vsix file will be generated. Eg:
PS C:\Users\larohra\source\repos\security-devops-azdevops> npm run build
> [email protected] build
> dotnet build ./build.proj
MSBuild version 17.9.6+a4ecab324 for .NET
...
=== Completed operation: create extension ===
- VSIX: C:\Users\larohra\source\repos\security-devops-azdevops\bin\debug\microsoft-security-devops-azdevops-debug.1.11.0.2.vsix
- Extension ID: microsoft-security-devops-azdevops-larohra
- Extension Version: 1.11.0.2
- Publisher: ms-secdevops-test
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:12.94-
Publish the vsix in your marketplace account (Create a new publisher account if you dont have one) - https://marketplace.visualstudio.com/manage/
-
Share the debug extension with your organization - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#share-your-extension
-
Install the extension in your org - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#install-your-extension
-
Add it to the pipeline run and run the build. Sample:
- task: MicrosoftSecurityDevOps@1
displayName: 'Test Container Mapping End'
timeoutInMinutes: 2
condition: always()This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.