defender-for-devops

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

MANDATORY: Always Use Backslashes on Windows for File Paths

When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).

Examples:

• ❌ WRONG: D:/repos/project/file.tsx
• ✅ CORRECT: D:\repos\project\file.tsx

This applies to:

• Edit tool file_path parameter
• Write tool file_path parameter
• All file operations on Windows systems

Documentation Guidelines

NEVER create new documentation files unless explicitly requested by the user.

• Priority: Update existing README.md files rather than creating new documentation
• Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
• Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
• User preference: Only create additional .md files when user specifically asks for documentation

---

Microsoft Defender for DevOps Integration

Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.

Overview

Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:

• SAST: Static Application Security Testing
• Secret Detection: Identify hardcoded secrets and credentials
• Dependency Scanning: Vulnerable package detection
• IaC Scanning: Infrastructure as Code security analysis
• Container Scanning: Image vulnerability assessment with Trivy

Microsoft Security DevOps Extension

Installation:

1. Install from Azure DevOps Marketplace
2. Configure in pipeline YAML
3. View results in Scans tab
4. Integrate with Defender for Cloud

Extension Capabilities:

• Converts results to SARIF format
• Displays findings in Scans tab
• Integrates multiple security tools
• Provides centralized security insights

YAML Integration

Basic MSDO Task

trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-24.04'

stages:
  - stage: Build
    jobs:
      - job: BuildAndScan
        steps:
          - task: UseDotNet@2
            displayName: 'Install .NET SDK'
            inputs:
              version: '8.x'

          - task: DotNetCoreCLI@2
            displayName: 'Build Project'
            inputs:
              command: 'build'
              projects: '**/*.csproj'

          # Microsoft Security DevOps Scan
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Run Microsoft Security DevOps'
            inputs:
              categories: 'secrets,code,dependencies,IaC,containers'
              break: false  # Don't fail pipeline on findings

          # Publish SARIF results
          - task: PublishSecurityAnalysisLogs@3
            displayName: 'Publish Security Analysis Logs'
            inputs:
              ArtifactName: 'CodeAnalysisLogs'

          # Display results in Scans tab
          - task: PostAnalysis@2
            displayName: 'Post Analysis'
            inputs:
              break: false

Advanced Configuration with Breaking Builds

- task: MicrosoftSecurityDevOps@1
  displayName: 'Security Scanning (Break on Critical)'
  inputs:
    # Scan categories
    categories: 'secrets,code,dependencies,IaC,containers'

    # Break build on severity
    break: true
    breakSeverity: 'critical'  # Options: critical, high, medium, low

    # Tool configuration
    tools: 'all'  # Or specific: 'credscan,eslint,trivy'

    # Output configuration
    publishResults: true

  continueOnError: false

Conditional Scanning

# Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1
  displayName: 'Security Scan'
  inputs:
    categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
      value: 'secrets,code,dependencies,IaC,containers'
    ${{ else }}:
      value: 'secrets,code'
    break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}

Integrated Security Tools

1. Secret Scanning

Replaced: CredScan deprecated September 2023 Current: GitHub Advanced Security for Azure DevOps or MSDO secrets scanning

# MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: 'secrets'
    break: true  # Always break on secrets

Common secrets detected:

• API keys and tokens
• Database connection strings
• Cloud provider credentials
• SSH private keys
• OAuth tokens

2. Static Code Analysis (SAST)

- task: MicrosoftSecurityDevOps@1
  displayName: 'SAST Scan'
  inputs:
    categories: 'code'
    tools: 'eslint,bandit,semgrep'

Supported languages:

• JavaScript/TypeScript (ESLint)
• Python (Bandit)
• Go (gosec)
• Java (SpotBugs)
• C# (.NET Security Guard)

3. Dependency Scanning

- task: MicrosoftSecurityDevOps@1
  displayName: 'Dependency Scan'
  inputs:
    categories: 'dependencies'
    tools: 'trivy,govulncheck'

Detects:

• Known CVEs in dependencies
• Outdated packages
• License compliance issues
• Transitive vulnerabilities

4. Infrastructure as Code (IaC) Scanning

- task: MicrosoftSecurityDevOps@1
  displayName: 'IaC Security Scan'
  inputs:
    categories: 'IaC'
    tools: 'terrascan,checkov,templateanalyzer'

Scans:

• Terraform configurations
• ARM templates
• Bicep files
• Kubernetes manifests
• CloudFormation templates

5. Container Image Scanning

- task: MicrosoftSecurityDevOps@1
  displayName: 'Container Security Scan'
  inputs:
    categories: 'containers'
    tools: 'trivy'

Trivy scans for:

• OS vulnerabilities
• Application dependencies
• Misconfigurations
• Secrets in images
• License issues

Integration with Defender for Cloud

Enable Defender for DevOps

# Pipeline automatically sends results to Defender for Cloud
# when MSDO extension is connected

- task: MicrosoftSecurityDevOps@1
  displayName: 'Scan and send to Defender'
  inputs:
    categories: 'all'
    publishResults: true

# Results appear in:
# Defender for Cloud → DevOps Security → Findings

Benefits:

• Centralized security dashboard
• Cross-pipeline insights
• Compliance reporting
• Security trend analysis
• Integration with Azure Security Center

Complete Security Pipeline Example

trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-24.04'

variables:
  - name: breakOnCritical
    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}

stages:
  - stage: SecurityScan
    displayName: 'Security Analysis'
    jobs:
      - job: StaticAnalysis
        displayName: 'Static Security Analysis'
        steps:
          - checkout: self
            fetchDepth: 1

          # Install dependencies
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'

          - script: npm ci
            displayName: 'Install dependencies'

          # Build application
          - script: npm run build
            displayName: 'Build application'

          # Docker build for container scanning
          - task: Docker@2
            displayName: 'Build Docker image'
            inputs:
              command: 'build'
              Dockerfile: 'Dockerfile'
              tags: '$(Build.BuildId)'

          # Comprehensive security scan
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Microsoft Security DevOps Scan'
            inputs:
              categories: 'secrets,code,dependencies,IaC,containers'
              break: $(breakOnCritical)
              breakSeverity: 'high'
              tools: 'all'

          # Publish SARIF results
          - task: PublishSecurityAnalysisLogs@3
            displayName: 'Publish SARIF Logs'
            inputs:
              ArtifactName: 'CodeAnalysisLogs'
              ArtifactType: 'Container'

          # Post-analysis with results
          - task: PostAnalysis@2
            displayName: 'Security Post Analysis'
            inputs:
              break: $(breakOnCritical)

          # Generate security report
          - script: |
              echo "Security scan completed"
              echo "Results available in Scans tab"
            displayName: 'Security Summary'
            condition: always()

  - stage: Deploy
    dependsOn: SecurityScan
    condition: succeeded()
    jobs:
      - deployment: DeployApp
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying secure application"

Advanced Security Features (Coming 2025)

Roadmap features:

• Pull request build validation
• Break pipeline on alert severity
• Advanced Security dashboard
• Custom CodeQL queries
• Integration with GitHub Advanced Security

GitHub Advanced Security for Azure DevOps

Alternative to MSDO for secret scanning:

# Requires GitHub Advanced Security license
# Provides:
# - Secret scanning
# - Code scanning with CodeQL
# - Dependency vulnerability alerts
# - Security overview dashboard

# Configuration in Azure DevOps organization settings
# Scans run automatically on commits and PRs

Best Practices

Pipeline Security:

• Run security scans on every commit
• Break builds on critical/high severity findings
• Scan both code and dependencies
• Include IaC security validation
• Scan container images before push
• Review findings regularly

Configuration:

# Recommended configuration
- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: 'secrets,code,dependencies,IaC,containers'
    break: true
    breakSeverity: 'high'  # Adjust based on risk tolerance
    publishResults: true

Integration:

• Enable Defender for DevOps in Azure portal
• Configure organization-level policies
• Set up automated notifications
• Create security dashboards
• Establish remediation workflows

Viewing Results

In Pipeline:

1. Navigate to pipeline run
2. Click "Scans" tab
3. Review findings by severity
4. Click findings for details and remediation

In Defender for Cloud:

1. Azure Portal → Defender for Cloud
2. DevOps Security
3. View findings across all pipelines
4. Filter by severity, project, repository
5. Track remediation progress

Troubleshooting

Common Issues:

MSDO task fails:

# Enable verbose logging
- task: MicrosoftSecurityDevOps@1
  env:
    MSDO_VERBOSE: true
  inputs:
    categories: 'all'

False positives:

# Suppress findings with .gdnconfig file
# In repository root:
{
  "tools": {
    "trivy": {
      "enabled": true,
      "severities": ["CRITICAL", "HIGH"]
    }
  }
}

Performance:

• Cache tool downloads
• Limit scan categories on branches
• Use parallel stages for large repos

Resources

• Microsoft Security DevOps Extension
• Defender for DevOps Documentation
• SARIF Format Specification
• Security Tools Integration