zhongwei/gh-josiahsiegel-claude-code-marketplace-plugins-ado-master
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
29638f4e58ce20375e19bd3dcbd721976733dfbc
gh-josiahsiegel-claude-code…/skills/defender-for-devops.md
Zhongwei Li 29638f4e58 Initial commit
2025-11-30 08:28:50 +08:00

458 lines
11 KiB
Markdown
Raw Blame History

---
name: defender-for-devops
description: Microsoft Defender for DevOps integration with Azure Pipelines (2025)
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Microsoft Defender for DevOps Integration
Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.
## Overview
Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:
- **SAST:** Static Application Security Testing
- **Secret Detection:** Identify hardcoded secrets and credentials
- **Dependency Scanning:** Vulnerable package detection
- **IaC Scanning:** Infrastructure as Code security analysis
- **Container Scanning:** Image vulnerability assessment with Trivy
## Microsoft Security DevOps Extension
**Installation:**
1. Install from Azure DevOps Marketplace
2. Configure in pipeline YAML
3. View results in Scans tab
4. Integrate with Defender for Cloud
**Extension Capabilities:**
- Converts results to SARIF format
- Displays findings in Scans tab
- Integrates multiple security tools
- Provides centralized security insights
## YAML Integration
### Basic MSDO Task
```yaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
stages:
- stage: Build
jobs:
- job: BuildAndScan
steps:
- task: UseDotNet@2
displayName: 'Install .NET SDK'
inputs:
version: '8.x'
- task: DotNetCoreCLI@2
displayName: 'Build Project'
inputs:
command: 'build'
projects: '**/*.csproj'
# Microsoft Security DevOps Scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Run Microsoft Security DevOps'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: false # Don't fail pipeline on findings
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
# Display results in Scans tab
- task: PostAnalysis@2
displayName: 'Post Analysis'
inputs:
break: false
```
### Advanced Configuration with Breaking Builds
```yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scanning (Break on Critical)'
inputs:
# Scan categories
categories: 'secrets,code,dependencies,IaC,containers'
# Break build on severity
break: true
breakSeverity: 'critical' # Options: critical, high, medium, low
# Tool configuration
tools: 'all' # Or specific: 'credscan,eslint,trivy'
# Output configuration
publishResults: true
continueOnError: false
```
### Conditional Scanning
```yaml
# Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scan'
inputs:
categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
value: 'secrets,code,dependencies,IaC,containers'
${{ else }}:
value: 'secrets,code'
break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
```
## Integrated Security Tools
### 1. Secret Scanning
**Replaced:** CredScan deprecated September 2023
**Current:** GitHub Advanced Security for Azure DevOps or MSDO secrets scanning
```yaml
# MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets'
break: true # Always break on secrets
```
**Common secrets detected:**
- API keys and tokens
- Database connection strings
- Cloud provider credentials
- SSH private keys
- OAuth tokens
### 2. Static Code Analysis (SAST)
```yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'SAST Scan'
inputs:
categories: 'code'
tools: 'eslint,bandit,semgrep'
```
**Supported languages:**
- JavaScript/TypeScript (ESLint)
- Python (Bandit)
- Go (gosec)
- Java (SpotBugs)
- C# (.NET Security Guard)
### 3. Dependency Scanning
```yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Dependency Scan'
inputs:
categories: 'dependencies'
tools: 'trivy,govulncheck'
```
**Detects:**
- Known CVEs in dependencies
- Outdated packages
- License compliance issues
- Transitive vulnerabilities
### 4. Infrastructure as Code (IaC) Scanning
```yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'IaC Security Scan'
inputs:
categories: 'IaC'
tools: 'terrascan,checkov,templateanalyzer'
```
**Scans:**
- Terraform configurations
- ARM templates
- Bicep files
- Kubernetes manifests
- CloudFormation templates
### 5. Container Image Scanning
```yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Container Security Scan'
inputs:
categories: 'containers'
tools: 'trivy'
```
**Trivy scans for:**
- OS vulnerabilities
- Application dependencies
- Misconfigurations
- Secrets in images
- License issues
## Integration with Defender for Cloud
### Enable Defender for DevOps
```yaml
# Pipeline automatically sends results to Defender for Cloud
# when MSDO extension is connected
- task: MicrosoftSecurityDevOps@1
displayName: 'Scan and send to Defender'
inputs:
categories: 'all'
publishResults: true
# Results appear in:
# Defender for Cloud → DevOps Security → Findings
```
**Benefits:**
- Centralized security dashboard
- Cross-pipeline insights
- Compliance reporting
- Security trend analysis
- Integration with Azure Security Center
## Complete Security Pipeline Example
```yaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
variables:
- name: breakOnCritical
value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
stages:
- stage: SecurityScan
displayName: 'Security Analysis'
jobs:
- job: StaticAnalysis
displayName: 'Static Security Analysis'
steps:
- checkout: self
fetchDepth: 1
# Install dependencies
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm ci
displayName: 'Install dependencies'
# Build application
- script: npm run build
displayName: 'Build application'
# Docker build for container scanning
- task: Docker@2
displayName: 'Build Docker image'
inputs:
command: 'build'
Dockerfile: 'Dockerfile'
tags: '$(Build.BuildId)'
# Comprehensive security scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Microsoft Security DevOps Scan'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: $(breakOnCritical)
breakSeverity: 'high'
tools: 'all'
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish SARIF Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
# Post-analysis with results
- task: PostAnalysis@2
displayName: 'Security Post Analysis'
inputs:
break: $(breakOnCritical)
# Generate security report
- script: |
echo "Security scan completed"
echo "Results available in Scans tab"
displayName: 'Security Summary'
condition: always()
- stage: Deploy
dependsOn: SecurityScan
condition: succeeded()
jobs:
- deployment: DeployApp
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying secure application"
```
## Advanced Security Features (Coming 2025)
**Roadmap features:**
- Pull request build validation
- Break pipeline on alert severity
- Advanced Security dashboard
- Custom CodeQL queries
- Integration with GitHub Advanced Security
## GitHub Advanced Security for Azure DevOps
**Alternative to MSDO for secret scanning:**
```yaml
# Requires GitHub Advanced Security license
# Provides:
# - Secret scanning
# - Code scanning with CodeQL
# - Dependency vulnerability alerts
# - Security overview dashboard
# Configuration in Azure DevOps organization settings
# Scans run automatically on commits and PRs
```
## Best Practices
**Pipeline Security:**
- Run security scans on every commit
- Break builds on critical/high severity findings
- Scan both code and dependencies
- Include IaC security validation
- Scan container images before push
- Review findings regularly
**Configuration:**
```yaml
# Recommended configuration
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: true
breakSeverity: 'high' # Adjust based on risk tolerance
publishResults: true
```
**Integration:**
- Enable Defender for DevOps in Azure portal
- Configure organization-level policies
- Set up automated notifications
- Create security dashboards
- Establish remediation workflows
## Viewing Results
**In Pipeline:**
1. Navigate to pipeline run
2. Click "Scans" tab
3. Review findings by severity
4. Click findings for details and remediation
**In Defender for Cloud:**
1. Azure Portal → Defender for Cloud
2. DevOps Security
3. View findings across all pipelines
4. Filter by severity, project, repository
5. Track remediation progress
## Troubleshooting
**Common Issues:**
**MSDO task fails:**
```yaml
# Enable verbose logging
- task: MicrosoftSecurityDevOps@1
env:
MSDO_VERBOSE: true
inputs:
categories: 'all'
```
**False positives:**
```yaml
# Suppress findings with .gdnconfig file
# In repository root:
{
"tools": {
"trivy": {
"enabled": true,
"severities": ["CRITICAL", "HIGH"]
}
}
}
```
**Performance:**
- Cache tool downloads
- Limit scan categories on branches
- Use parallel stages for large repos
## Resources
- [Microsoft Security DevOps Extension](https://learn.microsoft.com/azure/defender-for-cloud/azure-devops-extension)
- [Defender for DevOps Documentation](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-devops-introduction)
- [SARIF Format Specification](https://sarifweb.azurewebsites.net/)
- [Security Tools Integration](https://learn.microsoft.com/azure/defender-for-cloud/azure-devops-extension)
Reference in New Issue View Git Blame Copy Permalink