AzSK in Devops

Introduction

Azure resource are easy to configure, but much harder to properly secure and maintain over time. AzSK is a set of Powershell scripts that can be run against Azure resources to check ARM templates and security configuration.

Links

• https://marketplace.visualstudio.com/items?itemName=azsdktm.AzSDK-task&targetId=2b25d705-725b-4fca-9d62-3460844bb835
• https://github.com/azsk/DevOpsKit-docs/blob/master/02-Secure-Development/Readme.md#overview
• https://github.com/azsk/DevOpsKit-docs/blob/master/03-Security-In-CICD/Readme.md#enable-azsk-extension-for-your-vsts
• https://www.powershellgallery.com/packages/AzSDK/2.11.0

Configure AzSK in Devops

1. Create a new Azure Release Pipeline
2. Configure to automatically run in response to you continuous deployment build when an artifact is created
3. Rename Stage 1 to Azure Security Verification
4. Add a AzSK Security Verification Tests task to the agent job.
5. Configure for your environment.
   • Configuring for a resource group name is the simplest, although you can configure it for tags.
6. Customize via pipeline variables. Reference
   • For example, you will want to exclude some tests (called Controls) explicitly. This can be done setting an ExtendedCommand variable with a value like -ExcludeControlIds "Azure_KeyVault_DP_Keys_Protect_By_HSM,Azure_Storage_AuthN_Dont_Allow_Anonymous".

Review results

To review the result you can either look at the log output in Azure Devops, or download all logs for the release attempt locally. The latter contains a zip file for the security scan, which in turn contains a CSV with all the results, plus more detailed text logs about each resource type.