AzSK in Devops

Introduction

Azure resources are easy to configure, but much harder to secure properly and keep secure over time. AzSK (the Secure DevOps Kit for Azure) is a set of PowerShell scripts that can be run against Azure resources to check ARM templates and security configuration.

Links

Configure AzSK in Devops

  1. Create a new Azure Release Pipeline
  2. Configure it to run automatically in response to your continuous deployment build when an artifact is created
  3. Rename Stage 1 to Azure Security Verification
  4. Add an AzSK Security Verification Tests task to the agent job.
  5. Configure for your environment.
    • Configuring for a resource group name is the simplest, although you can configure it for tags.
  6. Customize via pipeline variables. Reference
    • For example, you will want to exclude some tests (called Controls) explicitly. This can be done by setting an ExtendedCommand variable with a value like -ExcludeControlIds "Azure_KeyVault_DP_Keys_Protect_By_HSM,Azure_Storage_AuthN_Dont_Allow_Anonymous".

Review results

To review the results, you can either look at the log output in Azure DevOps, or download all logs for the release attempt locally. The download contains a zip file for the security scan, which in turn contains a CSV with all the results, plus more detailed text logs for each resource type.
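The following PowerShell is an added example, not code from the original page or from the AzSK project. It shows both ends of the workflow above: building the ExtendedCommand exclusion value from a list of control IDs (the two on the page), and summarising the failed controls from the CSV found in the downloaded scan zip so that an engineer can see what actually needs fixing after the exclusions are applied. The CSV column names (ControlId, Status, Severity, FeatureName, ResourceName, ResourceGroupName, Recommendation) are assumptions; check the header row of the CSV your AzSK run produced and adjust them. The sample rows, the extra control IDs Azure_Example_Control_A and Azure_Example_Control_B, the resource names and the folder path are all constructed.

```powershell
# Added example (not part of the original page or of AzSK).
# Assumed CSV columns: ControlId, Status, Severity, FeatureName,
# ResourceName, ResourceGroupName, Recommendation.

# Controls to skip; same two IDs the page uses in its ExtendedCommand example.
$ExcludedControlIds = @(
    'Azure_KeyVault_DP_Keys_Protect_By_HSM',
    'Azure_Storage_AuthN_Dont_Allow_Anonymous'
)

# Builds the value for the ExtendedCommand pipeline variable.
function New-ExcludeControlArgument {
    param([Parameter(Mandatory)] [string[]]$ControlIds)
    '-ExcludeControlIds "{0}"' -f ($ControlIds -join ',')
}

# Reads the first CSV found under an extracted release-logs folder.
# Folder path is supplied by the caller (placeholder in the demo below).
function Import-AzSKReport {
    param([Parameter(Mandatory)] [string]$ExtractedLogsFolder)
    $csv = Get-ChildItem -Path $ExtractedLogsFolder -Recurse -Filter '*.csv' |
        Select-Object -First 1
    if (-not $csv) { throw "No security report CSV found under $ExtractedLogsFolder" }
    Import-Csv -Path $csv.FullName
}

# Summarises failed controls: total, count per severity, and the affected
# resources. Excluded control IDs are dropped so the summary matches what the
# pipeline task would report with the same ExtendedCommand value.
function Get-AzSKFailureSummary {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [string[]]$ExcludedControlIds = @()
    )
    $failed = @($Rows | Where-Object {
        $_.Status -eq 'Failed' -and $_.ControlId -notin $ExcludedControlIds
    })
    [pscustomobject]@{
        FailedCount = $failed.Count
        BySeverity  = @($failed | Group-Object Severity | ForEach-Object {
            [pscustomobject]@{ Severity = $_.Name; Count = $_.Count }
        })
        Details     = $failed | Select-Object ControlId, Severity, FeatureName,
            ResourceName, ResourceGroupName, Recommendation
    }
}

# --- Demo on constructed rows; runs offline without Azure access. ---
# Azure_Example_Control_A/B are made-up IDs, not real AzSK controls.
$sampleCsv = @'
ControlId,Status,Severity,FeatureName,ResourceName,ResourceGroupName,Recommendation
Azure_Storage_AuthN_Dont_Allow_Anonymous,Failed,High,Storage,stexample01,rg-app,Disable anonymous container access
Azure_Example_Control_A,Failed,High,Storage,stexample01,rg-app,Constructed recommendation A
Azure_KeyVault_DP_Keys_Protect_By_HSM,Failed,Medium,KeyVault,kv-example,rg-app,Use HSM-protected keys
Azure_Example_Control_B,Passed,High,AppService,app-example,rg-app,
'@
$rows = $sampleCsv | ConvertFrom-Csv

# Value to paste into the ExtendedCommand pipeline variable.
Write-Host (New-ExcludeControlArgument -ControlIds $ExcludedControlIds)

# With the two exclusions applied, only Azure_Example_Control_A remains failed.
$summary = Get-AzSKFailureSummary -Rows $rows -ExcludedControlIds $ExcludedControlIds
Write-Host "Failed controls after exclusions: $($summary.FailedCount)"
$summary.BySeverity | Format-Table -AutoSize
$summary.Details | Format-Table -AutoSize

# For a real downloaded log set, replace the demo rows with:
#   $rows = Import-AzSKReport -ExtractedLogsFolder 'C:\placeholder\release-logs'
```

The exclusion list is kept in one variable so that the value handed to the pipeline and the filter used when reading results cannot drift apart; a control that is excluded in the pipeline but still counted locally (or the reverse) is the usual source of confusion when the release gate and the downloaded report disagree.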