Microsoft Security Code Analysis for Azure Devops – Part 1
Microsoft has recently released a new set of security tooling for Azure Devops which is called Microsoft Security Code Analysis.
The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.
In this post I’ll show you what they cover below, in part 2, I’ll show you them in action in Azure Devops.
Passwords and other secrets stored in source code is currently a big problem. Credential Scanner is a static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.
BinSkim is a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.
TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors and build systems and can be customized with your own lint rules, configurations, and formatters. TSLint is an open source tool.
Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB).
Microsoft Security Risk Detection
Security Risk Detection is Microsoft’s unique cloud-based fuzz testing service for identifying exploitable security bugs in software.
The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis Extension. It must be run on a build agent which has Windows Defender already installed.
Analysis and Post-Processing of Results
The Microsoft Security Code Analysis extension has three build tasks to help you process and analyze the results found by the security tools tasks.
- The Publish Security Analysis Logs build task preserves logs files from the build for investgiation and follow-up.
- The Security Report build task collects all issues reported by all tools and adds them to a single summary report file.
- The Post-Analysis build task allows customers to inject build breaks and fail the build should an anlysis tool report security issues found in the code that was scanned.
Publish Security Analysis Logs
The Publish Security Analysis Logs build task preserves the log files of the security tools run during the build. They can be published to the Azure DevOps Server artifacts (as a zip file), or copies to an accessible file share from your private build agent.
The Security Report build task parses the log files created by the security tools run during the build and creates a summary report file with all issues found by the analysis tools.
The task can be configured to report findings for specific tools or for all tools, and you can also choose what level of issues (errors or errors and warnings) should be reported.
Post-Analysis (Build Break)
The Post-analysis build task enables the customer to inject a build break and fail the build in case one ore more analysis tools reports findings or issues in the code.
Individual build tasks will succeed, by design, as long as the tool completes successfully, whether there are findings or not. This is so that the build can run to completion allowing all tools to run.
To fail the build based on security issues found by one of the tools run in the build, then you can add and configure this build task.
The task can be configured to break the build for issues found by specific tools or for all tools, and also based on the severity of issues found (errors or errors and warnings).