Microsoft Defender for Cloud Blog

DevOps Security - Configuration of DevOps Pipeline Classic and YAML method

Safeena Begum Lepakshi
Feb 13, 2023

DevOps Security shows the security posture of pre-production application code and resource configurations. Security teams can use the service to enable security checks for their templates and container images, designed to minimize the chance that cloud misconfigurations reach production environments. Leveraging insights within Microsoft Defender for Cloud, security admins can help developers prioritize critical code fixes with actionable remediation and assign developer ownership by triggering custom workflows.

DevOps Security uses a central console to empower security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub, Azure DevOps and more to come.

To help security admins and developers, Azure DevOps provides two ways of configuration today. This article walks you through the configuration of Azure DevOps pipelines via the classic UI and YAML.


Option 1: Configure using Azure DevOps Pipeline Classic Editor:

  1. Select a Project
  2. Click Pipelines > Click Create Pipeline
  3. Click Use the classic editor to create a pipeline without YAML
  4. Select a source, Team project, Repository, and Default branch from the dropdown menus. Click Continue
  5. Click Empty job
  6. On the Agent job 1, click the + to add a step
  7. In the search box type Use .NET Core. Click Add 3 times
  8. Type Microsoft Security in the search box. Click Add on Microsoft Security DevOps to add it to the Agent job 1
  9. Click on each of the Use .NET Core sdk tasks and set the versions as 3.1.x, 5.0.x, 6.0.x
  10. Click Save & queue to open the dropdown menu. Click Save & queue
  11. Type a Save comment (example: Microsoft Security DevOps added) > Click Save and run

NOTE: It will take a few minutes to run pipelines and save the results. To make viewing the scan results easier, you can install this free extension in your Azure DevOps organization: SARIF SAST Scans Tab - Visual Studio Marketplace

 

Option 2: Configure your pipelines using YAML

To configure your pipeline using YAML:

  1. Sign in to Azure DevOps
  2. Select your project.
  3. Navigate to Pipelines
  4. Select New pipeline.
  5. Select Azure Repos Git.
  6. Select the relevant repository
  7. Select Starter Pipeline
  8. Paste the following YAML into the pipeline:

      # Starter pipeline
      # Start with a minimal pipeline that you can customize to build and deploy your code.
      # Add steps that build, run tests, deploy, and more:
      # https://aka.ms/yaml
      trigger: none
      pool:
        vmImage: 'windows-latest'
      steps:
      - task: UseDotNet@2
        displayName: 'Use dotnet'
        inputs:
          version: 3.1.x
      - task: UseDotNet@2
        displayName: 'Use dotnet'
        inputs:
          version: 5.0.x
      - task: UseDotNet@2
        displayName: 'Use dotnet'
        inputs:
          version: 6.0.x
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Microsoft Security DevOps'

  9. Select Save and run
  10. To commit the pipeline, select Save and Run.

 

The pipeline will run for a few minutes and save the results. 

 

NOTE: Install the SARIF SAST Scans Tab extension on the Azure DevOps organization to ensure that the generated analysis results are displayed automatically under the Scans tab.
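
The results that the SARIF SAST Scans Tab displays are SARIF logs, so they can also be triaged outside the UI. The Python below is an added example, not part of the original post or of Microsoft Security DevOps: it counts findings per tool and level in a SARIF 2.1.0 log and reports whether any reach a blocking level. The embedded log, tool names and rule IDs are constructed, and the level lookup is simplified to the result's own level, then the rule's default (matched by `ruleId`), then `warning`.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample (not real scan output); tool and rule names are placeholders.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "iac-scanner", "rules": [
        {"id": "IAC001", "defaultConfiguration": {"level": "error"}}]}},
     "results": [
        {"ruleId": "IAC001", "message": {"text": "Storage allows public access"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "infra/storage.bicep"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "IAC002", "level": "note", "message": {"text": "Tag missing"}}]},
    {"tool": {"driver": {"name": "code-scanner"}},
     "results": [{"ruleId": "PY100", "message": {"text": "Weak hash"}}]},
]})

def effective_level(result, rules_by_id):
    """Level on the result wins; else the rule's default; else SARIF's default 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def summarize(sarif_text):
    """Return (Counter keyed by (tool, level), list of finding tuples)."""
    counts, findings = Counter(), []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results") or []:
            level = effective_level(res, rules)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
            line = loc.get("region", {}).get("startLine")
            counts[(tool, level)] += 1
            findings.append((level, tool, res.get("ruleId"), uri, line))
    return counts, findings

def gate(sarif_text, fail_levels=("error",)):
    """True when no finding has a level listed in fail_levels."""
    _, findings = summarize(sarif_text)
    return not any(f[0] in fail_levels for f in findings)

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_SARIF)
    for level, tool, rule, uri, line in findings:
        print(level, tool, rule, uri, line)
    print("gate passed:", gate(SAMPLE_SARIF))
```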

 

What Next?

Additional Resources:

  • To learn more about DevOps Security capabilities, please visit our documentation here
  • Would you like to try the capabilities in a lab environment? Follow along with our MDC labs here, specifically Modules 14 & 15
  • Check out our DevOps Security Interactive Guide here
  • Check out Defender for Cloud in the field features DevOps Security here
  • To connect your GitHub repositories to Microsoft Defender for Cloud, refer to this
  • To connect your Azure DevOps repositories to Microsoft Defender for Cloud, refer to this

Acknowledgements:

  • Special thanks to @Sukhandeep Singh, Senior Program Manager, for the partnership in reviewing and providing feedback on the article.
Updated Dec 07, 2023
Version 3.0