Kickstart collaborative DevSecOps practices with GitHub and Azure
Companies at the forefront of digital transformation have seen DevOps give software engineers and operations teams a faster and more efficient way to develop code. Unfortunately, while DevOps practices have enabled faster, more efficient development cycles, they have also uncovered a new bottleneck: security. Many organizations have opted to push security to the end of application development and management, but this can be very costly. NIST estimated that the cost of fixing a security defect in production can be up to 60 times higher than during the development cycle. Digital leaders, by contrast, recognize the importance of shifting security left and tackling vulnerabilities as soon as they arise. These leaders are integrating security into delivery pipelines, leveraging modern platform capabilities, and fostering collaboration between development and security teams in the latest evolution of the DevOps methodology, DevSecOps. Embracing DevSecOps is a software delivery advantage! By uncovering vulnerabilities earlier, your team can save time remediating issues and achieving compliance, while also minimizing the associated costs.
So how can your organization begin its DevSecOps adoption journey?
It starts with incorporating security into the early stages of the development lifecycle (shifting left) and providing end-to-end observability to facilitate collaboration between the development and security teams. At last year’s Ignite, we discussed ways to shift left by adding security scans to container images created as part of a Continuous Integration (CI) workflow. This helps developers scan for common vulnerabilities in their container images before pushing them to a container registry. Securing container images is one great way of shifting security left, but organizations also need to give their security teams visibility into delivery pipelines and registry scans.
At Microsoft Build 2021, we are excited to announce the public preview of the Microsoft Defender for Cloud integration with GitHub Actions. The new capabilities are our first steps towards shared tooling and a shared experience: reporting from container scans is extended into Defender for Cloud, giving security teams better insight into the source of vulnerable container images and the workflows and repositories they come from.
Provide DevSecOps teams observability into GitHub Action workflows
With this tighter integration we are allowing DevSecOps teams to run vulnerability scans, resolve findings, and visualize the security posture of workflows within their CI/CD pipeline.
CI/CD vulnerability scanning of container images helps shift security left by offering increased visibility and control and by providing CI/CD scan assessments to Defender for Cloud. Now, your security teams can access a holistic, 360-degree view across CI/CD pipelines and runtime resources through CI/CD scan assessments in Defender for Cloud. DevSecOps teams will now receive greater, shared insight into development practices and potentially vulnerable code, containers, and infrastructure.
Going forward, any workflow that pushes a container image without a scan action present will alert the user with a Defender for Cloud recommendation. Each recommendation details the affected resources along with a proposed remediation path and steps to help each path achieve a “healthy” state. Below are details on how to enable the new capabilities across GitHub and Azure to get you started with your DevSecOps journey.
How to setup Microsoft Defender for Cloud for GitHub integration
You can easily onboard this feature by navigating to Settings->Integrations in Microsoft Defender for Cloud.
After clicking on Configure CI/CD integration, select the Microsoft Managed Application Insights account pertaining to your region of choice.
To enable CI/CD Scanning in GitHub, start by adding the connection string and authentication token to publish the CI/CD scan results back to your Microsoft Managed Application Insights account.
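The workflow below is an added example, not code from the original post or from Microsoft. It shows the shape of a GitHub Actions workflow that scans an image before pushing it, which is the pattern the recommendation described above looks for, and publishes the scan results using the connection string and token from the Integrations page. The registry and image names are constructed, and the Azure/container-scan action and the two environment variable names it reads are assumptions about the action's documented interface, not taken from this post.

```yaml
name: build-scan-push

on:
  push:
    branches: [main]

env:
  # Constructed example values; replace with your registry and image name.
  REGISTRY: myregistry.azurecr.io
  IMAGE: myregistry.azurecr.io/webapp:${{ github.sha }}

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build image locally (not pushed yet)
        run: docker build -t "$IMAGE" .

      # Scan BEFORE any push. A workflow that pushes an image without a
      # scan step is what surfaces as a Defender for Cloud recommendation.
      - name: Scan image and publish results to Defender for Cloud
        uses: Azure/container-scan@v0   # assumed action name and inputs
        with:
          image-name: ${{ env.IMAGE }}
          severity-threshold: HIGH      # fail the job on HIGH/CRITICAL findings
          run-quality-checks: true      # best-practice checks as well as CVEs
        env:
          # Repository secrets holding the connection string and token
          # from Settings -> Integrations (variable names are assumptions).
          AZ_APPINSIGHTS_CONNECTION_STRING: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
          AZ_SUBSCRIPTION_TOKEN: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}

      # Only reached when the scan step passed the severity threshold.
      - name: Log in to registry
        uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Push image
        run: docker push "$IMAGE"
```

Because the push step comes after the scan, a finding at or above the threshold stops the image from ever reaching the registry, and the scan assessment still reaches Defender for Cloud so the security team sees which workflow and repository produced it.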
Now it’s time to harvest insights into container image vulnerabilities. After you’ve enabled CI/CD scanning for images built and published from GitHub workflows, Defender for Cloud showcases any vulnerabilities found in those images. Of course, it’s important to form a holistic picture of your data, and you can use these CI/CD scan results along with registry scan results to trace the lifecycle of the image from CI/CD to registry.
It’s important to think of this expanded scanning capability as the conduit to foster collaboration among your developer and SecOps teams. CI/CD vulnerability scanning gives much needed visibility into container images and the GitHub workflows that are pushing these images. You can also help developers scan their container images for common vulnerabilities—eliminating issues before deploying to a container registry, a containerized web app, or a Kubernetes cluster.