Pre-Deployment Protection for Infrastructure as Code
Published Oct 12 2022 09:00 AM 9,353 Views
Microsoft

Pre-Deployment Protection for Infrastructure as Code

Security Operators are inundated with security misconfigurations in their cloud resources. To reduce the number of security misconfigurations, identification and remediation can be shifted left so Developers can find and fix security misconfigurations earlier in the development lifecycle, reducing the burden on SecOps. Let's see how the newest service in Microsoft Defender for Cloud, Defender for DevOps, can help with pre-deployment protections. This blog walks Security Operators through setting up security tools in development workflows and integrated developer environments (IDE)—enabling SecOps to empower their Developers to fix security misconfigurations in pre-deployment, before the issues are deployed to production. 

 

Objectives:

  • Configure the Defender for DevOps Microsoft Security DevOps (MSDO) tools to scan for Infrastructure as Code (IaC) templates
  • Leverage GitHub branch protection to require Checks for TemplateAnalyzer and Terrascan rules
  • Use a GitHub extension to manage pull requests and visualize Checks from the MSDO tools and indicate the exact lines of code that are misconfigured

Prerequisites:

  • Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub)
  • If your SCMS is GitHub: GitHub Advanced Security

VS Code GitHub Extension

The GitHub Pull Requests and Issues extension allows you to review and manage GitHub pull requests and issues in Visual Studio Code.  It allows you to manage pull requests and finds issues with checks annotated in IaC templates. The extension can be found at this link: https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-pull-request-github

George__Wilburn_0-1664147447507.png

 

Defender for DevOps IaC Tools

The Microsoft Security DevOps (MSDO) tools are a set of static code analysis tools that help you secure workloads in your CI/CD pipelines.  The tool configuration supports enabling only Infrastructure as Code, without the other tools, to shorten runtime and concentrate on securing ARM, Cloud Formation, Terraform templates. 

  1. Configure the MSDO tools for only IaC scanning, follow the tutorial at this link: https://docs.microsoft.com/en-us/azure/defender-for-cloud/iac-vulnerabilities

 

GitHub Branch Protection Rule

This section assumes you followed the steps in the previous section to configure the MSDO tools. 

Next, navigate to the repository you used to setup the MSDO tools.  

1. On GitHub.com, navigate to the main page of the repository

2. Under your repository name, click Settings

George__Wilburn_10-1664148477793.png

 

3. In the "Code and automation" section of the sidebar, click Branches

4. Next to "Branch protection rules," click Add rule

George__Wilburn_2-1664147447517.png

5. Under "Branch name pattern," type the branch name or pattern you want to protect

    If you want to support all branches, type * or enter your default branch name

George__Wilburn_11-1664148506298.png

 

6. Under "Protect matching branches," select Require a pull request before merging

George__Wilburn_12-1664148516950.png

 

7. Select Require status checks to pass before merging

 

George__Wilburn_5-1664147447523.png

8. In the Search for status checks box, type Terrascan and TemplateAnalyzer

 

George__Wilburn_14-1664148541406.png

 

9. Optional: select Include administrators to apply the rules above to administrators

George__Wilburn_15-1664148560587.png

 

10. Click Save

 

Upload and Test an ARM Template

11. In the IaC tutorial, you downloaded an ARM template to get started

      Make a change to the template and commit it to a new branch

12. Create a pull request

13. Check the pull request results of the MSDO workflow

George__Wilburn_8-1664147447556.png

14. Verify that Checks show up in VS Code

George__Wilburn_9-1664147447585.png

 

 

Conclusion

To review, we’ve walked through creating a branch protection rule to force the Infrastructure as Code MSDO tools to run when a pull request is submitted.  The tools found misconfigurations in templates and did not allow the pull request to merge into the main branch because of the security findings in the templates.  This not only helps reduce the fatigue of Security Operators, but also empowers Developers to find and fix security misconfigurations before they ship to production.  

 

Additional Resources

Co-Authors
Version history
Last update:
‎Oct 12 2022 10:09 AM
Updated by: