Pre-Deployment Protection for Infrastructure as Code
Security Operators are inundated with security misconfigurations in their cloud resources. To reduce the number of security misconfigurations, identification and remediation can be shifted left so Developers can find and fix security misconfigurations earlier in the development lifecycle, reducing the burden on SecOps. Let's see how the newest service in Microsoft Defender for Cloud, Defender for DevOps, can help with pre-deployment protections. This blog walks Security Operators through setting up security tools in development workflows and integrated developer environments (IDE)—enabling SecOps to empower their Developers to fix security misconfigurations in pre-deployment, before the issues are deployed to production.
In this blog, we will:
Configure the Defender for DevOps Microsoft Security DevOps (MSDO) tools to scan Infrastructure as Code (IaC) templates
Use GitHub branch protection to require the TemplateAnalyzer and Terrascan checks to pass before a pull request can merge
Use a GitHub extension to manage pull requests, visualize the Checks from the MSDO tools, and see the exact lines of code that are misconfigured
Prerequisite: a connector provisioned in Microsoft Defender for Cloud (MDC) to your source code management system (such as Azure DevOps or GitHub)
The Microsoft Security DevOps (MSDO) tools are a set of static analysis tools that help you secure workloads in your CI/CD pipelines. The tool configuration lets you enable only the Infrastructure as Code category (TemplateAnalyzer and Terrascan), without the other tools, to shorten runtime and concentrate on securing ARM, CloudFormation, and Terraform templates.
This section assumes you followed the steps in the previous section to configure the MSDO tools.
Next, navigate to the repository you used to set up the MSDO tools.
1. On GitHub.com, navigate to the main page of the repository
2. Under your repository name, click Settings
3. In the "Code and automation" section of the sidebar, click Branches
4. Next to "Branch protection rules," click Add rule
5. Under "Branch name pattern," type the branch name or pattern you want to protect
To protect all branches, type *; to protect only your default branch, enter its name
6. Under "Protect matching branches," select Require a pull request before merging
7. Select Require status checks to pass before merging
8. In the Search for status checks box, type Terrascan and TemplateAnalyzer
9. Optional: select Include administrators to apply the rules above to administrators
10. Click Save
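The same rule can be created and audited through the GitHub REST API, which is useful when you have many repositories to protect or want to detect when someone later removes a required check. The script below is an added example and is not part of the original post or of Defender for DevOps. It assumes that the status-check contexts are the check names GitHub shows on the pull request ("TemplateAnalyzer" and "Terrascan", as typed in step 8), that a token with admin rights on the repository is in the GITHUB_TOKEN environment variable, and it protects one named branch (for example main) because this endpoint takes a branch name, not the wildcard pattern of step 5.

```python
"""Create or audit a GitHub branch protection rule that requires the MSDO IaC
checks (TemplateAnalyzer, Terrascan) to pass before merge.

Added example, not code from the original post. Assumptions: the check
contexts below match the check names shown on the pull request, and
GITHUB_TOKEN holds a token with admin rights on the repository.
"""
import json
import os
import urllib.request

# Check names from step 8 of the procedure (assumed to match the PR check names).
REQUIRED_CHECKS = ("TemplateAnalyzer", "Terrascan")


def build_protection_payload(checks=REQUIRED_CHECKS, include_admins=False, strict=True):
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection,
    mirroring steps 6 to 9 of the UI procedure."""
    return {
        # step 6: require a pull request before merging (no approvals required)
        "required_pull_request_reviews": {"required_approving_review_count": 0},
        # steps 7 and 8: the named status checks must pass; strict also
        # requires the branch to be up to date with the base branch
        "required_status_checks": {"strict": strict, "contexts": sorted(checks)},
        # step 9 (optional): apply the rule to administrators as well
        "enforce_admins": include_admins,
        # no push restrictions on who may push to the branch
        "restrictions": None,
    }


def apply_protection(owner, repo, branch, payload, token=None):
    """Apply the rule with the REST API. This is a live network call and is
    not exercised offline."""
    token = token or os.environ["GITHUB_TOKEN"]
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def missing_checks(protection, required=REQUIRED_CHECKS):
    """Audit a GET .../branches/{branch}/protection response: return the
    required checks that are not enforced, so drift (a check removed after
    setup) is caught rather than silently letting misconfigured templates merge."""
    rsc = protection.get("required_status_checks") or {}
    contexts = set(rsc.get("contexts") or [])
    # newer responses also list each check as {"context": ..., "app_id": ...}
    contexts |= {c.get("context") for c in rsc.get("checks") or []}
    return sorted(set(required) - contexts)


if __name__ == "__main__":
    print(json.dumps(build_protection_payload(include_admins=True), indent=2))
    # Constructed sample of a protection response from which one check was dropped.
    sample = {"required_status_checks": {"strict": True, "contexts": ["Terrascan"]}}
    print("missing required checks:", missing_checks(sample))
    # To apply for real: apply_protection("my-org", "my-repo", "main", build_protection_payload())
```

Run missing_checks against the stored protection of every repository on a schedule; a non-empty result means the pre-deployment gate has been weakened and should be restored before the next template change reaches main.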
Upload and Test an ARM Template
11. In the IaC tutorial, you downloaded an ARM template to get started
Make a change to the template and commit it to a new branch
12. Create a pull request
13. Check the pull request results of the MSDO workflow
14. Verify that Checks show up in VS Code
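To see what kind of finding blocks the merge in steps 12 and 13, the script below scans a small ARM template for three common storage account misconfigurations and reports the resource and JSON path of each one. It is an added example, not code from the original post or from the MSDO tools: the template is constructed here (it is not the tutorial's download), and the checks are illustrative rather than TemplateAnalyzer's or Terrascan's own rule set, which in a real run are reported as SARIF results with file and line positions that the IDE extension surfaces.

```python
"""Illustrative scan of an ARM template for storage account misconfigurations.

Added example, not from the original post. The checks below stand in for the
kind of rules the IaC tools apply; they are not the tools' actual rule set.
"""
import json

# Constructed template with two storage accounts: "weak" carries the
# misconfigurations, "fixed" is the corrected form that would pass the gate.
TEMPLATE = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "weak",
      "location": "[resourceGroup().location]",
      "sku": {"name": "Standard_LRS"},
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": false,
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": true
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "fixed",
      "location": "[resourceGroup().location]",
      "sku": {"name": "Standard_LRS"},
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    }
  ]
}
'''

STORAGE = "Microsoft.Storage/storageAccounts"

# (property, predicate the value must satisfy, message). A missing property
# fails the predicate too, so "not set explicitly" is reported as a finding.
STORAGE_CHECKS = [
    ("supportsHttpsTrafficOnly", lambda v: v is True,
     "storage account should require HTTPS-only traffic"),
    ("minimumTlsVersion", lambda v: v == "TLS1_2",
     "storage account should enforce TLS 1.2 as the minimum version"),
    ("allowBlobPublicAccess", lambda v: v is False,
     "storage account should disable public blob access"),
]


def iter_resources(resources, path="resources"):
    """Walk top-level and nested ARM resources, yielding (json_path, resource)."""
    for i, res in enumerate(resources or []):
        here = f"{path}[{i}]"
        yield here, res
        yield from iter_resources(res.get("resources"), f"{here}.resources")


def scan_template(template_text):
    """Return one finding per failed check, with the resource name and the
    JSON path of the offending property so the author can jump straight to it."""
    template = json.loads(template_text)
    findings = []
    for path, res in iter_resources(template.get("resources")):
        if res.get("type") != STORAGE:
            continue
        props = res.get("properties") or {}
        for prop, ok, message in STORAGE_CHECKS:
            value = props.get(prop)
            if not ok(value):
                findings.append({
                    "resource": res.get("name"),
                    "path": f"{path}.properties.{prop}",
                    "value": value,
                    "message": message,
                })
    return findings


if __name__ == "__main__":
    for f in scan_template(TEMPLATE):
        print(f"{f['resource']}: {f['path']} = {f['value']!r}: {f['message']}")
```

Running it reports three findings, all on the "weak" account and none on "fixed"; with the branch protection rule from the previous steps in place, the real checks produce the same outcome on the pull request: the template with findings cannot merge until the properties are corrected as in the "fixed" resource.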
To review, we've walked through creating a branch protection rule that requires the Infrastructure as Code MSDO checks (TemplateAnalyzer and Terrascan) to pass on every pull request. The tools found misconfigurations in the templates, and the rule did not allow the pull request to merge into the main branch because of those security findings. This not only reduces the fatigue of Security Operators, but also empowers Developers to find and fix security misconfigurations before they ship to production.