Remediating Security Issues in Code with Pull Request Annotations
Published Feb 06 2023 10:06 AM
Microsoft

**We want to hear from you! If you have tested DevOps security in Defender for Cloud, please fill out this survey to provide feedback on the Pull Request Annotations feature.**

Written by: Lara Goldstein, Safeena Begum Lepakshi, Charles Oxyer

Introduction:

It is no secret that security and development teams operate in silos. Security administrators often struggle to get developers to remediate vulnerabilities in code because they cannot provide remediation guidance and feedback directly within the tools developers are most familiar with (e.g., GitHub and Azure DevOps). Additionally, developers who embrace the practice of DevOps are used to moving quickly and automating as many processes as possible, so security teams struggle to keep up with the speed of development.

To simplify the remediation process, reduce time to remediation, and help security teams build stronger relationships with developers, DevOps security in Defender for Cloud can expose security findings as annotations in Pull Requests (PRs) within Azure DevOps and GitHub Enterprise.


Why Use Pull Request Annotations:

Vulnerabilities and misconfigurations are detected too late in the development cycle, often when code is already deployed. Not only does this make the deployed code a target for bad actors, but it also makes the issue more expensive to fix. By using PR annotations, security teams can shift left in the development lifecycle and empower developers to remediate security vulnerabilities in their pre-production code.

With PR annotations, security findings are surfaced back to the source code management system at the specific line in the Pull Request where the issue was found. Each annotation has the following information:

  • Severity of the issue
  • A message about what the issue is
  • A description of how to fix the issue


End-to-End Scenario of using Pull Request Annotations:

An example of a common use case for Pull Request Annotations is as follows:

  • A security persona (for example, a security administrator) configures Pull Request annotations for an Azure DevOps repository within Microsoft Defender for Cloud in the DevOps Security blade. To learn more about enabling PR annotations, see this document.

Lara_Goldstein_0-1675702638978.png

  • The developer commits a file within Azure DevOps that contains secrets. In this scenario, the developer committed an AWS Secret Access Key.

Lara_Goldstein_1-1675702638985.png

  • The developer creates a Pull Request to merge the file into the appropriate branch.

Lara_Goldstein_2-1675702638987.png

Lara_Goldstein_3-1675702638997.png

  • The developer is notified that the file contains a secret through an automated comment on the Pull Request coming from Microsoft Defender for Cloud. In the comment, the developer can see the exact line of code where the secret is located. In this example, the AWS Secret Access Key was discovered in Line 2.

Lara_Goldstein_4-1675702639011.png

  • The developer fixes the issue using the guidance provided in the annotation. In this case, the guidance was to validate that the file contains secrets, remove and rotate the secret, and use an approved key store, such as AWS Key Management Service or Azure Key Vault.

  • The developer changes the status of the comment from Active to Resolved to reflect that the issue has been fixed.

Lara_Goldstein_0-1675727637560.png
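To make the scenario above concrete, here is an added example of the kind of check that produces such an annotation. It is not Defender for Cloud's scanner and not code from the post's authors: the detection rules, the `Finding` structure, the sample file `config/aws.env` and the remediation text are all constructed for this illustration, and the credential values are the placeholder values from the AWS documentation, not real keys. It scans the committed file, reports severity, message and fix guidance per line (the three fields an annotation carries), places the secret on line 2 as in the scenario, and shows that the fixed file, with values injected from a key store at deploy time, produces no findings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical detection rules, constructed for this example:
# (rule name, compiled pattern, severity, remediation guidance).
# The secret-access-key rule only fires when the 40-character value sits in a
# key-like assignment, which keeps arbitrary 40-character strings from matching.
RULES = [
    (
        "AWS Access Key ID",
        re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        "High",
        "Confirm the file contains a real credential, revoke and rotate the key, "
        "and load it from an approved key store (AWS KMS or Azure Key Vault).",
    ),
    (
        "AWS Secret Access Key",
        re.compile(
            r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
            r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
            re.IGNORECASE,
        ),
        "High",
        "Confirm the file contains a real credential, remove it, rotate it, "
        "and load it from an approved key store (AWS KMS or Azure Key Vault).",
    ),
]


@dataclass(frozen=True)
class Finding:
    """One annotation: where it is, how severe it is, what it is, how to fix it."""
    path: str
    line: int
    severity: str
    message: str
    fix: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, severity, fix in RULES:
            if pattern.search(line):
                findings.append(
                    Finding(path, lineno, severity,
                            f"{name} found in {path} at line {lineno}", fix)
                )
    return findings


def render_annotation(finding: Finding) -> str:
    """Format a finding the way a PR comment would present it."""
    return f"[{finding.severity}] {finding.message}\nHow to fix: {finding.fix}"


# Constructed sample: the developer's commit, with the AWS documentation
# placeholder credentials standing in for real ones. The secret is on line 2,
# matching the scenario in the post.
COMMITTED = """# constructed sample config committed to the repo
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

# Constructed sample: the same file after the fix. The literal values are gone;
# the deployment pipeline injects them from a key store at runtime.
FIXED = """# secrets removed and rotated; values injected from Azure Key Vault at deploy time
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
"""

if __name__ == "__main__":
    for f in scan_file("config/aws.env", COMMITTED):
        print(render_annotation(f), end="\n\n")
    print("findings after fix:", len(scan_file("config/aws.env", FIXED)))
```

Requiring the assignment context for the 40-character secret pattern is the trade-off a real scanner makes too: a bare 40-character token matches far too many hashes and identifiers, so the rule anchors on the variable name to keep the PR comment from becoming noise developers learn to ignore.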


Summary:

This blog discussed why Pull Request Annotations are useful for automating security in DevOps environments and provided an example of a common scenario.



Last update: Dec 07 2023 09:05 AM