Getting Started with Azure DevOps Security Scanner
If you are new to the wonderful world of Security in Azure DevOps, Don’t worry following article is for you. ADO Security Scanner helps to keep ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, configured securely .i.e. , with this we will have secure Azure DevOps environment
To get started we need a demo project , there are a lot of articles in azuredevopslabs , for our demo we would be using one of the demo project which deploys a simple PHP application to Azure App Service using Azure Pipelines.
Once the deployment is done, navigate to azure portal and verify the app service
Navigate to the above URL to view the PHP application
Now, we need to add the Azure Security Scanner Extension, (as I have already added its displayed), For this navigate to Organization settings ->Extensions - > Browse Marketplace
It redirects to market place and gives the following details on the extension, BTW It’s a Free extension !!
Now navigate to Pipeline, under Task , search for Azure DevOps Security Scanner and add it
Authentication is required for the same
Connection url is https://dev.azure.com/{organization} for Personal Access token generating token, navigate to organizational settings-> security -> personal access tokens, provide any name for the token and select your organization, the token validity can be also customized, as shown below
And click on create, token is generated
Verify the connection URL and token
Provide service connection name, it should be related to service, in this case something like ADO security scanner, click on verify and save
Now lets try to commit a simple change by updating the config file, here I have updated the name
Provide a comment and Click on Commit
Verify the pipeline , under last run we can see the commit details
Click on ADO Scanner Updated config, it gives the job details
Select phase 1, Here we can observe the ADO Security Scan job details
Once scan is completed as part of pipeline, following results are displayed
Also the deployment is done with the latest changes
Scan Results can also be visualized with the help of project dashboard widgets. Navigate to project dashboard under your organization and create on Edit
Add “ADO Security Org Security view” which Displays org level security control evaluation summary and also on “ADO Security Project Component” which Displays project components (Build/Release/Connections) security control evaluation summary
After couple of seconds , following charts are displayed on dashboard
Hope it helps. Happy Learning !!!
