Getting Started with Azure DevOps Security Scanner

If you are new to the wonderful world of Security in Azure DevOps, Don’t worry following article is for you. ADO Security Scanner helps to keep ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, configured securely .i.e. , with this we will have secure Azure DevOps environment

To get started we need a demo project , there are a lot of articles in azuredevopslabs , for our demo we would be using one of the demo project which deploys a simple PHP application to Azure App Service using Azure Pipelines.

Once the deployment is done, navigate to azure portal and verify the app service

portal.azure.com

Navigate to the above URL to view the PHP application

Now, we need to add the Azure Security Scanner Extension, (as I have already added its displayed), For this navigate to Organization settings ->Extensions - > Browse Marketplace

It redirects to market place and gives the following details on the extension, BTW It’s a Free extension !!

https://marketplace.visualstudio.com/items?itemName=azsdktm.ADOSecurityScanner

Now navigate to Pipeline, under Task , search for Azure DevOps Security Scanner and add it

Authentication is required for the same

Connection url is https://dev.azure.com/{organization} for Personal Access token generating token, navigate to organizational settings-> security -> personal access tokens, provide any name for the token and select your organization, the token validity can be also customized, as shown below

And click on create, token is generated

Verify the connection URL and token

Provide service connection name, it should be related to service, in this case something like ADO security scanner, click on verify and save

Now lets try to commit a simple change by updating the config file, here I have updated the name

Provide a comment and Click on Commit

Verify the pipeline , under last run we can see the commit details

Click on ADO Scanner Updated config, it gives the job details

Select phase 1, Here we can observe the ADO Security Scan job details

Once scan is completed as part of pipeline, following results are displayed

Also the deployment is done with the latest changes

Scan Results can also be visualized with the help of project dashboard widgets. Navigate to project dashboard under your organization and create on Edit

Add “ADO Security Org Security view” which Displays org level security control evaluation summary and also on “ADO Security Project Component” which Displays project components (Build/Release/Connections) security control evaluation summary

After couple of seconds , following charts are displayed on dashboard

Hope it helps. Happy Learning !!!