Secure DevOps Kit (AzSK) is a free set of tools that can be used to check the security configuration of Azure resources. A nice thing about this toolset is that it integrates easily with Azure DevOps.
AzSK can be installed as a free extension from the Azure DevOps Marketplace. The extension contains two tasks:
- ARM Template Checker – a task that checks security settings in ARM templates
- Security Verification Tests (SVTs) – a task that checks deployed resources for their security configuration
The first task can be used in build and release definitions; the latter is available only in release definitions. For the SVTs task the pipeline structure is usually something like this:
Getting started with Secure DevOps Kit for Azure
To get started with the Secure DevOps Kit, we first need to install the extension from the Marketplace.
Then we need to add a new AzSK Security Verification Tests task into the agent job.
The task has three mandatory settings which need to be set.
- AzureRM Subscription – the Azure subscription that contains the checked resources. If you need to scan multiple subscriptions, add a new task for each subscription.
- Select Parameter Set – the scanned resources can be defined by resource group name or by a tag name/value pair. Tags are basically a way to organize Azure resources into groups. You can read more about tags here.
- Subscription ID – the ID of the subscription hosting the resources against which the Security Verification Tests (SVTs) should be run. Usually it's the same value as the subscription selected above.
If you don't use Azure Log Analytics, you can unselect the Enable OMS Logging option.
Now after every release AzSK should run about 30 automated tests (plus manual checks) against the Azure resources. By default, if one of them fails, your deployment fails as well. For a simple resource group the tests take approximately 2 minutes and 30 seconds to complete on a hosted agent.
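The same scan can be driven from a PowerShell script step when you want more control over what counts as a failure. The script below is an added example, not code from the original post or from the AzSK project: it uses the AzSK PowerShell module's Get-AzSKAzureServicesSecurityStatus cmdlet (with its -SubscriptionId, -ResourceGroupNames, -TagName and -TagValue parameters, matching the task's two parameter sets) rather than the marketplace task. The script parameters, the use of the cmdlet's return value as the output folder path, and the report column names (Status, ControlId, ResourceName, ControlSeverity) are assumptions that should be checked against the header of the SecurityReport CSV your own run produces.

```powershell
# Added example (not from the original post): run AzSK Security Verification
# Tests from a PowerShell step and fail the release when any control fails,
# mirroring the marketplace task's default behaviour.
# Assumes the AzSK module is installed (Install-Module AzSK) and the agent is
# already logged in to Azure (for example via an Azure PowerShell task).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # same value as the task's "Subscription ID" box
    [string] $ResourceGroupName,                      # parameter set 1: resource group name
    [string] $TagName,                                # parameter set 2: tag name ...
    [string] $TagValue                                # ... and tag value
)

$ErrorActionPreference = 'Stop'

# Pick the parameter set, like the task's "Select Parameter Set" option.
# Assumption: the cmdlet returns the path of the folder holding its reports.
if ($ResourceGroupName) {
    $outputFolder = Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId `
        -ResourceGroupNames $ResourceGroupName -DoNotOpenOutputFolder
} elseif ($TagName -and $TagValue) {
    $outputFolder = Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId `
        -TagName $TagName -TagValue $TagValue -DoNotOpenOutputFolder
} else {
    throw 'Specify either -ResourceGroupName or both -TagName and -TagValue.'
}

# Read the newest SecurityReport-*.csv from the output folder.
# Column names used below are assumptions; verify them against your report header.
$report = Get-ChildItem -Path $outputFolder -Filter 'SecurityReport-*.csv' -Recurse |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $report) { throw "No SecurityReport CSV found under $outputFolder" }
$results = @(Import-Csv -Path $report.FullName)

$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
$manual = @($results | Where-Object { $_.Status -in 'Manual', 'Verify' })

Write-Host ("Controls evaluated: {0}, failed: {1}, needing manual review: {2}" -f
    $results.Count, $failed.Count, $manual.Count)

foreach ($f in $failed) {
    # ##vso[task.logissue] lines are surfaced as errors in the pipeline summary
    Write-Host ("##vso[task.logissue type=error]{0} failed on {1} (severity {2})" -f
        $f.ControlId, $f.ResourceName, $f.ControlSeverity)
}

# Any failed control fails the release, as the task does by default.
if ($failed.Count -gt 0) {
    Write-Host '##vso[task.complete result=Failed;]AzSK controls failed'
    exit 1
}
```

Controls reported as Manual or Verify are counted and logged but do not fail the release here, since they need a human to confirm the configuration; if you prefer the stricter behaviour, add $manual.Count to the final check.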
For more info, check the Secure DevOps Kit for Azure documentation at https://azsk.azurewebsites.net/03-Security-In-CICD/Readme.html