Understanding essential features in Secure DevOps pipeline

Written by

Rajnish Kumar Jha

Under the topic

Azure DevOps

Dated:

May 3, 2024

Table Of Content

Understanding essential features in Secure DevOps pipeline

In the context of Azure Pipelines, which is a key component of Azure DevOps Services, the goal of integrating security is to create a Secure DevOps pipeline. This involves adding additional features, practices, and tools that ensure security is incorporated at every stage of the CI/CD process. While standard Azure Pipelines primarily focuses on continuous integration, continuous delivery, and automation, Secure Azure Pipelines add several critical security features to protect applications, infrastructure, and data.

Let's explore the essential security features that differentiate Secure Azure Pipelines from Standard Azure Pipelines.

1. Pipeline as Code Security (Azure Pipelines YAML + Secrets Management)

Standard Azure Pipelines:

You can define your pipeline using YAML or through the classic UI-based approach. While you can use variables and manage environment-specific configurations, secrets are often handled less securely by default.

Secure Azure Pipelines:

Security is integrated through enhanced features like Azure Key Vault and Azure DevOps Service Connections for storing and managing secrets securely. Pipeline YAML files can reference secrets stored in Azure Key Vault rather than hardcoding them in the pipeline definition.

Key Features:

Secrets from Azure Key Vault:

Avoid storing secrets directly in the pipeline code by referencing Azure Key Vault in your YAML pipeline for secure management of sensitive data like API keys, passwords, and certificates.

Secure DevOps Kit for Azure (AzSK):

It’s a security tool for Azure DevOps that helps with secure pipeline setups, ensuring compliance and implementing policies that can help secure the pipeline infrastructure.

Example:


xxxxxxxxxx
13
1
variables:
2
  - group: my-variable-group  # Reference a variable group containing secure information
3
  - name: $(Build.DefinitionName)_$(Build.BuildId)
4
jobs:
5
  - job: Build
6
    pool:
7
      vmImage: 'ubuntu-latest'
8
    steps:
9
      - task: UseDotNet@2
10
        inputs:
11
          packageType: 'sdk'
12
          version: '6.x'
13
          installationPath: $(Agent.ToolsDirectory)/dotnet

Azure Key Vault is integrated into the pipeline for secrets handling:


xxxxxxxxxx
6
1
steps:
2
  - task: AzureKeyVault@2
3
    inputs:
4
      azureSubscription: 'YourAzureSubscription'
5
      KeyVaultName: 'YourKeyVaultName'
6
      SecretsFilter: ''

2. Secure Dependency Scanning & Software Composition Analysis (SCA)

Standard Azure Pipelines:

While Azure Pipelines allows for build automation, dependency management, and artifact storage, it doesn't directly include automated dependency scanning for security vulnerabilities.

Secure Azure Pipelines:

Integrating tools like Snyk, WhiteSource, Black Duck, or Sonatype Nexus into the pipeline allows you to continuously scan dependencies for known vulnerabilities (open-source libraries or third-party components).

Key Features:

Automated Dependency Scanning: Identify vulnerabilities in third-party libraries and dependencies that are included in your application.
Policy Enforcement for Dependencies: You can configure security policies to block builds if critical vulnerabilities are found in dependencies, ensuring that the code you deploy does not have known security issues.

Example:

Integrating Snyk with your Azure Pipeline to perform SCA:


xxxxxxxxxx
9
1
jobs:
2
  - job: SecureBuild
3
    pool:
4
      vmImage: 'ubuntu-latest'
5
    steps:
6
      - task: Snyk@1
7
        inputs:
8
          command: 'test'
9
          snykApiKey: $(SnykApiKey)  # stored securely in Azure Key Vault or pipeline variable

3. Static Application Security Testing (SAST) & Dynamic Application Security Testing (DAST)

Standard Azure Pipelines:

Azure Pipelines provides integration for general build, test, and deployment tasks, but security testing such as static or dynamic application security testing is not built in by default.

Secure Azure Pipelines:

You can integrate tools like SonarQube, Checkmarx, Fortify, or Veracode into your pipeline to run SAST (static) and DAST (dynamic) tests. These tools analyze your source code or the deployed application for vulnerabilities.

Key Features:

SAST tools integrated with the pipeline scan code at compile-time or build-time to catch vulnerabilities like SQL injection, Cross-Site Scripting (XSS), and other code-based issues before deployment.
DAST tools test running applications for vulnerabilities at runtime, including issues like authentication flaws and misconfigurations in APIs.

Example:

Running SonarQube for static code analysis in the pipeline:


xxxxxxxxxx
12
1
steps:
2
  - task: SonarQubePrepare@4
3
    inputs:
4
      SonarQube: 'YourSonarQubeServiceConnection'
5
      scannerMode: 'MSBuild'
6
      projectKey: 'YourProjectKey'
7
      projectName: 'YourProjectName'
8
  - task: SonarQubeAnalyze@4
9
    displayName: 'Run SonarQube Analysis'
10
  - task: SonarQubePublish@4
11
    inputs:
12
      pollingTimeoutSec: '300'

4. Container Security & Image Scanning

Standard Azure Pipelines:

Azure Pipelines supports containerization with Docker, but security features for scanning container images are not built into the pipeline out of the box.

Secure Azure Pipelines:

Container security tools like Aqua Security, Anchore, and Twistlock can be integrated into the pipeline to scan container images for vulnerabilities, misconfigurations, and compliance violations before they are pushed to production.

Key Features:

Image Scanning: Ensure container images are free from vulnerabilities or misconfigurations before deployment.
Compliance Checking: Automatically check container images for compliance with security benchmarks (e.g., CIS Docker benchmarks).

Example:

Using Anchore in the pipeline for container image scanning:


xxxxxxxxxx
12
1
steps:
2
  - task: Docker@2
3
    displayName: 'Build Docker Image'
4
    inputs:
5
      command: 'build'
6
      repository: '$(Build.Repository.Name)'
7
      dockerfile: 'Dockerfile'
8
      tags: '$(Build.BuildId)'
9
  - task: AnchoreTask@1
10
    inputs:
11
      imageName: '$(Build.Repository.Name):$(Build.BuildId)'
12
      anchoreApiKey: $(AnchoreApiKey)  # Securely retrieved from Key Vault

5. Infrastructure as Code (IaC) Security

Standard Azure Pipelines:

Azure Pipelines can integrate with Infrastructure as Code (IaC) tools like Terraform, Azure Resource Manager (ARM), and Bicep to automate infrastructure provisioning.

Secure Azure Pipelines:

IaC security is a crucial part of securing the pipeline. Tools like Checkov, TFLint, and Terraform Cloud can be used to scan infrastructure code for security misconfigurations, such as open ports, insecure cloud permissions, or improper access controls.

Key Features:

IaC Scanning: Ensure that any cloud infrastructure or configuration code is free from security misconfigurations that could lead to data exposure or security breaches.
Policy Enforcement: Enforce security policies such as least-privilege access, encrypted storage, or proper identity and access management configurations.

Example:

Scanning Terraform code for security issues using Checkov:


xxxxxxxxxx
5
1
steps:
2
  - task: Checkov@2
3
    inputs:
4
      targetFolder: '$(Build.SourcesDirectory)/terraform'
5
      terraformVersion: '1.0.0'

6. Security Gates & Approvals

Standard Azure Pipelines:

In standard pipelines, you can set up manual approvals, but security-specific gates are not automated.

Secure Azure Pipelines:

You can set up security gates in the pipeline to enforce manual approvals or automated checks for compliance, code analysis, vulnerability scanning, or container image checks. These gates ensure that only secure code reaches production.

Key Features:

Automated Security Gates: Blocks deployments if security checks (e.g., SAST, DAST, dependency scanning) fail.
Manual Approval for Sensitive Deployments: Before deploying to production, a security team member can approve the deployment after verifying that all security checks have been passed.

Example:

Adding an Approval Gate in a pipeline:


xxxxxxxxxx
19
1
resources:
2
  pipelines:
3
    - pipeline: 'BuildPipeline'
4
      source: 'BuildPipeline'
5
      trigger:
6
        branches:
7
          include:
8
            - main
9
jobs:
10
  - job: DeployToProduction
11
    condition: succeeded('BuildPipeline')
12
    pool:
13
      vmImage: 'ubuntu-latest'
14
    steps:
15
      - task: AzureWebApp@1
16
        inputs:
17
          azureSubscription: 'YourAzureSubscription'
18
          appName: 'YourWebAppName'
19
          package: '$(System.ArtifactsDirectory)/drop/YourApp.zip'

7. Continuous Monitoring & Logging

Standard Azure Pipelines:

Azure Pipelines does not have built-in capabilities for monitoring or security event logging.

Secure Azure Pipelines:

Continuous monitoring and logging are critical for ensuring security post-deployment. By integrating tools like Azure Monitor, Azure Security Center, and Log Analytics, you can track potential security issues and incidents in real-time.

Key Features:

Real-time Monitoring: Ensure your deployments are continuously monitored for potential security vulnerabilities or breaches after they go live.
Security Event Logging: Collect and analyze logs from deployments, applications, and infrastructure for auditing and incident response.

Example:

Sending logs to Azure Monitor or Azure Security Center for security event tracking:


xxxxxxxxxx
7
1
steps:
2
  - task: AzureMonitor@1
3
    inputs:
4
      azureSubscription: 'YourAzureSubscription'
5
      resourceGroup: 'YourResourceGroup'
6
      monitorAction: 'Log Analytics Query'
7
      query: 'SecurityEvents | where EventLevelName == "Critical"'

Summary

The Secure Azure Pipeline introduces several essential security features that are not present in a standard Azure Pipeline. These include secret management via Azure Key Vault, automated dependency scanning, integration of static and dynamic security testing tools, container image scanning, IaC security, security gates for approvals, and enhanced monitoring/logging for post-deployment security. By embedding security practices and tools into every phase of the CI/CD pipeline, Secure Azure Pipelines help you build, test, and deploy applications that are not only functional but also secure by design.

This integrated approach to security helps address vulnerabilities early in the development lifecycle, improving the security posture and reducing the risk of breaches in production.

Course Navigation Learn Azure DevOps from scratch

Familiarize yourself with the Database Deployme…

Familiarize yourself with the Database Deployment Task …

Learn about build-related Tooling in Azure DevOps

Learn about build-related Tooling in Azure DevOps Azure…

Hands-on Demo – Create Bicep templates

Hands-on Demo – Create Bicep templates Let’s go…

Integrating GitHub and Azure DevOps with Micros…

Integrating GitHub and Azure DevOps with Microsoft Team…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.