defender-for-devops skill

/plugins/ado-master/skills/defender-for-devops

npx playbooks add skill josiahsiegel/claude-plugin-marketplace --skill defender-for-devops

---
name: defender-for-devops
description: Microsoft Defender for DevOps integration with Azure Pipelines (2025)
---

## 🚨 CRITICAL GUIDELINES

### Windows File Path Requirements

**MANDATORY: Always Use Backslashes on Windows for File Paths**

When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).

**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`

This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems


### Documentation Guidelines

**NEVER create new documentation files unless explicitly requested by the user.**

- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation


---

# Microsoft Defender for DevOps Integration

Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.

## Overview

Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:
- **SAST:** Static Application Security Testing
- **Secret Detection:** Identify hardcoded secrets and credentials
- **Dependency Scanning:** Vulnerable package detection
- **IaC Scanning:** Infrastructure as Code security analysis
- **Container Scanning:** Image vulnerability assessment with Trivy

## Microsoft Security DevOps Extension

**Installation:**
1. Install from Azure DevOps Marketplace
2. Configure in pipeline YAML
3. View results in Scans tab
4. Integrate with Defender for Cloud

**Extension Capabilities:**
- Converts results to SARIF format
- Displays findings in Scans tab
- Integrates multiple security tools
- Provides centralized security insights

## YAML Integration

### Basic MSDO Task

```yaml
trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-24.04'

stages:
  - stage: Build
    jobs:
      - job: BuildAndScan
        steps:
          - task: UseDotNet@2
            displayName: 'Install .NET SDK'
            inputs:
              version: '8.x'

          - task: DotNetCoreCLI@2
            displayName: 'Build Project'
            inputs:
              command: 'build'
              projects: '**/*.csproj'

          # Microsoft Security DevOps Scan
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Run Microsoft Security DevOps'
            inputs:
              categories: 'secrets,code,dependencies,IaC,containers'
              break: false  # Don't fail pipeline on findings

          # Publish SARIF results
          - task: PublishSecurityAnalysisLogs@3
            displayName: 'Publish Security Analysis Logs'
            inputs:
              ArtifactName: 'CodeAnalysisLogs'

          # Display results in Scans tab
          - task: PostAnalysis@2
            displayName: 'Post Analysis'
            inputs:
              break: false
```

### Advanced Configuration with Breaking Builds

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Security Scanning (Break on Critical)'
  inputs:
    # Scan categories
    categories: 'secrets,code,dependencies,IaC,containers'

    # Break build on severity
    break: true
    breakSeverity: 'critical'  # Options: critical, high, medium, low

    # Tool configuration
    tools: 'all'  # Or specific: 'credscan,eslint,trivy'

    # Output configuration
    publishResults: true

  continueOnError: false
```
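As an added example (not part of this SKILL.md or of the MSDO extension), the severity gate the `break` input performs can also be applied from outside the task, over the SARIF 2.1.0 files published to `CodeAnalysisLogs`; that is useful when the decision has to be made in a later stage or logged. The `SAMPLE_SARIF` document and its rule ids are constructed for the example, and the CVSS-style `security-severity` rule property is the one tools such as Trivy emit.

```python
import json
from collections import Counter

# Gate ranking; "security-severity" scores carried on SARIF rules are mapped onto the same bands
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

# Constructed sample SARIF 2.1.0 document standing in for a CodeAnalysisLogs file
SAMPLE_SARIF = {
    "runs": [{
        "tool": {"driver": {"name": "trivy", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}}]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error"},
            {"ruleId": "CVE-0000-0002", "level": "warning"},
            {"ruleId": "SecretFound", "level": "error"}]}]}

def score_to_severity(score: float) -> str:
    # CVSS v3 qualitative bands: >=9.0 critical, >=7.0 high, >=4.0 medium, else low
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def result_severity(result: dict, rules_by_id: dict) -> str:
    # Prefer the rule's security-severity score; fall back to the SARIF result level
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return score_to_severity(float(score))
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")

def count_by_severity(sarif: dict) -> Counter:
    counts = Counter()
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            counts[result_severity(result, rules_by_id)] += 1
    return counts

def gate(sarif: dict, break_severity: str = "high") -> tuple:
    # Returns (passed, counts); passed is False if any finding is at or above break_severity
    counts = count_by_severity(sarif)
    threshold = SEVERITY_RANK[break_severity]
    blocking = sum(n for sev, n in counts.items() if SEVERITY_RANK[sev] >= threshold)
    return blocking == 0, counts

if __name__ == "__main__":
    passed, counts = gate(SAMPLE_SARIF, "high")
    print(dict(counts), "pass" if passed else "FAIL")  # {'critical': 1, 'medium': 1, 'high': 1} FAIL
```

To run it against real output, load each `*.sarif` file from the published artifact with `json.load` and pass the result to `gate` with the same severity as `breakSeverity`.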

### Conditional Scanning

```yaml
# Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1
  displayName: 'Security Scan'
  inputs:
    # Template expressions used as keys insert the chosen input at compile time
    ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
      categories: 'secrets,code,dependencies,IaC,containers'
    ${{ else }}:
      categories: 'secrets,code'
    break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
```

## Integrated Security Tools

### 1. Secret Scanning

- **Replaced:** CredScan, deprecated September 2023
- **Current:** GitHub Advanced Security for Azure DevOps or MSDO secrets scanning

```yaml
# MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: 'secrets'
    break: true  # Always break on secrets
```

**Common secrets detected:**
- API keys and tokens
- Database connection strings
- Cloud provider credentials
- SSH private keys
- OAuth tokens

### 2. Static Code Analysis (SAST)

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'SAST Scan'
  inputs:
    categories: 'code'
    tools: 'eslint,bandit,semgrep'
```

**Supported languages:**
- JavaScript/TypeScript (ESLint)
- Python (Bandit)
- Go (gosec)
- Java (SpotBugs)
- C# (.NET Security Guard)

### 3. Dependency Scanning

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Dependency Scan'
  inputs:
    categories: 'dependencies'
    tools: 'trivy,govulncheck'
```

**Detects:**
- Known CVEs in dependencies
- Outdated packages
- License compliance issues
- Transitive vulnerabilities

### 4. Infrastructure as Code (IaC) Scanning

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'IaC Security Scan'
  inputs:
    categories: 'IaC'
    tools: 'terrascan,checkov,templateanalyzer'
```

**Scans:**
- Terraform configurations
- ARM templates
- Bicep files
- Kubernetes manifests
- CloudFormation templates

### 5. Container Image Scanning

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Container Security Scan'
  inputs:
    categories: 'containers'
    tools: 'trivy'
```

**Trivy scans for:**
- OS vulnerabilities
- Application dependencies
- Misconfigurations
- Secrets in images
- License issues

## Integration with Defender for Cloud

### Enable Defender for DevOps

```yaml
# Pipeline automatically sends results to Defender for Cloud
# when MSDO extension is connected

- task: MicrosoftSecurityDevOps@1
  displayName: 'Scan and send to Defender'
  inputs:
    categories: 'all'
    publishResults: true

# Results appear in:
# Defender for Cloud → DevOps Security → Findings
```

**Benefits:**
- Centralized security dashboard
- Cross-pipeline insights
- Compliance reporting
- Security trend analysis
- Integration with Azure Security Center

## Complete Security Pipeline Example

```yaml
trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-24.04'

variables:
  - name: breakOnCritical
    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}

stages:
  - stage: SecurityScan
    displayName: 'Security Analysis'
    jobs:
      - job: StaticAnalysis
        displayName: 'Static Security Analysis'
        steps:
          - checkout: self
            fetchDepth: 1

          # Install dependencies
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'

          - script: npm ci
            displayName: 'Install dependencies'

          # Build application
          - script: npm run build
            displayName: 'Build application'

          # Docker build for container scanning
          - task: Docker@2
            displayName: 'Build Docker image'
            inputs:
              command: 'build'
              Dockerfile: 'Dockerfile'
              tags: '$(Build.BuildId)'

          # Comprehensive security scan
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Microsoft Security DevOps Scan'
            inputs:
              categories: 'secrets,code,dependencies,IaC,containers'
              break: $(breakOnCritical)
              breakSeverity: 'high'
              tools: 'all'

          # Publish SARIF results
          - task: PublishSecurityAnalysisLogs@3
            displayName: 'Publish SARIF Logs'
            inputs:
              ArtifactName: 'CodeAnalysisLogs'
              ArtifactType: 'Container'

          # Post-analysis with results
          - task: PostAnalysis@2
            displayName: 'Security Post Analysis'
            inputs:
              break: $(breakOnCritical)

          # Generate security report
          - script: |
              echo "Security scan completed"
              echo "Results available in Scans tab"
            displayName: 'Security Summary'
            condition: always()

  - stage: Deploy
    dependsOn: SecurityScan
    condition: succeeded()
    jobs:
      - deployment: DeployApp
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying secure application"
```

## Advanced Security Features (Coming 2025)

**Roadmap features:**
- Pull request build validation
- Break pipeline on alert severity
- Advanced Security dashboard
- Custom CodeQL queries
- Integration with GitHub Advanced Security

## GitHub Advanced Security for Azure DevOps

**Alternative to MSDO for secret scanning:**

Requires a GitHub Advanced Security license. Provides:
- Secret scanning
- Code scanning with CodeQL
- Dependency vulnerability alerts
- Security overview dashboard

Configured in Azure DevOps organization settings; scans run automatically on commits and PRs.

## Best Practices

**Pipeline Security:**
- Run security scans on every commit
- Break builds on critical/high severity findings
- Scan both code and dependencies
- Include IaC security validation
- Scan container images before push
- Review findings regularly

**Configuration:**
```yaml
# Recommended configuration
- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: 'secrets,code,dependencies,IaC,containers'
    break: true
    breakSeverity: 'high'  # Adjust based on risk tolerance
    publishResults: true
```

**Integration:**
- Enable Defender for DevOps in Azure portal
- Configure organization-level policies
- Set up automated notifications
- Create security dashboards
- Establish remediation workflows

## Viewing Results

**In Pipeline:**
1. Navigate to pipeline run
2. Click "Scans" tab
3. Review findings by severity
4. Click findings for details and remediation

**In Defender for Cloud:**
1. Azure Portal → Defender for Cloud
2. DevOps Security
3. View findings across all pipelines
4. Filter by severity, project, repository
5. Track remediation progress

## Troubleshooting

**Common Issues:**

**MSDO task fails:**
```yaml
# Enable verbose logging
- task: MicrosoftSecurityDevOps@1
  env:
    MSDO_VERBOSE: true
  inputs:
    categories: 'all'
```

**False positives:**
Suppress findings with a `.gdnconfig` file in the repository root:
```json
{
  "tools": {
    "trivy": {
      "enabled": true,
      "severities": ["CRITICAL", "HIGH"]
    }
  }
}
```

**Performance:**
- Cache tool downloads
- Limit scan categories on branches
- Use parallel stages for large repos

## Resources

- [Microsoft Security DevOps Extension](https://learn.microsoft.com/azure/defender-for-cloud/azure-devops-extension)
- [Defender for DevOps Documentation](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-devops-introduction)
- [SARIF Format Specification](https://sarifweb.azurewebsites.net/)
- [Security Tools Integration](https://learn.microsoft.com/azure/defender-for-cloud/azure-devops-extension)