
DevSecOps With Microsoft Security Code Analysis Extension

Security scanning is one of the most important parts of DevSecOps practice. DevSecOps is about taking application and infrastructure security aspects into account. It also means automating security check gates to keep the DevOps workflow healthy. There are many different tools available for applying security scanning in the DevOps cycle, and one of them will soon be generally available: the Microsoft Security Code Analysis Extension. I had the pleasure of accessing the preview version and running some tests to check what can be done with this extension for Azure DevOps from Microsoft.

What is possible with Microsoft Security Code Analysis Extension?

The Microsoft Security Code Analysis extension makes the latest versions of important analysis tools readily available. This means that if there is an updated version of a tool, you don't need to download and install it manually; the extension takes care of the updates.

The extension's build tasks hide the complexities of:

- Running security static-analysis tools.
- Processing the results from log files to create a summary report or break the build.

Available tools

The list below contains the tools that are currently available in the extension. More tools are expected to be added in the future.

Anti-Malware Scanner

The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis extension. This task must be run on a build agent that has Windows Defender already installed. For more information, see the Windows Defender website.

BinSkim

BinSkim is a lightweight Portable Executable (PE) scanner that validates compiler settings, linker settings, and other security-relevant characteristics of binary files. This build task provides a command-line wrapper around the binskim.exe console application. BinSkim is an open-source tool. For more information, see BinSkim on GitHub.

Credential Scanner

Passwords and other secrets stored in source code are a significant problem. Credential Scanner is a proprietary static-analysis tool that helps solve this problem. The tool detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.

Microsoft Security Risk Detection

Microsoft Security Risk Detection (MSRD) is a cloud-based service for fuzz testing. It identifies exploitable security bugs in software. This service requires a separate subscription and activation. For more information, see the MSRD Developer Center.

Roslyn Analyzers

Roslyn Analyzers is Microsoft's compiler-integrated tool for statically analyzing managed C# and Visual Basic code. For more information, see Roslyn-based analyzers.

TSLint

TSLint is an extensible static-analysis tool that checks TypeScript code for readability, maintainability, and errors in functionality. It is widely supported by modern editors and build systems. You can customize it with your own lint rules, configurations, and formatters. TSLint is an open-source tool. For more information, see TSLint on GitHub.

Analysis results

Once the above tasks are added to the pipeline, it is easy to access the analysis results. The Microsoft Security Code Analysis extension also has three post-processing tasks.

Publish Security Analysis Logs

The Publish Security Analysis Logs build task preserves the log files of the security tools that are run during the build. You can read these logs for investigation and follow-up.

You can publish the log files to Azure Artifacts as a .zip file. You can also copy them to an accessible file share from your private build agent.

Security Report

The Security Report build task parses the log files. These files
are created by the security tools that run during the build.
The build task then creates a single summary report file. This
file shows all issues found by the analysis tools.

You can configure this task to report results for specific tools
or for all tools. You can also choose what issue level to report,
like errors only or both errors and warnings.

Post-Analysis (build break)

With the Post-Analysis build task, you can inject a build break
that purposely causes a build to fail. You inject a build break if
one or more analysis tools report issues in the code.

You can configure this task to break the build for issues found
by specific tools or all tools. You can also configure it based
on the severity of issues found, such as errors or warnings.

How to add a Microsoft Security Code Analysis Extension task?

Adding Microsoft Security Code Analysis tools to the Azure DevOps CI pipeline is as simple as adding any other new task. Once a task is added, it is possible to use its default configuration or customize it.

Enable Microsoft Security Code Analysis Extension in Azure DevOps

At the moment of writing this article the extension is in preview. If you would like to enable it for your Azure DevOps organization, please use this contact e-mail: sdt-vsts@microsoft.com. You can find details under this link.

Installation steps

First we have to install the extension. To do it, sign in to your Azure DevOps organization and select "Manage extensions" as presented below:

Open the "Shared" extensions section and click the "Install" button:

That's it! Now we are ready to start using the Microsoft Security Code Analysis Extension. Adding Microsoft Security Code Analysis tools to the Azure DevOps CI pipeline is as simple as adding any other new task. Once a task is added, it is possible to use its default configuration or customize it.

Example with scanning an ASP.NET Core Web API

Below I present the integration of the extension installed in my Azure DevOps organization and the analysis results of my tests.

I created a sample ASP.NET Core Web API application and wanted to check the Credential Scanner task. To do it, I hard-coded a database connection string in the "appsettings.json" file. Below I present step by step how I integrated the task.
{
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DbContext": "Server=(localdb)\\mssqllocaldb;Database=CarsIsland;username=daniel;password=test1234;Trusted_Connection=True;"
  }
}

I used a YAML build definition in this case.

Add Credential Scanner task

In the build pipeline definition I added "Credential Scanner"; it can be found with the search box:

I selected the default setup for this task:


Add Security Analysis Report task

Then I added a task for creating a single summary report file based on the scanning from the previous task (above).

Add Publish Security Analysis Logs task

This task enables publishing the log files to Azure Artifacts as a .zip file. With this task I was able to download an HTML report about the scanning analysis.

Add Post-Analysis (build break) task

This task enables breaking the build if one or more analysis tools reported issues in the code.

Queue the build and check the result

Once I queued the build, it was broken by the "Post-Analysis" task because credentials were found:

When I opened the details of this task, there was clear information about where the credentials were detected:

Download and open full report

It is great that a ready report is prepared and can be downloaded:

Once I downloaded it, I opened the HTML file with the report:

As you can see, clear information was provided about where credentials were used in the source code:

ConfigFile  See appsettings.json line 9 for the code resulting in match  Found password, symmetric key or storage credential in source file.

What is more, when I clicked the "View" button, a new tab was opened with the place in the source code repository where the credentials were detected:

This is the whole YAML build pipeline definition I have:
# ASP.NET Core
# Build and test ASP.NET Core projects targeting .NET Core.
# Add steps that run tests, create a NuGet package, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/dotnet-core

trigger:
- master

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'

steps:
- task: DotNetCoreCLI@2
  displayName: 'Restore project dependencies'
  inputs:
    command: 'restore'
    projects: '**/*.csproj'

- task: MSBuild@1
  inputs:
    solution: '**/*.sln'

- task: CredScan@2

- task: RoslynAnalyzers@2
  inputs:
    userProvideBuildInfo: 'auto'

- task: SdtReport@1
  inputs:
    TsvFile: false
    AllTools: false
    BinSkim: false
    CredScan: true
    MSRD: false
    RoslynAnalyzers: true
    RoslynAnalyzersBreakOn: 'WarningAbove'
    TSLint: false
    ToolLogsNotFoundAction: 'Standard'

- task: PublishSecurityAnalysisLogs@2
  inputs:
    ArtifactName: 'CodeAnalysisLogs'
    ArtifactType: 'Container'
    AllTools: true
    ToolLogsNotFoundAction: 'Standard'

- task: PostAnalysis@1
  inputs:
    AllTools: false
    BinSkim: false
    CredScan: true
    RoslynAnalyzers: true
    RoslynAnalyzersBreakOn: 'Error'
    TSLint: false
    ToolLogsNotFoundAction: 'Standard'

- task: DotNetCoreCLI@2
  displayName: 'dotnet publish'
  inputs:
    command: 'publish'
    publishWebProjects: true
    arguments: '--configuration $(BuildConfiguration) --output $(Build.ArtifactStagingDirectory)'
    zipAfterPublish: True

- task: PublishBuildArtifacts@1
  displayName: 'publish artifacts'
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'

You will notice that there is also a "Roslyn Analyzers" task, which I added to do some static code analysis.
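To make the walkthrough above concrete, here is an added example (not part of the original article and not the extension's own code) that reproduces the two behaviours it relies on: a credential check over the appsettings.json from the article, which reports the same "line 9" hit that the Security Report showed, and a Post-Analysis-style gate that returns a non-zero exit code to break the build. The rule set, the "#{Name}#" and "$(Name)" placeholder convention and the remediated settings file are all assumptions made for the example.

```python
import json
import re
from typing import List, Tuple

# Constructed sample: the appsettings.json from the article, laid out so that the
# connection string sits on line 9, exactly where the Credential Scanner report pointed.
INSECURE_APPSETTINGS = r"""{
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DbContext": "Server=(localdb)\\mssqllocaldb;Database=CarsIsland;username=daniel;password=test1234;Trusted_Connection=True;"
  }
}"""

# Constructed remediation: integrated authentication for the local database, and a
# deploy-time token (assumed "#{Name}#" convention) where a password is unavoidable.
FIXED_APPSETTINGS = r"""{
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DbContext": "Server=(localdb)\\mssqllocaldb;Database=CarsIsland;Trusted_Connection=True;",
    "Reporting": "Server=tcp:db.example;Database=Reports;User ID=app;Password=#{ReportingDbPassword}#;"
  }
}"""

# Connection-string keys whose literal values count as a credential
# (hypothetical rule set; the real Credential Scanner rules are proprietary).
SECRET_KEY = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)\s*=\s*([^;\"]*)")

def scan_appsettings(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for each credential literal, like the 'line 9' hit in the report."""
    json.loads(text)  # fail loudly on a malformed settings file instead of silently scanning nothing
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY.finditer(line):
            value = match.group(2).strip()
            # Empty values and deploy-time tokens ("#{Name}#" or "$(Name)") are not secrets.
            if value and not (value.startswith("#{") or value.startswith("$(")):
                findings.append((lineno, match.group(1).lower()))
    return findings

def post_analysis_exit_code(findings: List[Tuple[int, str]], path: str = "appsettings.json") -> int:
    """Mirror the Post-Analysis task: one report line per finding, exit code 1 breaks the build."""
    for lineno, key in findings:
        print(f"ConfigFile: see {path} line {lineno} for the code resulting in match ({key}=...)")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(post_analysis_exit_code(scan_appsettings(INSECURE_APPSETTINGS)))
```

Run against the article's settings file the script exits with code 1 and names line 9; against the remediated file it exits with 0, which is the outcome you want from the same gate in the pipeline.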

Summary

In this article I presented the Microsoft Security Code Analysis Extension, which enables security scanning in CI pipelines. This extension is an important part of the DevSecOps flow and will definitely be worth trying once it is generally available. If you would like to read more about Security Engineering, I recommend visiting the Microsoft Security Development Lifecycle (SDL) website. If you would like to read more about the extension, there is official documentation available.
