
Automate security scanning in Azure Dev(Sec)Ops in minutes

Introduction

GitHub Advanced Security (GHAS) for Azure DevOps has recently become generally available (official release). It bundles three scanners for your repositories: CodeQL code scanning, a Static Application Security Testing (SAST) engine that finds security vulnerabilities in your own code; secret scanning, which can stop developers from inadvertently pushing credentials; and dependency scanning, which flags known-vulnerable versions of the packages your project depends on (such as NuGet and npm packages).

With the example pipeline code below you will, within a few minutes, have a fully automated way to detect security issues in your code and reduce the risk of being hacked.

Do you need a SAST solution?

A SAST solution is used in the development/coding phase to analyze the application's source for security issues. It can be applied in several ways, e.g. by scanning new code before it is pushed into the repository (and blocking the push if the checks fail), by scanning each new commit to a branch, or by running a nightly scan.

Serious security flaws are found every day in the third-party software you use, and the advisories are public, so an attacker knows about them as soon as you could. If you don't update to a patched version, your software is vulnerable. So, yes! You need a SAST solution, together with the dependency scanning that comes with it.

How to get started?

I promised you to get started in a few minutes, so let’s dive right in.

  • Go to your Azure DevOps project as an administrator.
  • In Project settings, go to Repositories and select a repository. This example uses a repository with an open-source .NET library called Ipify.
  • Select the Settings tab, set Advanced Security to On, and check Block secrets on push (you don't want to upload/publish any API keys or similar by mistake). Store and access secrets through e.g. Azure Key Vault instead.
A few clicks are enough to enable Advanced Security in Azure DevOps.

Note: It’s also possible to set some extra (optional) related permission settings in the Security tab.

Open your IDE and add a new Azure DevOps Pipeline YAML file in the desired directory. I named it sec-scan-trigger.yml. Paste in the following content:

trigger:
  branches:
    include:
    - main

jobs:
- job: securityScanJob
  displayName: Scan Library
  pool:
    vmImage: windows-2022
  steps:

  # Initialize CodeQL for the languages in this repository. The
  # security-extended suite adds lower-precision security queries on top
  # of the default suite, so expect a few more (and noisier) findings.
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: csharp
      querysuite: 'security-extended'

  # Locate the .NET projects and build them so CodeQL can observe the
  # compilation (required for compiled languages such as C#).
  - task: AdvancedSecurity-Codeql-Autobuild@1

  # Check restored dependencies (NuGet, npm) against the GitHub Advisory
  # Database. Placed after the build so package restore has already run.
  - task: AdvancedSecurity-Dependency-Scanning@1

  # Run the CodeQL queries and publish the results to
  # Repos > Advanced Security.
  - task: AdvancedSecurity-Codeql-Analyze@1

This pipeline triggers on every new commit to main and consists of one job with four tasks.

  • The AdvancedSecurity-Codeql-Init task initializes the scanner. It has several input parameters; only two are used here. Since this repository contains C# code only, just the csharp language is configured. Other languages such as JavaScript, Python and Go are also supported, and several can be listed comma-separated. More information about the querysuite can be found here and here.
  • The AdvancedSecurity-Codeql-Autobuild task is really convenient: it searches for .NET projects and builds them. If your build needs special steps, use your own build tasks here instead; for compiled languages they must run between the Init and Analyze tasks so that CodeQL can observe the compilation.
  • The AdvancedSecurity-Dependency-Scanning task searches for known vulnerabilities in dependencies (e.g. NuGet and npm packages) using the GitHub Advisory Database. Keep it after the build step so that the restored packages are present to scan.
  • The AdvancedSecurity-Codeql-Analyze task runs the CodeQL queries and reports vulnerabilities and coding issues.

Commit your changes and push to the repository (any branch).

In Azure DevOps, create a new pipeline from the file you just pushed.

  • Go to the Pipelines menu and select the Pipelines sub-menu.
  • Press the New Pipeline button.
  • Select Azure Repos Git (YAML).
  • Select your repository.
  • Select Existing Azure Pipelines YAML file.
  • Select the branch and the path to your newly pushed sec-scan-trigger.yml file.
  • Press Continue.
  • Run the pipeline manually so you don't have to wait for the next commit to main before the first report appears.

You can now view the report in the Azure DevOps menu Repos > Advanced Security.

Security report for the scanned repository, easily available to all team members. It consists of a Dependencies tab, a Code scanning tab and a Secrets tab.

The alerts come with a good explanation:

The Ipify library had one vulnerability: an outdated NuGet package.

It is advisable to run this scanning in a dedicated pipeline, separate from your current CI/CD or Pull Request pipelines. The reason is that scanning a large .NET MVC application, which includes both C# and JavaScript code, may take up to an hour, while a smaller .NET micro-service can be scanned in just 10 minutes.

When utilizing the standard Microsoft-hosted agents and scanning a sizable repository, such as a mono-repo, you may encounter disk space limitations with the default scanning configuration. In such cases, you have to either split the security scanning into separate pipelines, split the mono-repo into multiple repositories (results in separate pipelines), or configure a self-hosted agent with a larger disk capacity.
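As an added example (not code from the article or from Microsoft), the following is what such a dedicated scan pipeline looks like for a repository that mixes C# and JavaScript: it runs nightly and on demand only, so it never slows the CI or Pull Request pipelines, and it replaces Autobuild with an explicit build step. The cron time, the solution glob, the job timeout and the language list are assumptions for the illustration; the task names and their inputs are the ones used in the pipeline above plus the standard DotNetCoreCLI task.

```yaml
# Added example: dedicated, scheduled Advanced Security scan (not the article's pipeline).
trigger: none   # do not run on every commit
pr: none        # do not run on pull requests

schedules:
- cron: '0 2 * * *'           # 02:00 UTC every day (assumed schedule)
  displayName: Nightly security scan
  branches:
    include:
    - main
  always: true                # scan even if main has not changed since last night

jobs:
- job: securityScanJob
  displayName: Scan mono-repo
  timeoutInMinutes: 120       # assumed; large repos can take well over an hour
  pool:
    vmImage: windows-2022
  steps:

  # Several languages are given as a comma-separated list. JavaScript needs
  # no build step; CodeQL extracts it directly from the source tree.
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: 'csharp,javascript'
      querysuite: 'security-extended'

  # Custom build instead of Autobuild. For C# the build must run between
  # Init and Analyze so that CodeQL can observe the compilation.
  - task: DotNetCoreCLI@2
    displayName: Build .NET solution
    inputs:
      command: 'build'
      projects: '**/*.sln'    # assumed solution location
      arguments: '--configuration Release'

  # After the build, so the restored NuGet packages are present to scan.
  - task: AdvancedSecurity-Dependency-Scanning@1

  - task: AdvancedSecurity-Codeql-Analyze@1
```

Because the pipeline has no commit trigger, create it once as described above and then let the schedule run it; the results still land in Repos > Advanced Security for the scanned branch. If a scan of a mono-repo runs out of disk on a hosted agent, this is also the pipeline to move to a self-hosted agent without touching the CI pipelines.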

Pricing

Microsoft’s pricing model for Advanced Security is based on the number of unique active committers within your repositories. Active committers are users who committed to an Advanced-Security-enabled repository in the last 90 days. The cost is a flat rate of USD 49 per active committer per month. Advanced Security is billed directly to the Azure subscription associated with your Azure DevOps organization. The cost is not per repository (the user cost is shared for the whole Azure DevOps organization subscription).

For open-source projects with hundreds or thousands of contributors, it will be expensive. But for smaller teams with a huge code base, it’s very cost effective. And you don’t need to spend time on patching or configuring a server.

Alternatives

GitHub Advanced Security is a robust choice, but it’s not the only option available. Numerous alternatives are available in NIST’s list of Source Code Security Analyzers. Your selection should align with the unique requirements of your company, project, and team to ensure the best fit for your specific needs.

Summary

GitHub Advanced Security for Azure DevOps is a good complement to e.g. SonarQube when it comes to security scanning. It provides advanced security analysis (using the semantic code analysis engine CodeQL) with minimal configuration in Azure DevOps.

Don't let your software run with publicly known security flaws: detect and fix them as soon as possible.


Improve your code quality through static code analysis

In our line of work, great code is a key factor for success. Quality coding speeds up your development and saves time and money.

There are multiple ways of improving your source code, from more education and training, applying a coding standard, code reviewing, and static code analysis to unit testing.

Hopefully all the above are already in place, but if you’re missing the static code analysis part or are interested in SonarQube as static code analysis tool, this article is for you.

SonarQube is a great tool for analysing and visualizing your code quality. It supports 27 programming languages (C, C++, C#, Python, Java, JavaScript et al) and offers both great overview and detailed information if needed – perfect for both managers and developers.

SonarQube Overview dashboard with helpful KPI’s (Key Performance Indicators).

If your project has been in a hectic release phase focused on delivering features rather than on design discussions, unit testing and refactoring, the KPIs on the SonarQube overview dashboard will probably show it. Examples of KPIs are Security Hotspots, technical debt (measured in time), number of bugs, number of code smells and duplicated code (measured in % and lines of code).

Pricing and hosting

Is SonarQube expensive? On the contrary, it's free in most cases. You can choose between using SonarCloud or hosting your own SonarQube server and database on-premises or in the cloud (e.g. in a virtual machine in Azure/GCP/AWS). In the latter case, costs for the virtual machine and database are added to your cloud bill. SonarCloud is free for public repositories but costs money for private/non-public ones.

SonarQube consists of a scanner that scans the source code, a server that receives the results, and a database. The scanner is preferably installed and run by your Continuous Integration (CI) and Pull/Merge Request pipelines. The token the scanner uses to authenticate to the server is a secret: keep it in the pipeline's secret store or service connection, never in the repository. If you choose to host your own server, remember that you are responsible for keeping the operating system, the SonarQube server and the database updated and secure.

It is also possible to integrate SonarQube into your IDE, such as Visual Studio Code or Visual Studio, to get real-time feedback (the IDE plugin is called SonarLint).

Example deployment diagram of self-hosted (on-premises or in the cloud) SonarQube.

If you choose SonarCloud you only need to install the scanner in the CI/Pull/Merge Request pipeline. The server part is managed by SonarSource (the company behind SonarQube/SonarCloud).
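To make the scanner part concrete, here is an added example of a scanner-only CI pipeline for a .NET solution against a self-hosted SonarQube server, written in the Azure Pipelines YAML used earlier on this page; it is not code from the article or from SonarSource. The service connection name, project key, project name and solution/test globs are assumptions; the SonarQube tasks, the MSBuild scanner mode and the coverlet coverage switches are standard. For SonarCloud the structure is the same with the SonarCloud tasks and the organization set in the prepare step.

```yaml
# Added example: SonarQube scan in a CI / Pull Request pipeline (not from the article).
trigger:
  branches:
    include:
    - main

pr:
- main

pool:
  vmImage: windows-2022

steps:
# Must run before the build: in MSBuild mode the scanner hooks into the
# compilation to collect the analysis data.
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'sonarqube-server'          # assumed service connection (holds the token)
    scannerMode: 'MSBuild'
    projectKey: 'my-dotnet-service'        # assumed project key
    projectName: 'My .NET Service'         # assumed project name
    extraProperties: |
      sonar.cs.opencover.reportsPaths=$(Agent.TempDirectory)/**/coverage.opencover.xml

- task: DotNetCoreCLI@2
  displayName: Build
  inputs:
    command: 'build'
    projects: '**/*.sln'                   # assumed solution location
    arguments: '--configuration Release'

# Coverage feeds the Coverage KPI on the dashboard; without it the quality
# gate's coverage-on-new-code condition has nothing to evaluate. The test
# task writes results under $(Agent.TempDirectory), matching the path above.
- task: DotNetCoreCLI@2
  displayName: Test with coverage
  inputs:
    command: 'test'
    projects: '**/*Tests.csproj'           # assumed test project naming
    arguments: '--configuration Release --no-build --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover'

# Finish the analysis and upload it to the server.
- task: SonarQubeAnalyze@5

# Wait for the server to compute the quality gate and show its status in
# the build summary, which is what a reviewer sees on the Pull Request.
- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'
```

Run on a Pull Request, the same pipeline analyzes only the changed code for the gate, so a long-lived project with old debt does not block every new PR; that is the property that makes it practical to introduce SonarQube into a code base that is already large.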

Below is an example of when SonarCloud is used for scanning the code in a Pull Request (on GitHub). The comment below is inserted as a comment into the Pull Request. The result can also be viewed with more details on SonarCloud.io.

A SonarCloud comment into a GitHub Pull Request (SonarCloud is free for public repositories).

Where to start the refactoring?

When it’s time to start refactoring the code, but you don’t know where to start, SonarQube will guide you. Under the Measures tab, there is a very nice graph of different files with reliability and security ratings. I usually start with the worst file.

Visualization of the worst of Reliability Rating and Security Rating per file.

Pimp your repo documentation with a badge

Brag about your top-notch code quality with an impressive and beautiful badge.

My SonarQube experience

At Wolfberry, we’ve used and installed SonarQube for many years, each time resulting in higher code quality. Both managers and developers have been very satisfied with the tool, and we have only received positive feedback.

If you don’t have a static code analysis tool today, we really recommend you start right away with SonarQube. If, however, you know of an even better tool, please drop us a message on LinkedIn.