DevOps Shield
An innovative cybersecurity platform for DevOps.
- Improve your DevOps security governance.
- Reduce your exposure to possible DevOps cyberattacks.
- Solve rising security and DevOps misconfiguration concerns.
- Generate DevOps security assessment reports.
DevOps Shield Security Scanner fills the gap between the DevSecOps and Cloud security governance solutions by hardening your Azure DevOps platform configuration and evaluating non-compliant DevOps resources.
DevOps Shield Security Scanner
An extension for Azure DevOps that adds a build task to run the DevOps Shield CLI
- Runs the DevOps Shield Docker container image
- Scans your Azure DevOps project and repository
- Evaluates 100+ DevOps Controls
- Exports the assessment results into SARIF and CSV formats
Usage
- Add the DevOpsShield-SecurityScanner build task to your YAML pipeline:

steps:
- task: DevOpsShield-SecurityScanner@1
- Run the pipeline, then view or download the assessment results.
View Results
To view the results of the scan, you can install the Azure DevOps extension SARIF SAST Scans Tab. It looks for *.sarif files in the CodeAnalysisLogs build artifact directory and displays them in the Scans tab of your pipeline run.
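Besides viewing the report, you may want the pipeline to fail when the scan reports non-compliant controls. The following is an added example, not DevOps Shield's own code: it reads the standard SARIF 2.1.0 layout (runs[].results[].level) that the scanner exports into the CodeAnalysisLogs artifact and decides whether a gate step should fail; the rule ids and messages in SAMPLE_SARIF are constructed placeholders, and the level ranking and the "warning" default for a missing level are the example's own assumptions.

```python
"""Summarise a DevOps Shield SARIF report and decide whether a pipeline gate should fail.

Added example, not DevOps Shield's own code. Uses the standard SARIF 2.1.0 layout
(runs[].results[].level / ruleId / message.text); the rule ids and messages in
SAMPLE_SARIF are constructed placeholders, not real DevOps Shield controls.
"""
import json
from collections import Counter
from pathlib import Path

# Constructed sample of what a CodeAnalysisLogs/*.sarif file could contain.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "DevOps Shield"}},
        "results": [
            {"ruleId": "DOS-EXAMPLE-001", "level": "error",
             "message": {"text": "placeholder: non-compliant control"}},
            {"ruleId": "DOS-EXAMPLE-002", "level": "warning",
             "message": {"text": "placeholder: review recommended"}},
            {"ruleId": "DOS-EXAMPLE-003", "level": "note",
             "message": {"text": "placeholder: informational"}},
        ],
    }],
})

# Assumed ranking of SARIF levels, lowest to highest.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def summarise(sarif_text: str) -> Counter:
    """Count results per SARIF level across all runs (absent level counted as 'warning')."""
    counts: Counter = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts


def gate(counts: Counter, fail_on: str = "error") -> bool:
    """True when the pipeline should fail: any result at or above the fail_on level."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK.get(level, 0) >= threshold and n > 0
               for level, n in counts.items())


def scan_directory(directory: str, fail_on: str = "error") -> bool:
    """Gate over every *.sarif file in a directory such as the CodeAnalysisLogs artifact."""
    total: Counter = Counter()
    for path in Path(directory).glob("*.sarif"):
        total.update(summarise(path.read_text(encoding="utf-8")))
    return gate(total, fail_on)
```

In a pipeline, call scan_directory on $(Build.ArtifactStagingDirectory) from a script step after the scan and exit non-zero when it returns True.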
Scheduled Pipeline
- For continuous security assurance, schedule the pipeline. For instance, the following pipeline performs a DevOps Shield Security Scan every 8 hours:

trigger: none
# YAML file in the main branch
schedules:
- cron: "0 */8 * * *"
  displayName: Run a DevOps Shield Security Scan every 8 hours
  branches:
    include:
    - main
  always: true
pool:
  vmImage: ubuntu-latest
steps:
- task: DevOpsShield-SecurityScanner@1
Alternative Approach
If you cannot install the Azure DevOps extension and want to run the DevOps Shield CLI directly in your YAML pipeline, add the following tasks:

trigger: none
pool:
  vmImage: ubuntu-latest
jobs:
- job:
  displayName: 'DevOps Shield Security Scanner'
  steps:
  - checkout: self
  - task: CmdLine@2
    inputs:
      script: |
        # Mount the artifact staging directory so the report lands where it will be published.
        # The job access token is handed to the container; its permissions follow the pipeline's job authorization scope.
        docker run --name devopsshield \
          -v "$(Build.ArtifactStagingDirectory):/devopsshield" \
          --rm -t \
          -e dosOrganizationName=$(System.CollectionUri) \
          -e dosPatToken=$(System.AccessToken) \
          devopsshield/devopsshield
    displayName: "Run DevOps Shield Security Scanner"
  - task: PublishBuildArtifacts@1
    inputs:
      ArtifactName: 'CodeAnalysisLogs'
    displayName: 'Publish DevOps Shield Security Scanner Report'
If running on a Windows agent, you can use the following pipeline:

trigger: none
pool:
  vmImage: windows-latest
jobs:
- job:
  displayName: 'DevOps Shield Security Scanner'
  steps:
  - checkout: self
  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        # Windows container image: the volume is mounted at a Windows path inside the container.
        docker run --name devopsshield `
          -v "$(Build.ArtifactStagingDirectory):C:/devopsshield" `
          --rm -t `
          -e dosOrganizationName=$(System.CollectionUri) `
          -e dosPatToken=$(System.AccessToken) `
          devopsshield/devopsshield:latest-nanoserver-ltsc2022
      pwsh: true
    displayName: "Run DevOps Shield Security Scanner"
  - task: PublishBuildArtifacts@1
    inputs:
      ArtifactName: 'CodeAnalysisLogs'
    displayName: 'Publish DevOps Shield Security Scanner Report'
- DevOps Shield on Docker Hub
- DevOps Shield YouTube Channel
- Live Demo - demo.devopsshield.com