Secure DevOps Kit for Azure (AzSK) - CICD VSTS extension

The CICD Extension from the Secure DevOps Kit for Azure (AzSK) contains two tasks:

• ARM Template Checker - a task that can check security settings in ARM templates and
• Security Verification Tests (SVTs) - a task that can check deployed resources for secure configuration

These capabilities exist in the DevOps Kit PowerShell module (AzSK) as cmdlets viz. 'Get-AzSKARMTemplateSecurityStatus' and 'Get-AzSKAzureServiceSecurityStatus' respectively. These cmdlets can be run manually by developers on their individual machines. However, if configured in the CICD pipeline as pre-deploy/release tasks, teams can ensure that insecurely configured resources are not created via pipeline-based deployments (via the ARM Template Checker task) and security of deployed/existing resources does not regress (via the SVTs task). In this way, the extension provides a way to inject pre- and post-deployment secure configuration checks for cloud resources inside the CICD pipeline.

The ARM Template Checker task should be included as a pre-deployment check in a pipeline that creates ARM resources. If the ARM Template Checker identifies security issues in the ARM templates used for the deployment, then the deployment will not succeed.

Likewise, the SVTs task can be run against a target deployment and, upon completion, it will report the pass/fail status for controls along with aggregate control results. Thus a team can decide to fail/hold the release until the issues are resolved and the SVTs extension passes all security controls. Outcomes of the control scans from the SVTs task can also be routed to an OMS workspace configured to receive various events generated by the AzSK.

For more information on how to use the AzSK VSTS Extension, please refer the docs here.