Compliance for Exposed Secrets Discovered by Defender for DevOps

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.


Azure Policy helps enforce organizational standards and assess compliance at scale. You can now create a custom Azure Policy to add DevOps security to your centralized compliance dashboards. This blog walks through creating a custom Azure Policy that leverages the Defender for DevOps Recommendation in MDC called “Secret scanning findings should be resolved.” This policy gives Security and Compliance Teams visibility into secrets discovered in both Azure DevOps and GitHub repositories that have been onboarded to Microsoft Defender for Cloud.

Objectives:

  • Create a custom AuditIfNotExist Azure Policy
  • Visualize the custom policy in the Compliance view in Azure Policy

Prerequisites:

  • Connector provisioned in MDC to your Source Code Management System (SCMS), such as Azure DevOps or GitHub
  • If your SCMS is Azure DevOps: configure the Microsoft Security DevOps ADO extension to scan for credentials
  • If your SCMS is GitHub: enable secret scanning in GitHub Advanced Security

Create a Custom Azure Compliance Policy for Exposed Secrets

  1. Navigate to Azure Policy
  2. Click Definitions
  3. Click + Policy definition
  4. For Definition location, choose a subscription or management group
  5. For Name, type code repositories should have secret scanning findings resolved
  6. Type a Description, such as: Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach.
  7. For Category, click Create new, then type DevOps Security
  8. For Policy Rule, paste the following JSON:

{
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos",
        "Microsoft.SecurityDevOps/githubConnectors/owners/repos"
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27",
        "existenceCondition": {
          "field": "Microsoft.Security/assessments/status.code",
          "in": [
            "NotApplicable",
            "Healthy"
          ]
        }
      }
    }
  }
}

For more information on Azure Policy definition structure, effects, scope, and more, review the Azure Policy definition structure documentation.

The policy we just created uses the assessment ID of the Defender for DevOps Recommendation in MDC called “Code repositories should have secret scanning findings resolved” (the assessment name 4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27 in the JSON above). For every resource whose type is Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos or Microsoft.SecurityDevOps/githubConnectors/owners/repos, the AuditIfNotExists effect checks whether that assessment exists with a status code of NotApplicable or Healthy. If the assessment's status code is Unhealthy instead, nothing satisfies the existence condition, and the repository is flagged as non-compliant because a secret was discovered.

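To make the AuditIfNotExists decision concrete, the following is an added example (not code from the post or from Microsoft) that models how the effect evaluates the definition above against a constructed inventory of repositories. It is a deliberately simplified model of Azure Policy's evaluation, not the real policy engine, and it goes slightly beyond the post by also showing what happens when a repository has no assessment at all and when the effect parameter is set to Disabled. Resource ids and assessment statuses are constructed sample data; the policy JSON is the one from the post, embedded as a Python dict.

```python
from typing import Dict, List, Optional

# Assumption: a simplified model of Azure Policy's AuditIfNotExists evaluation, written for this
# example only. It reproduces just the decision logic needed to understand the existenceCondition.

# The policy definition from the post, as a Python dict.
POLICY_DEFINITION = {
    "parameters": {"effect": {
        "type": "String",
        "metadata": {"displayName": "Effect",
                     "description": "Enable or disable the execution of the policy"},
        "allowedValues": ["AuditIfNotExists", "Disabled"],
        "defaultValue": "AuditIfNotExists"}},
    "policyRule": {
        "if": {"field": "type", "in": [
            "Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos",
            "Microsoft.SecurityDevOps/githubConnectors/owners/repos"]},
        "then": {"effect": "[parameters('effect')]", "details": {
            "type": "Microsoft.Security/assessments",
            "name": "4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27",
            "existenceCondition": {"field": "Microsoft.Security/assessments/status.code",
                                   "in": ["NotApplicable", "Healthy"]}}}}}

ASSESSMENT_NAME = POLICY_DEFINITION["policyRule"]["then"]["details"]["name"]

# Constructed sample inventory (not real Azure data). Each entry is a repository resource as the
# policy engine would see it, plus the Microsoft.Security/assessments sub-resources that exist
# for it, keyed by assessment name. Resource ids are shortened placeholders.
SAMPLE_RESOURCES: List[dict] = [
    {"id": "ado-org/proj/payments-api",
     "type": "Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos",
     "assessments": {ASSESSMENT_NAME: {"status": {"code": "Unhealthy"}}}},   # secret found
    {"id": "github-owner/docs-site",
     "type": "Microsoft.SecurityDevOps/githubConnectors/owners/repos",
     "assessments": {ASSESSMENT_NAME: {"status": {"code": "Healthy"}}}},
    {"id": "ado-org/proj/archived-tools",
     "type": "Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos",
     "assessments": {ASSESSMENT_NAME: {"status": {"code": "NotApplicable"}}}},
    {"id": "github-owner/new-service",
     "type": "Microsoft.SecurityDevOps/githubConnectors/owners/repos",
     "assessments": {}},   # onboarded, but MDC has not published the assessment yet
    {"id": "rg/storageaccount01",
     "type": "Microsoft.Storage/storageAccounts",
     "assessments": {}},   # not a code repository: the "if" block never selects it
]


def matches_if_block(condition: dict, resource: dict) -> bool:
    """Evaluate the 'if' block. Only the 'field' + 'in' form used by this policy is modelled."""
    return resource.get(condition["field"]) in condition["in"]


def field_from_alias(alias: str, resource_type: str, related: dict):
    """Resolve an alias such as 'Microsoft.Security/assessments/status.code' against a related
    resource: strip the type prefix, then walk the dotted property path."""
    prefix = resource_type + "/"
    if not alias.startswith(prefix):
        raise ValueError(f"alias {alias!r} does not belong to type {resource_type!r}")
    value = related
    for part in alias[len(prefix):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def existence_condition_met(details: dict, resource: dict) -> bool:
    """AuditIfNotExists is satisfied only when the related resource named details['name']
    exists AND passes existenceCondition, so a missing assessment fails as well."""
    related = resource["assessments"].get(details["name"])
    if related is None:
        return False
    cond = details["existenceCondition"]
    return field_from_alias(cond["field"], details["type"], related) in cond["in"]


def evaluate(policy: dict, resources: List[dict], effect: Optional[str] = None) -> Dict[str, str]:
    """Return {resource id: 'Compliant' | 'NonCompliant'} for every resource the 'if' block
    selects. Other resource types are not evaluated; a Disabled effect evaluates nothing."""
    effect_param = policy["parameters"]["effect"]
    chosen = effect or effect_param["defaultValue"]
    if chosen not in effect_param["allowedValues"]:
        raise ValueError(f"effect {chosen!r} is not an allowed value")
    if chosen == "Disabled":
        return {}
    rule = policy["policyRule"]
    results: Dict[str, str] = {}
    for res in resources:
        if matches_if_block(rule["if"], res):
            ok = existence_condition_met(rule["then"]["details"], res)
            results[res["id"]] = "Compliant" if ok else "NonCompliant"
    return results


def non_compliant_repos(policy: dict = POLICY_DEFINITION,
                        resources: List[dict] = SAMPLE_RESOURCES) -> List[str]:
    """The list a compliance reviewer acts on: repositories the policy flags."""
    return sorted(rid for rid, state in evaluate(policy, resources).items()
                  if state == "NonCompliant")
```

Running `evaluate(POLICY_DEFINITION, SAMPLE_RESOURCES)` marks the repository with an Unhealthy assessment as NonCompliant, the Healthy and NotApplicable ones as Compliant, and ignores the storage account entirely. Note the fourth case: a repository that matches the type filter but has no assessment resource yet is also NonCompliant, because AuditIfNotExists requires the related resource to exist, not merely to avoid an Unhealthy status. That is worth remembering when reading the Compliance view shortly after onboarding a connector, before MDC has published its first assessment.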

  1. Click Save
  2. Navigate to Azure Policy
  3. Click Assignments
  4. Click Assign Policy
  5. For Scope, choose the subscription that has your connector or a top-level management group
  6. For Policy definition, choose “code repositories should have secret scanning findings resolved”
  7. Click Review + create
  8. Click Create
  9. Click Compliance
  10. Find the policy and click on it to view details

The custom Policy gives you reporting capabilities on both compliant and non-compliant repositories.

It should look like the following in the Policy Compliance details:

[Screenshot: Policy Compliance details view for the custom policy]


Conclusion

In summary, we have walked through setting up a custom Azure Policy to audit repositories against an MDC assessment that finds exposed secrets. We assigned the policy to a subscription and visualized the results in Azure Policy’s centralized Compliance view. This helps Compliance Managers, Security Operators, and Governance Teams identify non-compliant repositories across connected DevOps environments. You can then use Azure Policy reporting on these discovered secrets to implement governance for resource consistency, regulatory compliance, security, and management.
