Compliance for Exposed Secrets Discovered by Defender for DevOps

Posted by

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Compliance for Exposed Secrets Discovered by Defender for DevOps

 

Azure Policy helps enforce organizational standards and assess compliance at-scale. You can now create a custom Azure Policy to add DevOps security to your centralized compliance dashboards.  This blog walks through creating a custom Azure Policy that leverages the Defender for DevOps Recommendation in MDC called “Secret scanning findings should be resolved.” This policy gives Security and Compliance Teams visibility into discovered secrets found in both Azure DevOps and GitHub repositories that have been onboarded to Microsoft Defender for Cloud.

 

Objectives:

  • Create a custom AuditIfNotExist Azure Policy
  • Visualize the custom policy in the Compliance view in Azure Policy

Prerequisites:

  • Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub) 
  • If your SCMS is Azure DevOps: configure the Microsoft Security DevOps ADO extension to scan for credentials
  • If your SCMS is GitHub: enable secret scanning in GitHub Advanced Security

 

Create a Custom Azure Compliance Policy for Exposed Secrets

  1. Navigate to Azure Policy
  2. Click Definitions
  3. Click + Policy definition
  4. For Definition location, choose a subscription or management group
  5. For Name, type code repositories should have secret scanning findings resolved
  6. Type a Description, such as: Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach.
  7. For Category, click Create new, then type DevOps Security
  8. For Policy Rule, cut and paste the following JSON:

 

 

 

{
  "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos",
          "Microsoft.SecurityDevOps/githubConnectors/owners/repos"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  }

 

 

 

 

For more information on Azure Policy definition structure, effects, scope, and more, review this documentation.

 

The policy we just created uses the assessment ID for the Defender for DevOps Recommendation in MDC called “Code repositories should have secret scanning findings resolved” to determine whether there are any resources that are not NotApplicable or Healthy and that have the field type Microsoft.SecurityDevOps/azuredevopsConnectors/orgs/projects/repos or

Microsoft.SecurityDevOps/githubConnectors/owners/repos.  If the policy finds an Unhealthy status code, that repository will be flagged as non-compliant because a secret was discovered.

 

  1. Click Save
  2. Navigate to Azure Policy
  3. Click Assignments
  4. Click Assign Policy
  5. For Scope, choose the subscription that has your connector or a top-level management group
  6. For Policy definition, choose code repositories should have secret scanning findings resolved
  7. Click Review + create
  8. Click Create
  9. Click Compliance
  10. Find the policy and click on it to view details

The custom Policy gives you reporting capabilities on both compliant and non-compliant repositories.

It should look like the following in the Policy Compliance details:

George__Wilburn_0-1664150523498.png

 

Conclusion

To review, we’ve walked through setting up a custom Azure Policy to audit repositories against an MDC assessment that finds exposed secrets.  We assigned the policy to a subscription and visualized the results in Azure Policy’s centralized Compliance view.  This helps Compliance Managers, Security Operators, and Governance Teams identify non-compliant repositories across connected DevOps environments. You can then use Azure Policy reporting on these discovered secrets to implement governance for resource consistency, regulatory compliance, security, and management.

 

Additional Resources

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.