defender-for-devops
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinese🚨 CRITICAL GUIDELINES
🚨 重要指南
Windows File Path Requirements
Windows文件路径要求
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes () in file paths, NOT forward slashes ().
\/Examples:
- ❌ WRONG:
D:/repos/project/file.tsx - ✅ CORRECT:
D:\repos\project\file.tsx
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
强制要求:在Windows系统中使用文件路径时必须使用反斜杠(\)
在Windows系统中使用编辑或写入工具时,文件路径必须使用反斜杠(),而不能使用正斜杠()。
\/示例:
- ❌ 错误:
D:/repos/project/file.tsx - ✅ 正确:
D:\repos\project\file.tsx
此要求适用于:
- 编辑工具的file_path参数
- 写入工具的file_path参数
- Windows系统上的所有文件操作
Documentation Guidelines
文档指南
NEVER create new documentation files unless explicitly requested by the user.
- Priority: Update existing README.md files rather than creating new documentation
- Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
- Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
- User preference: Only create additional .md files when user specifically asks for documentation
除非用户明确要求,否则绝不创建新的文档文件。
- 优先级:优先更新现有的README.md文件,而非创建新文档
- 仓库整洁性:保持仓库根目录整洁 - 除非用户要求,否则仅保留README.md
- 风格:文档应简洁、直接且专业 - 避免AI生成的语气
- 用户偏好:仅在用户明确要求文档时,才创建额外的.md文件
Microsoft Defender for DevOps Integration
Microsoft Defender for DevOps 集成
Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.
将Microsoft Defender for Cloud安全扫描集成到Azure Pipelines的完整指南。
Overview
概述
Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:
- SAST: Static Application Security Testing
- Secret Detection: Identify hardcoded secrets and credentials
- Dependency Scanning: Vulnerable package detection
- IaC Scanning: Infrastructure as Code security analysis
- Container Scanning: Image vulnerability assessment with Trivy
Microsoft Security DevOps(MSDO)提供全面的安全扫描功能:
- SAST: 静态应用安全测试
- Secret Detection: 检测硬编码的密钥和凭据
- Dependency Scanning: 检测易受攻击的软件包
- IaC Scanning: 基础设施即代码(Infrastructure as Code)安全分析
- Container Scanning: 使用Trivy进行镜像漏洞评估
Microsoft Security DevOps Extension
Microsoft Security DevOps 扩展
Installation:
- Install from Azure DevOps Marketplace
- Configure in pipeline YAML
- View results in Scans tab
- Integrate with Defender for Cloud
Extension Capabilities:
- Converts results to SARIF format
- Displays findings in Scans tab
- Integrates multiple security tools
- Provides centralized security insights
安装步骤:
- 从Azure DevOps Marketplace安装
- 在流水线YAML中配置
- 在“扫描”标签页查看结果
- 与Defender for Cloud集成
扩展功能:
- 将结果转换为SARIF格式
- 在“扫描”标签页显示检测结果
- 集成多种安全工具
- 提供集中式安全洞察
YAML Integration
YAML集成
Basic MSDO Task
基础MSDO任务
yaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
stages:
- stage: Build
jobs:
- job: BuildAndScan
steps:
- task: UseDotNet@2
displayName: 'Install .NET SDK'
inputs:
version: '8.x'
- task: DotNetCoreCLI@2
displayName: 'Build Project'
inputs:
command: 'build'
projects: '**/*.csproj'
# Microsoft Security DevOps Scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Run Microsoft Security DevOps'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: false # Don't fail pipeline on findings
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
# Display results in Scans tab
- task: PostAnalysis@2
displayName: 'Post Analysis'
inputs:
break: falseyaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
stages:
- stage: Build
jobs:
- job: BuildAndScan
steps:
- task: UseDotNet@2
displayName: 'Install .NET SDK'
inputs:
version: '8.x'
- task: DotNetCoreCLI@2
displayName: 'Build Project'
inputs:
command: 'build'
projects: '**/*.csproj'
# Microsoft Security DevOps Scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Run Microsoft Security DevOps'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: false # Don't fail pipeline on findings
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
# Display results in Scans tab
- task: PostAnalysis@2
displayName: 'Post Analysis'
inputs:
break: falseAdvanced Configuration with Breaking Builds
含构建中断的高级配置
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scanning (Break on Critical)'
inputs:
# Scan categories
categories: 'secrets,code,dependencies,IaC,containers'
# Break build on severity
break: true
breakSeverity: 'critical' # Options: critical, high, medium, low
# Tool configuration
tools: 'all' # Or specific: 'credscan,eslint,trivy'
# Output configuration
publishResults: true
continueOnError: falseyaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scanning (Break on Critical)'
inputs:
# Scan categories
categories: 'secrets,code,dependencies,IaC,containers'
# Break build on severity
break: true
breakSeverity: 'critical' # Options: critical, high, medium, low
# Tool configuration
tools: 'all' # Or specific: 'credscan,eslint,trivy'
# Output configuration
publishResults: true
continueOnError: falseConditional Scanning
条件扫描
yaml
undefinedyaml
undefinedFull scan on main, quick scan on branches
Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1 displayName: 'Security Scan' inputs: categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}: value: 'secrets,code,dependencies,IaC,containers' ${{ else }}: value: 'secrets,code' break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
undefined- task: MicrosoftSecurityDevOps@1 displayName: 'Security Scan' inputs: categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}: value: 'secrets,code,dependencies,IaC,containers' ${{ else }}: value: 'secrets,code' break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
undefinedIntegrated Security Tools
集成的安全工具
1. Secret Scanning
1. 密钥扫描
Replaced: CredScan deprecated September 2023
Current: GitHub Advanced Security for Azure DevOps or MSDO secrets scanning
yaml
undefined替代说明: CredScan已于2023年9月弃用
当前方案: Azure DevOps的GitHub Advanced Security或MSDO密钥扫描
yaml
undefinedMSDO secrets scanning
MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1 inputs: categories: 'secrets' break: true # Always break on secrets
**Common secrets detected:**
- API keys and tokens
- Database connection strings
- Cloud provider credentials
- SSH private keys
- OAuth tokens- task: MicrosoftSecurityDevOps@1 inputs: categories: 'secrets' break: true # Always break on secrets
**常见检测到的密钥:**
- API密钥和令牌
- 数据库连接字符串
- 云服务商凭据
- SSH私钥
- OAuth令牌2. Static Code Analysis (SAST)
2. 静态代码分析(SAST)
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'SAST Scan'
inputs:
categories: 'code'
tools: 'eslint,bandit,semgrep'Supported languages:
- JavaScript/TypeScript (ESLint)
- Python (Bandit)
- Go (gosec)
- Java (SpotBugs)
- C# (.NET Security Guard)
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'SAST Scan'
inputs:
categories: 'code'
tools: 'eslint,bandit,semgrep'支持的语言:
- JavaScript/TypeScript(ESLint)
- Python(Bandit)
- Go(gosec)
- Java(SpotBugs)
- C#(.NET Security Guard)
3. Dependency Scanning
3. 依赖项扫描
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Dependency Scan'
inputs:
categories: 'dependencies'
tools: 'trivy,govulncheck'Detects:
- Known CVEs in dependencies
- Outdated packages
- License compliance issues
- Transitive vulnerabilities
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Dependency Scan'
inputs:
categories: 'dependencies'
tools: 'trivy,govulncheck'检测内容:
- 依赖项中的已知CVE漏洞
- 过时的软件包
- 许可证合规性问题
- 传递性漏洞
4. Infrastructure as Code (IaC) Scanning
4. 基础设施即代码(IaC)扫描
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'IaC Security Scan'
inputs:
categories: 'IaC'
tools: 'terrascan,checkov,templateanalyzer'Scans:
- Terraform configurations
- ARM templates
- Bicep files
- Kubernetes manifests
- CloudFormation templates
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'IaC Security Scan'
inputs:
categories: 'IaC'
tools: 'terrascan,checkov,templateanalyzer'扫描范围:
- Terraform配置
- ARM模板
- Bicep文件
- Kubernetes清单
- CloudFormation模板
5. Container Image Scanning
5. 容器镜像扫描
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Container Security Scan'
inputs:
categories: 'containers'
tools: 'trivy'Trivy scans for:
- OS vulnerabilities
- Application dependencies
- Misconfigurations
- Secrets in images
- License issues
yaml
- task: MicrosoftSecurityDevOps@1
displayName: 'Container Security Scan'
inputs:
categories: 'containers'
tools: 'trivy'Trivy扫描内容:
- 操作系统漏洞
- 应用程序依赖项
- 配置错误
- 镜像中的密钥
- 许可证问题
Integration with Defender for Cloud
与Defender for Cloud的集成
Enable Defender for DevOps
启用Defender for DevOps
yaml
undefinedyaml
undefinedPipeline automatically sends results to Defender for Cloud
Pipeline automatically sends results to Defender for Cloud
when MSDO extension is connected
when MSDO extension is connected
- task: MicrosoftSecurityDevOps@1 displayName: 'Scan and send to Defender' inputs: categories: 'all' publishResults: true
- task: MicrosoftSecurityDevOps@1 displayName: 'Scan and send to Defender' inputs: categories: 'all' publishResults: true
Results appear in:
Results appear in:
Defender for Cloud → DevOps Security → Findings
Defender for Cloud → DevOps Security → Findings
**Benefits:**
- Centralized security dashboard
- Cross-pipeline insights
- Compliance reporting
- Security trend analysis
- Integration with Azure Security Center
**优势:**
- 集中式安全仪表板
- 跨流水线洞察
- 合规性报告
- 安全趋势分析
- 与Azure安全中心集成Complete Security Pipeline Example
完整安全流水线示例
yaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
variables:
- name: breakOnCritical
value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
stages:
- stage: SecurityScan
displayName: 'Security Analysis'
jobs:
- job: StaticAnalysis
displayName: 'Static Security Analysis'
steps:
- checkout: self
fetchDepth: 1
# Install dependencies
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm ci
displayName: 'Install dependencies'
# Build application
- script: npm run build
displayName: 'Build application'
# Docker build for container scanning
- task: Docker@2
displayName: 'Build Docker image'
inputs:
command: 'build'
Dockerfile: 'Dockerfile'
tags: '$(Build.BuildId)'
# Comprehensive security scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Microsoft Security DevOps Scan'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: $(breakOnCritical)
breakSeverity: 'high'
tools: 'all'
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish SARIF Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
# Post-analysis with results
- task: PostAnalysis@2
displayName: 'Security Post Analysis'
inputs:
break: $(breakOnCritical)
# Generate security report
- script: |
echo "Security scan completed"
echo "Results available in Scans tab"
displayName: 'Security Summary'
condition: always()
- stage: Deploy
dependsOn: SecurityScan
condition: succeeded()
jobs:
- deployment: DeployApp
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying secure application"yaml
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
variables:
- name: breakOnCritical
value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
stages:
- stage: SecurityScan
displayName: 'Security Analysis'
jobs:
- job: StaticAnalysis
displayName: 'Static Security Analysis'
steps:
- checkout: self
fetchDepth: 1
# Install dependencies
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm ci
displayName: 'Install dependencies'
# Build application
- script: npm run build
displayName: 'Build application'
# Docker build for container scanning
- task: Docker@2
displayName: 'Build Docker image'
inputs:
command: 'build'
Dockerfile: 'Dockerfile'
tags: '$(Build.BuildId)'
# Comprehensive security scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Microsoft Security DevOps Scan'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: $(breakOnCritical)
breakSeverity: 'high'
tools: 'all'
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish SARIF Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
# Post-analysis with results
- task: PostAnalysis@2
displayName: 'Security Post Analysis'
inputs:
break: $(breakOnCritical)
# Generate security report
- script: |
echo "Security scan completed"
echo "Results available in Scans tab"
displayName: 'Security Summary'
condition: always()
- stage: Deploy
dependsOn: SecurityScan
condition: succeeded()
jobs:
- deployment: DeployApp
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying secure application"Advanced Security Features (Coming 2025)
2025年即将推出的高级安全功能
Roadmap features:
- Pull request build validation
- Break pipeline on alert severity
- Advanced Security dashboard
- Custom CodeQL queries
- Integration with GitHub Advanced Security
路线图功能:
- 拉取请求构建验证
- 根据警报严重程度中断流水线
- 高级安全仪表板
- 自定义CodeQL查询
- 与GitHub Advanced Security集成
GitHub Advanced Security for Azure DevOps
Azure DevOps的GitHub Advanced Security
Alternative to MSDO for secret scanning:
yaml
undefinedMSDO密钥扫描的替代方案:
yaml
undefinedRequires GitHub Advanced Security license
Requires GitHub Advanced Security license
Provides:
Provides:
- Secret scanning
- Secret scanning
- Code scanning with CodeQL
- Code scanning with CodeQL
- Dependency vulnerability alerts
- Dependency vulnerability alerts
- Security overview dashboard
- Security overview dashboard
Configuration in Azure DevOps organization settings
Configuration in Azure DevOps organization settings
Scans run automatically on commits and PRs
Scans run automatically on commits and PRs
undefinedundefinedBest Practices
最佳实践
Pipeline Security:
- Run security scans on every commit
- Break builds on critical/high severity findings
- Scan both code and dependencies
- Include IaC security validation
- Scan container images before push
- Review findings regularly
Configuration:
yaml
undefined流水线安全:
- 每次提交都运行安全扫描
- 检测到严重/高危问题时中断构建
- 同时扫描代码和依赖项
- 包含IaC安全验证
- 推送前扫描容器镜像
- 定期审查检测结果
配置:
yaml
undefinedRecommended configuration
Recommended configuration
- task: MicrosoftSecurityDevOps@1 inputs: categories: 'secrets,code,dependencies,IaC,containers' break: true breakSeverity: 'high' # Adjust based on risk tolerance publishResults: true
**Integration:**
- Enable Defender for DevOps in Azure portal
- Configure organization-level policies
- Set up automated notifications
- Create security dashboards
- Establish remediation workflows- task: MicrosoftSecurityDevOps@1 inputs: categories: 'secrets,code,dependencies,IaC,containers' break: true breakSeverity: 'high' # Adjust based on risk tolerance publishResults: true
**集成:**
- 在Azure门户中启用Defender for DevOps
- 配置组织级策略
- 设置自动通知
- 创建安全仪表板
- 建立修复工作流Viewing Results
查看结果
In Pipeline:
- Navigate to pipeline run
- Click "Scans" tab
- Review findings by severity
- Click findings for details and remediation
In Defender for Cloud:
- Azure Portal → Defender for Cloud
- DevOps Security
- View findings across all pipelines
- Filter by severity, project, repository
- Track remediation progress
在流水线中:
- 导航到流水线运行记录
- 点击“扫描”标签页
- 按严重程度查看检测结果
- 点击结果查看详情和修复建议
在Defender for Cloud中:
- Azure门户 → Defender for Cloud
- DevOps安全
- 查看所有流水线的检测结果
- 按严重程度、项目、仓库筛选
- 跟踪修复进度
Troubleshooting
故障排除
Common Issues:
MSDO task fails:
yaml
undefined常见问题:
MSDO任务失败:
yaml
undefinedEnable verbose logging
Enable verbose logging
- task: MicrosoftSecurityDevOps@1 env: MSDO_VERBOSE: true inputs: categories: 'all'
**False positives:**
```yaml- task: MicrosoftSecurityDevOps@1 env: MSDO_VERBOSE: true inputs: categories: 'all'
**误报:**
```yamlSuppress findings with .gdnconfig file
Suppress findings with .gdnconfig file
In repository root:
In repository root:
{
"tools": {
"trivy": {
"enabled": true,
"severities": ["CRITICAL", "HIGH"]
}
}
}
**Performance:**
- Cache tool downloads
- Limit scan categories on branches
- Use parallel stages for large repos{
"tools": {
"trivy": {
"enabled": true,
"severities": ["CRITICAL", "HIGH"]
}
}
}
**性能优化:**
- 缓存工具下载包
- 在分支上限制扫描类别
- 对大型仓库使用并行阶段