This document discusses using DevOps and security/compliance features in Azure to ensure automated deployments follow rules and policies. It recommends using Azure Pipelines and Azure Policy to check for policy compliance during deployment and deny deployment if policies are not met. It also suggests using extensions to scan for vulnerabilities and license issues, and tracking deployments in the audit log or exporting it to other services like Logic Apps for record keeping.
2. Who am I?
personal:
name: KAMEGAWA Kazushi (Last-First)
alias: kkamegawa
community:
MVP: Microsoft MVP for Developer Technologies (2009-)
Users Group: Team Foundation Server Users Group
URL: https://dev.azure.com/tfsug/tfsuginfo
Blog:
URL: https://kkamegawa.hatenablog.jp
devblog radio: https://devblog.connpass.com/
12. Compliance and Security for CI/CD
DO NOT deploy a non-compliant environment.
Track when it is deployed.
Make deployments follow the rules of the deployment procedure.
Perform a vulnerability check.
13. Collaborate Azure Pipelines and Azure Policy
1. Check the policy when deploying artifacts.
2. Deploy if the policy is satisfied.
3. Deny if the policy is not satisfied.
14. Define Azure Policy (sample)
Azure Policy | Microsoft Docs
Define the Azure Policy at the resource group or subscription scope.
The policy is evaluated over a period.
It seems the policy is not evaluated immediately from Pipelines.
15. Evaluate deployments with Azure Policy.
Policy is satisfied
(deploy goes ahead)
Policy is not satisfied
(can't deploy)
16. Azure Pipelines and Azure Policy
The Azure Policy task only supports Classic Release.
But Pipelines support a mix: the build definition is YAML, the release is Classic.
21. Azure Pipelines and Container registry
mcr.microsoft.com
malware.example.com
ghcr.io/xxxxx
Artifact policy checks | Microsoft Docs
Don't use Environments to deploy anything other than images from specific allowed container registries.
Queries are written in a language called Rego.
There is a template that you can use to start with.
23. Define in Azure Pipelines
Unknown
Container Image Environment
Deployment fails when a container image from a registry other than mcr.microsoft.com is used.
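The registry allow-list rule from slides 21 and 23, as an added illustration of the check's logic in Python; this is not the Rego artifact policy from the Azure docs, and the allow-list and image references are constructed samples:

```python
# Allow-list check for container image references, mirroring the rule
# "only deploy images from specific allowed registries". Added example;
# the real Azure Pipelines artifact policy check is written in Rego.
from typing import List, Tuple

# Constructed sample allow-list: only Microsoft Container Registry.
ALLOWED_REGISTRIES = {"mcr.microsoft.com"}


def registry_of(image_ref: str) -> str:
    """Return the registry host of an image reference.

    Follows the Docker reference rules: the first path component is a
    registry only if it contains '.' or ':' or equals 'localhost';
    otherwise the image lives on Docker Hub (docker.io).
    """
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def evaluate(image_refs: List[str], allowed=ALLOWED_REGISTRIES) -> Tuple[bool, List[str]]:
    """Return (deploy_allowed, reasons) for all images in an artifact.

    As with the artifact policy check, one image from a registry that is
    not on the allow-list denies the whole deployment.
    """
    reasons = []
    for ref in image_refs:
        reg = registry_of(ref)
        if reg not in allowed:
            reasons.append(f"{ref}: registry {reg} is not on the allow-list")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed examples using the three registries shown on the slide.
    ok, why = evaluate(["mcr.microsoft.com/dotnet/aspnet:6.0"])
    print("deploy" if ok else "deny", why)
    ok, why = evaluate(["mcr.microsoft.com/dotnet/aspnet:6.0",
                        "malware.example.com/app:latest",
                        "ghcr.io/example-org/tool:1.0"])
    print("deploy" if ok else "deny", why)
```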
24. Creating pipelines on your own will cause problems.
Service connection: limit the pipelines that can reference it.
Prepare a YAML template that defines the deployment environment, manage it separately from the build, and separate it from the people who can deploy.
Pull Request driven
28. OSS source code scan in Azure Pipelines
If you specify an extension in a YAML template and build, you will see a report in the results.
Whether the source is sent to another service is up to the service.
Also check software licenses.
29. Extension for security scan
Let's install the extension for WhiteSource Bolt
https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
There are a variety of other paid and free extensions available as well.
https://marketplace.visualstudio.com/search?term=security&target=AzureDevOps&category=All%20categories&sortBy=Relevance
If you want to use it all the time, specify it in the template as the environment.
32. Track release events in the audit log
The audit log is stored for 90 days in Azure DevOps.
It must be exported periodically.
Event Grid
Splunk
Azure Monitor
REST API
Create audit streaming | Microsoft Docs
33. Stream Audit log or Export with Logic Apps.
Save Azure DevOps audit logs to Cosmos DB with Logic Apps
34. Summary
Automation is great, but keep records so you don't end up wondering when you did it!
It's silly for a human to do it, so let's have a machine do it (also tamper-proof).
To be able to think, "If I make a mistake,
35. Appendix and Reference
Security through templates
https://docs.microsoft.com/en-us/azure/devops/pipelines/security/templates?WT.mc_id=DOP-MVP-4039781?view=azure-devops
Other security considerations
https://docs.microsoft.com/en-us/azure/devops/pipelines/security/misc?WT.mc_id=DOP-MVP-4039781?view=azure-devops
Create and target an environment
https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments?WT.mc_id=DOP-MVP-4039781?view=azure-devops