├── Desktop
│   └── desktop.md
├── GitHub
│   └── github.md
├── AzureDevOps
│   └── azure-devops.md
├── CODE_OF_CONDUCT.md
├── SUPPORT.md
├── LICENSE
├── ci-cd-integrations
│   ├── README.md
│   ├── jenkins
│   │   └── jenkinspipeline.groovy
│   └── bitbucket
│       └── bitbucket-pipelines.yml
├── README.md
└── SECURITY.md

--------------------------------------------------------------------------------
/Desktop/desktop.md:
--------------------------------------------------------------------------------
# Desktop

--------------------------------------------------------------------------------
/GitHub/github.md:
--------------------------------------------------------------------------------
# GitHub

--------------------------------------------------------------------------------
/AzureDevOps/azure-devops.md:
--------------------------------------------------------------------------------
# Azure DevOps

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Microsoft Open Source Code of Conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).

Resources:

- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
# Support

## How to file issues and get help

This project uses GitHub Issues to track bugs and feature requests. Please search the existing
issues before filing new issues to avoid duplicates. For new issues, file your bug or
feature request as a new Issue.

For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE
FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER
CHANNEL. WHERE WILL YOU HELP PEOPLE?**.

## Microsoft Support Policy

Support for this **PROJECT or PRODUCT** is limited to the resources listed above.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/ci-cd-integrations/README.md:
--------------------------------------------------------------------------------
# Defender for Cloud Command Line Interface (CLI)

Defender for Cloud Command Line Interface (CLI) is a tool designed for continuous integration and continuous deployment (CI/CD) pipelines. It performs static analysis and connects your code to cloud services. You can use it in any build process to scan container images for security vulnerabilities using built-in scanners. The results are sent to the Defender for Cloud portal, where the Cloud Security Explorer provides access to the container image and details about its vulnerabilities.

[For more detailed information](https://learn.microsoft.com/en-us/azure/defender-for-cloud/cli-cicd-integration)

The CLI:

* Authenticates with Microsoft Defender for Cloud
* Installs the latest Microsoft and 3rd party security tools
* Normalizes results into the SARIF format
* Uploads results to Microsoft Defender for Cloud

## Required environment variables for all Pipelines

| Name | Value |
| --- | --- |
| GDN_MDC_CLI_CLIENT_ID | Generated MDC Client ID |
| GDN_MDC_CLI_CLIENT_SECRET | Generated Client Secret |
| GDN_MDC_CLI_TENANT_ID | Azure AD Tenant ID |
| GDN_PIPELINENAME | `bitbucket` `jenkins` `gcp` `bamboo` `circle` `travis` `teamcity` `oci` or `aws` |

## Running Trivy

To run Trivy, you must first build the container image. In your CI/CD tooling, add the following environment variables in addition to the ones above.

### Additional environment variables

| Name | Value |
| --- | --- |
| GDN_TRIVY_ACTION | `image` |
| GDN_TRIVY_TARGET | Name of image |

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos is subject to those third parties' policies.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Microsoft Security DevOps Samples

Samples for Microsoft Security DevOps integrations.

## Integrations

* [Desktop](./Desktop/desktop.md) - [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget)
* [GitHub](./GitHub/github.md) - [Microsoft Security DevOps GitHub Action](https://github.com/microsoft/security-devops-action)
* [Azure DevOps](./AzureDevOps/azure-devops.md) - Microsoft Security DevOps Azure DevOps Extension (in Limited Private Preview)

> This repo has been populated by an initial template to help get you started. Please
> make sure to update the content to build a great experience for community-building.

## Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos is subject to those third parties' policies.

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).

--------------------------------------------------------------------------------
/ci-cd-integrations/jenkins/jenkinspipeline.groovy:
--------------------------------------------------------------------------------
pipeline {
    agent any
    environment {
        /* Defender for Cloud (Microsoft Security DevOps) */
        GDN_MDC_CLI_TENANT_ID     = credentials('MDC-TenantID')
        GDN_MDC_CLI_CLIENT_ID     = credentials('MDC-CLI-ID')
        GDN_MDC_CLI_CLIENT_SECRET = credentials('MDC-CLI-Secret')
        GDN_PIPELINENAME          = "jenkins"
        GDN_TRIVY_ACTION          = "image"

        /* Registry details */
        REGISTRY   = "reg.azurecr.io"
        IMAGE_NAME = "cli_jenkins_image"
        // A username/password credential; Jenkins also exposes it as
        // REGISTRY_CREDS_USR and REGISTRY_CREDS_PSW for the shell steps below.
        REGISTRY_CREDS = credentials('Registry-Creds')
    }
    stages {
        stage('Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/org/repo' // <-- Input GitHub repository
            }
        }

        stage('Build & Push Container') {
            steps {
                script {
                    def commit  = env.GIT_COMMIT?.take(7) ?: 'unk'
                    def fullImg = "${env.REGISTRY}/${env.IMAGE_NAME}"
                    def verTag  = "${BUILD_NUMBER}-${commit}"

                    // The shebang keeps the script in bash: `set -o pipefail` is not
                    // accepted by every /bin/sh that the sh step would otherwise use.
                    sh """#!/usr/bin/env bash
                        set -euo pipefail
                        docker build -t ${fullImg}:${verTag} -t ${fullImg}:latest .

                        echo "\${REGISTRY_CREDS_PSW}" | \
                            docker login ${env.REGISTRY} -u "\${REGISTRY_CREDS_USR}" --password-stdin

                        docker push ${fullImg}:${verTag}
                        if [ "\${BRANCH_NAME:-}" = "main" ]; then docker push ${fullImg}:latest; fi
                    """

                    // GDN_TRIVY_TARGET is the image name the CLI scans (see the README);
                    // the tag is carried separately in IMAGE_TAG.
                    env.GDN_TRIVY_TARGET = fullImg
                    env.IMAGE_TAG = verTag
                }
            }
        }

        stage('Scan with Trivy & Publish to MDC') {
            steps {
                sh '''#!/usr/bin/env bash
                    set -euo pipefail
                    # Download the CLI only if it is not already in the workspace.
                    # cleanWs() in post{} wipes the workspace after every build, so this
                    # normally downloads on each run; keep the tool outside the workspace
                    # if you want it reused between builds.
                    if [ ! -x tools/guardian ]; then
                        curl -sSL -o msdo_linux.zip \
                            "https://www.nuget.org/api/v2/package/Microsoft.Security.DevOps.Cli.linux-x64/"
                        unzip -oq msdo_linux.zip
                        chmod +x tools/guardian tools/Microsoft.Guardian.Cli
                    fi

                    tools/guardian init --force
                    tools/guardian run \
                        -t trivy \
                        --image ${GDN_TRIVY_TARGET}:${IMAGE_TAG} \
                        --export-file ./security-scan.sarif \
                        --publish-file ./security-scan.sarif \
                        --not-break-on-detections
                '''
            }
        }
    }

    post {
        success {
            archiveArtifacts artifacts: 'security-scan.sarif', fingerprint: true
        }
        always {
            cleanWs() // keep agent disk tidy
        }
    }
}

--------------------------------------------------------------------------------
/ci-cd-integrations/bitbucket/bitbucket-pipelines.yml:
--------------------------------------------------------------------------------
# ===================================================================
# Bitbucket Pipelines configuration for Docker image build + scan
#
# Required Repository-Level Environment Variables
# (set them in Repo → Settings → Pipelines → Environment variables)
# --------------------------------------------------
# • MDC_TENANT_ID      – Microsoft Defender tenant ID
# • MDC_CLIENT_ID      – Defender App Registration (Client ID)
# • MDC_CLIENT_SECRET  – Defender client secret (mark as secured)
# • REGISTRY_USERNAME  – Azure Container Registry (ACR) username
# • REGISTRY_PASSWORD  – ACR password or access token (mark as secured)
# ===================================================================

image: docker:20.10.24          # Alpine image with Docker client

options:
  docker: true                  # enable remote Docker daemon

# One top-level `definitions` block only: declaring it twice (caches at the
# top, services at the bottom) is a duplicate YAML key and fails validation.
definitions:
  caches:
    defender-cli: ~/.cache/defender
  services:
    docker: {}                  # use Bitbucket's default Docker service settings

pipelines:
  default:
    - step:
        name: Build, scan & push
        services:
          - docker
        caches:
          - defender-cli
        script:
          # ────────────────────────────────────────────────────────────
          # ❶ COMMON VARIABLES
          # ────────────────────────────────────────────────────────────
          - export REGISTRY="reg.azurecr.io"
          - export IMAGE_NAME="cli_jenkins_image"
          # BITBUCKET_COMMIT is provided by Pipelines, so no git binary is needed
          - export COMMIT=$(printf '%s' "$BITBUCKET_COMMIT" | cut -c1-7)
          - export IMG_TAG="${BITBUCKET_BUILD_NUMBER}-${COMMIT}"
          - export FULL_IMAGE="${REGISTRY}/${IMAGE_NAME}"

          # Map the repository variables onto the GDN_* names the Defender for
          # Cloud CLI reads (see ci-cd-integrations/README.md); without these
          # the CLI cannot authenticate or pick the Trivy image action.
          - export GDN_MDC_CLI_TENANT_ID="$MDC_TENANT_ID"
          - export GDN_MDC_CLI_CLIENT_ID="$MDC_CLIENT_ID"
          - export GDN_MDC_CLI_CLIENT_SECRET="$MDC_CLIENT_SECRET"
          - export GDN_PIPELINENAME="bitbucket"
          - export GDN_TRIVY_ACTION="image"
          - export GDN_TRIVY_TARGET="$FULL_IMAGE"

          # ────────────────────────────────────────────────────────────
          # ❷ BUILD & PUSH IMAGE
          # ────────────────────────────────────────────────────────────
          # Keep each command on one line or in a `|` block: a trailing
          # backslash inside a plain YAML scalar is passed to the shell literally.
          - echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USERNAME" --password-stdin
          - docker build -t "${FULL_IMAGE}:${IMG_TAG}" -t "${FULL_IMAGE}:latest" .
          - docker push "${FULL_IMAGE}:${IMG_TAG}"
          - if [ "$BITBUCKET_BRANCH" = "main" ]; then docker push "${FULL_IMAGE}:latest"; fi

          # ────────────────────────────────────────────────────────────
          # ❸ INSTALL (or RESTORE) DEFENDER FOR CLOUD CLI
          # ────────────────────────────────────────────────────────────
          - |
            if [ ! -x ~/.cache/defender/guardian ]; then
              # the Alpine-based docker image may not ship curl/unzip
              command -v unzip >/dev/null 2>&1 || apk add --no-cache curl unzip
              mkdir -p ~/.cache/defender
              curl -sSL -o msdo_linux.zip \
                "https://www.nuget.org/api/v2/package/Microsoft.Security.DevOps.Cli.linux-x64/"
              unzip -oq msdo_linux.zip
              mv tools/* ~/.cache/defender/
              chmod +x ~/.cache/defender/guardian ~/.cache/defender/Microsoft.Guardian.Cli
            fi
          - export PATH="$PATH:$HOME/.cache/defender"

          # ────────────────────────────────────────────────────────────
          # ❹ RUN TRIVY SCAN & PUBLISH SARIF
          # ────────────────────────────────────────────────────────────
          - guardian init --force
          - |
            guardian run \
              -t trivy \
              --image "${FULL_IMAGE}:${IMG_TAG}" \
              --export-file ./security-scan.sarif \
              --publish-file ./security-scan.sarif \
              --not-break-on-detections

        artifacts:
          - security-scan.sarif
--------------------------------------------------------------------------------
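Both pipelines export the scan to ./security-scan.sarif and pass --not-break-on-detections, so the CLI itself never fails the build on findings. The following is an added example, not code from this samples repository, of a gate step that reads that SARIF file, counts results by level and fails on error-level results or on rules whose `security-severity` score (the CVSS score convention used by Trivy's SARIF output and GitHub code scanning) meets a threshold; the embedded SARIF document is constructed and its CVE ids are placeholders.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for ./security-scan.sarif.
# Rule ids, package names and scores are placeholders, not real findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "libexample 1.0: CVE-0000-0001"}},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "libother 2.1: CVE-0000-0002"}},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "libthird 0.9: CVE-0000-0002"}},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten every run into (rule_id, level, cvss_score, message) tuples.

    The score comes from the rule's 'security-severity' property; a rule
    without one scores 0.0 so only its SARIF level can block the build.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            findings.append((res.get("ruleId", "?"), res.get("level", "warning"),
                             score, res.get("message", {}).get("text", "")))
    return findings

def gate(findings, min_score=7.0):
    """Return (counts_by_level, blocking): a finding blocks when its SARIF
    level is 'error' or its CVSS score is at least min_score."""
    counts = Counter(level for _, level, _, _ in findings)
    blocking = [f for f in findings if f[1] == "error" or f[2] >= min_score]
    return counts, blocking

if __name__ == "__main__":
    # usage: python sarif_gate.py ./security-scan.sarif  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, blocking = gate(load_findings(text))
    print("findings by level:", dict(counts))
    for rule_id, level, score, msg in blocking:
        print(f"BLOCK {rule_id} level={level} cvss={score}: {msg}")
    sys.exit(1 if blocking else 0)
```

Run it as a step after `guardian run` in either pipeline; a non-zero exit fails the build while the SARIF is still published to Defender for Cloud.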