01Apr

Implementing Azure DevSecOps with Microsoft Credential Scanner

Let’s look at CredScan, the Credential Scanner task that ships in the Microsoft Security Code Analysis extension (abbreviated MSCA) for Azure DevOps. This blog outlines a set of simple steps to implement credential scanning in Azure DevOps on an ASP.NET application.

Introducing MSCA

The Microsoft Security Code Analysis (MSCA) extension is a set of build tasks that help implement security analysis of the files and code in your pipelines. Microsoft has done an amazing job making this extension available, so that we can use automated build tasks to check for some commonly encountered security issues.

The extension is available only to customers with a premium license. Refer to the link below to purchase the extension for your organization:

https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-onboard#installing-microsoft-security-code-analysis-extension

This extension consists of the following:

  1. Credential Scanner
  2. BinSkim
  3. TSLint
  4. Roslyn Analyzers
  5. Microsoft Security Risk Detection
  6. Anti-Malware Scanner

However, this blog focuses only on Credential Scanner (CredScan).

What’s CredScan?

Credential Scanner (aka CredScan) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files. Commonly found credential types include default passwords, SQL connection strings and certificates with private keys. The CredScan build task is included in the Microsoft Security Code Analysis extension.
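To make concrete what a credential scan is looking for, here is a small added example (not CredScan's code and not from this blog): a toy scanner with three constructed rules, modelled on the three leak types named above, run over a constructed sample checkout. It also shows two defender-side details the paragraph does not: the matched secret is masked so the report itself does not leak it, and a policy function fails the build on any finding. The rule names, file contents, hostnames and the build policy are all assumptions made for the example.

```python
"""Toy credential scanner illustrating the kinds of leaks CredScan flags.

Added example: this is NOT CredScan's code and does not reproduce its rule
set. Rules, sample files and the build policy are constructed for the demo.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed rule set (hypothetical rule names, not CredScan rule ids).
RULES: List[Tuple[str, re.Pattern]] = [
    # "Password=..." / "Pwd=..." inside a connection string; the value runs
    # up to the next ';' or quote.
    ("ConnectionStringPassword",
     re.compile(r"(?i)(?:password|pwd)\s*=\s*[^;\"'\s][^;\"']*")),
    # A password/secret key assigned a quoted literal (JSON, code, config).
    ("HardcodedPassword",
     re.compile(r"(?i)(?:password|passwd|secret)\b\s*[\"']?\s*[:=]\s*[\"'][^\"']{4,}[\"']")),
    # PEM private key header.
    ("PrivateKeyBlock",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    snippet: str  # offending line with the matched secret masked


def _mask(line: str, match: "re.Match[str]") -> str:
    # Never echo the secret itself into logs or the published report.
    return line[:match.start()] + "<redacted>" + line[match.end():]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit in a single file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, lineno, rule_name, _mask(line, match).strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, as a task would walk a checkout."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_fail_build(findings: List[Finding]) -> bool:
    """Policy used by this example: any finding breaks the build."""
    return bool(findings)


# Constructed sample checkout; the hostname uses the reserved .invalid TLD
# and the "key" body is a placeholder, not real key material.
SAMPLE_FILES: Dict[str, str] = {
    "Web.config": (
        "<connectionStrings>\n"
        '  <add name="DefaultConnection" connectionString="Server=tcp:db.example.invalid;'
        'Database=PartsUnlimited;User ID=sa;Password=Pa55w0rd!;" />\n'
        "</connectionStrings>\n"
    ),
    "appsettings.json": '{\n  "AdminPassword": "ChangeMe123"\n}\n',
    "deploy/cert.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...constructed placeholder, not a real key...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # Prose that mentions passwords without leaking one: must not fire.
    "README.md": "Set the password via an environment variable; never commit it.\n",
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.file}:{f.line}: {f.rule}: {f.snippet}")
    print(f"{len(results)} finding(s)")
    # Non-zero exit is what makes a pipeline step fail on findings.
    sys.exit(1 if should_fail_build(results) else 0)
```

Running the module reports three findings (the connection string password, the hardcoded JSON password and the PEM key) and none for the README line, then exits non-zero; a real scanner's rules are far broader, but the shape of the output and the masking are the parts worth copying.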

Let’s implement CredScan in Azure DevOps using an ASP.NET application. The same steps can be used for any other application as well.

Prerequisites

  • An Azure DevOps account provisioned
  • An Azure DevOps organization and an Azure DevOps project
  • The MSCA extension installed in the organization from the Marketplace
  • Source code in Azure Repos or GitHub. If you don’t have one, you can fork the sample repository below:

https://github.com/CanarysAuto/PartsUnlimitted

Refer to the guide below on how to fork a repository, if required:

https://guides.github.com/activities/forking/

  • Basic understanding of Azure Pipelines YAML.

Let’s do CredScan

Follow the steps below to implement CredScan in Azure DevOps.

  1. Navigate to your Azure DevOps project.
  2. Click on Pipelines.
  3. Click on New Pipeline.
  4. Select where your code is. Here, we’ll select GitHub.
  5. Select your repository. If not connected to GitHub, provide your GitHub credentials when prompted to connect.
  6. After selecting the repository, click on Starter Pipeline. You can also customize the template provided by Microsoft according to your application.
  7. Clear the contents of the starter pipeline, then copy the following YAML script to your pipeline.

 

trigger:
- master                      # run on every push to master
pool:
  vmImage: 'windows-latest'   # hosted Windows agent
steps:
# Run Credential Scanner over the checked-out sources
- task: CredScan@2
# Build the summary report from CredScan results only (other tools disabled)
- task: SdtReport@1
  inputs:
    TsvFile: false
    AllTools: false
    BinSkim: false
    CredScan: true
    MSRD: false
    RoslynAnalyzers: false
    TSLint: false
    ToolLogsNotFoundAction: 'Standard'
# Publish the CredScan logs and report as a build artifact
- task: PublishSecurityAnalysisLogs@2
  inputs:
    ArtifactName: 'CodeAnalysisLogs'
    ArtifactType: 'Container'
    AllTools: false
    AntiMalware: false
    BinSkim: false
    CredScan: true
    MSRD: false
    RoslynAnalyzers: false
    TSLint: false
    ToolLogsNotFoundAction: 'Standard'

  8. Click on Save and Run.
  9. You can view the live logs of CredScan in Azure DevOps.
  10. After the run completes, you can find the Credential Scanner report published as an artifact.
  11. You can download the report if required; it looks like the one below.

[Screenshot: downloaded CredScan report]

  12. Congrats!!! You have successfully completed CredScan. You can integrate this report with your existing build pipeline if required.
