We’re happy to share that we’ve expanded our CI/CD security value proposition for Azure DevOps users with Azure Pipelines support! This new expansion allows organizations to scan Azure Pipelines for exposed secrets and other sensitive data, taking your software supply chain security to the next level. In this blog post, we’ll explore the advantages of the integration and how it works, so you can begin scanning your Azure DevOps Pipelines without delay.
Merging Cycode’s secret detection engine and knowledge graph capabilities with Azure Pipelines provides several key benefits. Organizations can shrink the attack surface and lessen the potential fallout of data breaches by identifying and addressing sensitive data exposure in pipeline definitions and run logs. Furthermore, the integration provides valuable insight into which data was involved in the event of a security incident. It also helps reinforce trust in CI/CD pipelines, both internally and among software end users. Lastly, this integration contributes to meeting CI/CD security guidance such as “Defending CI/CD Environments”, recently published by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
The Nuts and Bolts of Cycode’s Azure DevOps Pipelines Integration
Integrating is pretty easy: on the Cycode integrations page, clicking “Azure Pipelines” opens the Azure console to review an OAuth app installation. Click to install, then confirm once more after reviewing the Azure DevOps organizations that were found and will be connected to Cycode.
If you already have an Azure DevOps integration with Cycode, simply click “reconnect” on the integration page.
Once integrated, Cycode scans your pipelines as follows:
- Continuously fetching all defined pipelines, the data of each pipeline run, and the jobs within each pipeline. This information is modeled into Cycode’s knowledge graph, where it can be visually examined alongside other SDLC entities.
- Scanning the pipeline definitions, as well as the code they reference, for hardcoded sensitive information and other security issues.
- Examining the logs of each pipeline run and generating a violation for each discovered secret. These violations can be viewed on the violations page, and the appropriate notifications are sent out.
By default, all pipelines are scanned. However, Cycode’s workflow capabilities can be harnessed to fine-tune the alerting process when a secret is detected.
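To make the two scanning targets above concrete, here is a small, added example scanner (illustrative code, not Cycode’s detection engine or rule set). It runs the same detector rules over a pipeline definition and over a run log, and shows the distinction a log scan has to make: a variable marked `secret` in Azure Pipelines is written to the log as `***`, while an ordinary variable that a step echoes is written in clear text. The rule names, entropy threshold, the sample `azure-pipelines.yml` and the log lines are all constructed for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detector rules. The first two match well-known key formats; the third catches
# generic "password: value" / "TOKEN=value" assignments in YAML or log text.
# Hypothetical rule set for illustration, not Cycode's.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic-assignment": re.compile(
        r"(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]+)",
        re.IGNORECASE,
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; drops "changeme"-style placeholders


@dataclass(frozen=True)
class Finding:
    source: str  # "pipeline-definition" or "run-log"
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high for random-looking credentials."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_reference_or_masked(value: str) -> bool:
    """True for values that are not literal secrets.

    Azure Pipelines writes variables marked 'secret' to the log as '***', and
    $(name) / ${{ ... }} are variable references, not values. A variable that is
    NOT marked secret is echoed in clear text, which is what a log scan must catch.
    """
    return value == "***" or value.startswith("$(") or value.startswith("${{")


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every rule over every line; return one Finding per literal secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if is_reference_or_masked(value):
                    continue
                # Low-entropy values are treated as placeholders. Caveat: a real
                # but weak password such as "hunter22" is dropped here too.
                if rule == "generic-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(source, line_no, rule, value))
    return findings


# Constructed sample inputs (not real data): a definition with one hardcoded
# password and one hardcoded AWS key id, and a run log in which a non-secret
# variable was echoed in clear text right after a masked secret variable.
PIPELINE_YAML = """\
trigger:
- main

variables:
  storageAccount: contosoassets
  dbPassword: 'P@ssw0rd-Xy7!Qk'
  placeholderToken: changeme

steps:
- script: aws s3 sync ./dist s3://contoso-assets
  env:
    AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
    AWS_SECRET_ACCESS_KEY: $(awsSecretAccessKey)
    GITHUB_TOKEN: $(githubToken)
"""

RUN_LOG = """\
2023-09-11T10:02:13.4411Z ##[section]Starting: Deploy
2023-09-11T10:02:14.0021Z Using token=*** for registry login
2023-09-11T10:02:14.5120Z export DB_PASSWORD=P@ssw0rd-Xy7!Qk
2023-09-11T10:02:15.1201Z curl -H "Authorization: Bearer ghp_0123456789abcdefghijABCDEFGHIJ012345" https://api.github.com/user
2023-09-11T10:02:16.0000Z ##[section]Finishing: Deploy
"""

if __name__ == "__main__":
    for f in scan_text(PIPELINE_YAML, "pipeline-definition") + scan_text(RUN_LOG, "run-log"):
        # Print only a prefix so the scanner's own output does not re-leak the secret.
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.value[:4]}...")
```

Two design points carry over to any real scanner: the finding report itself must not copy the secret into yet another log, and skipping `***` is safe only because Azure Pipelines masks secret variables at the point they are logged, so anything that survives in clear text was never marked secret. In practice the log text would be pulled per run from the Azure DevOps build logs REST endpoint (`GET https://dev.azure.com/{organization}/{project}/_apis/build/builds/{buildId}/logs/{logId}?api-version=7.1`) rather than embedded as a string.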
Peeking at Pipeline Data
You can access your pipeline information on the knowledge graph page.
The true potential of the graph is unleashed by applying queries that involve other entities from your supply chain, such as the users who initiated failed pipeline runs, or pipeline jobs that have security violations.
Violations raised by secrets found in pipeline logs can be viewed on the violations page. Use the filter to isolate the violations coming from your pipelines by source (Azure DevOps) and SDLC stage (Build).
Generating notifications from secret-detection events is straightforward with Cycode’s workflows: select one or more CI/CD security policies as the trigger, filter by Provider = Azure DevOps Cloud, and finally define the notification you want to receive or the action to be taken (ticket creation, Slack message, etc.).
Conclusion
Cycode’s mission of mitigating risk and securing all stages of the SDLC, from code to cloud, is now supported by a powerful addition. Increasing the security of Azure Pipelines enables organizations to maintain trust, adhere to data privacy regulations, and most of all reduce both the risk of data breaches and the MTTR when one does occur. Book a demo for a deep dive into the new capabilities and a live demonstration of enhancing the security of Azure Pipelines!
Originally published: September 11, 2023