Compliance for Exposed Secrets Discovered by DevOps Security in Defender for Cloud
Azure Policy helps enforce organizational standards and assess compliance at scale. You can now create a custom Azure Policy to add DevOps security to your centralized compliance dashboards. This blog walks through creating a custom Azure Policy that leverages the Defender for Cloud DevOps security recommendations "Azure DevOps repositories should have secret scanning findings resolved", "GitHub repositories should have secret scanning findings resolved", and "GitLab projects should have secret scanning findings resolved". The policy gives Security and Compliance Teams visibility into secrets discovered in Azure DevOps, GitHub, and GitLab repositories that have been onboarded to Microsoft Defender for Cloud.
Objectives:
Prerequisites:
Create a Custom Azure Compliance Policy for Exposed Secrets
{
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos"
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "b5ef903f-8655-473b-9784-4f749eeb25c6",
        "existenceCondition": {
          "field": "Microsoft.Security/assessments/status.code",
          "in": [
            "NotApplicable",
            "Healthy"
          ]
        }
      }
    }
  }
}
Note: The example above is for Azure DevOps. To replicate the same policy for GitHub or GitLab, change the resource type listed in the "in" array of the "if" block to the corresponding GitHub or GitLab DevOps resource type, and replace the assessment "name" GUID with the assessment ID of the matching recommendation ("GitHub repositories should have secret scanning findings resolved" or "GitLab projects should have secret scanning findings resolved"). The rest of the rule stays the same.
For more information on Azure Policy definition structure, effects, scope, and more, review the Azure Policy definition structure documentation.
The policy we just created uses the assessment ID of the Defender for Cloud DevOps security recommendation "Azure DevOps repositories should have secret scanning findings resolved" as the name of the related Microsoft.Security/assessments resource. With the AuditIfNotExists effect, a repository is evaluated as compliant only if that assessment exists for it with a status code of Healthy or NotApplicable. If the assessment reports Unhealthy, meaning a secret was discovered in the repository, the repository is flagged as non-compliant. Note that AuditIfNotExists also flags a repository as non-compliant when no matching assessment exists for it yet, so a freshly onboarded repository may show as non-compliant until Defender for Cloud has assessed it.
The custom Policy gives you reporting capabilities on both compliant and non-compliant repositories.
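The following is an added example, not code from the original post or from Microsoft: it re-implements, locally, the small subset of Azure Policy semantics the definition above relies on (a resource "type" match in the "if" block, then an AuditIfNotExists existence check on a Microsoft.Security/assessments child resource whose status.code must be Healthy or NotApplicable) and runs it over a constructed set of repositories and assessments. It lets you see the Healthy, NotApplicable, Unhealthy and not-yet-assessed cases without an Azure subscription, and shows that producing the GitHub or GitLab variant only means swapping the resource type and assessment GUID. The resource IDs, the GitHub resource type string and the placeholder GUID used for the GitHub variant are assumptions for illustration; the real evaluation is done by Azure Policy, not by this script.

```python
"""Local dry run of the AuditIfNotExists secret-scanning policy.

Added example (not Microsoft's code). Models only what the custom policy
definition uses: a type match, then an existence check on a
Microsoft.Security/assessments child resource filtered by status.code.
"""
import copy

# Values taken from the custom policy definition above.
ADO_REPO_TYPE = "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos"
ADO_SECRETS_ASSESSMENT = "b5ef903f-8655-473b-9784-4f749eeb25c6"
ASSESSMENT_SEGMENT = "/providers/Microsoft.Security/assessments/"

POLICY = {
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["AuditIfNotExists", "Disabled"],
            "defaultValue": "AuditIfNotExists",
        }
    },
    "policyRule": {
        "if": {"field": "type", "in": [ADO_REPO_TYPE]},
        "then": {
            "effect": "[parameters('effect')]",
            "details": {
                "type": "Microsoft.Security/assessments",
                "name": ADO_SECRETS_ASSESSMENT,
                "existenceCondition": {
                    "field": "Microsoft.Security/assessments/status.code",
                    "in": ["NotApplicable", "Healthy"],
                },
            },
        },
    },
}


def policy_for(resource_type, assessment_name):
    """Copy of POLICY retargeted at another DevOps resource type and assessment GUID.
    That is the only difference between the Azure DevOps, GitHub and GitLab variants."""
    p = copy.deepcopy(POLICY)
    p["policyRule"]["if"]["in"] = [resource_type]
    p["policyRule"]["then"]["details"]["name"] = assessment_name
    return p


def evaluate(policy, resources, assessments, effect=None):
    """Apply the AuditIfNotExists rule locally.

    resources:   list of {"id", "type"} dicts describing DevOps repos
    assessments: list of {"id", "code"} dicts, id being
                 <repo id>/providers/Microsoft.Security/assessments/<guid>
    Returns {repo id: "Compliant" | "NonCompliant"}; resources whose type does
    not match the "if" block are not evaluated at all.
    """
    params = policy["parameters"]["effect"]
    effect = effect or params["defaultValue"]
    if effect not in params["allowedValues"]:
        raise ValueError(f"effect {effect!r} is not an allowed value")
    if effect == "Disabled":
        return {}
    rule = policy["policyRule"]
    in_scope = {t.lower() for t in rule["if"]["in"]}
    details = rule["then"]["details"]
    wanted = details["name"].lower()
    allowed_codes = set(details["existenceCondition"]["in"])

    # Index assessments by (parent repo id, assessment guid), both case-insensitive.
    by_key = {}
    for a in assessments:
        parent, _, name = a["id"].partition(ASSESSMENT_SEGMENT)
        by_key[(parent.lower(), name.lower())] = a["code"]

    results = {}
    for r in resources:
        if r["type"].lower() not in in_scope:
            continue
        code = by_key.get((r["id"].lower(), wanted))  # None when not assessed yet
        # AuditIfNotExists: compliant only if the related assessment exists AND
        # satisfies existenceCondition; a missing assessment is non-compliant too.
        results[r["id"]] = "Compliant" if code in allowed_codes else "NonCompliant"
    return results


def summarize(results):
    """Per-state counts, like the totals on the Policy Compliance page."""
    return {s: sum(1 for v in results.values() if v == s) for s in ("Compliant", "NonCompliant")}


# Constructed sample inventory (subscription, connector and repo names are fictional).
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-devops"
           "/providers/Microsoft.Security/securityConnectors/ado-connector/devops/default")
GITHUB_REPO_TYPE = "microsoft.security/securityconnectors/devops/githubowners/repos"  # assumed
SAMPLE_REPOS = [
    {"id": f"{_PREFIX}/azureDevOpsOrgs/contoso/projects/web/repos/frontend", "type": ADO_REPO_TYPE},
    {"id": f"{_PREFIX}/azureDevOpsOrgs/contoso/projects/web/repos/api", "type": ADO_REPO_TYPE},
    {"id": f"{_PREFIX}/azureDevOpsOrgs/contoso/projects/web/repos/infra", "type": ADO_REPO_TYPE},
    {"id": f"{_PREFIX}/azureDevOpsOrgs/contoso/projects/web/repos/new-repo", "type": ADO_REPO_TYPE},
    {"id": f"{_PREFIX}/gitHubOwners/contoso/repos/tools", "type": GITHUB_REPO_TYPE},
]
SAMPLE_ASSESSMENTS = [
    {"id": SAMPLE_REPOS[0]["id"] + ASSESSMENT_SEGMENT + ADO_SECRETS_ASSESSMENT, "code": "Healthy"},
    {"id": SAMPLE_REPOS[1]["id"] + ASSESSMENT_SEGMENT + ADO_SECRETS_ASSESSMENT, "code": "Unhealthy"},
    {"id": SAMPLE_REPOS[2]["id"] + ASSESSMENT_SEGMENT + ADO_SECRETS_ASSESSMENT, "code": "NotApplicable"},
    # new-repo deliberately has no assessment record: it has not been scanned yet.
]

if __name__ == "__main__":
    res = evaluate(POLICY, SAMPLE_REPOS, SAMPLE_ASSESSMENTS)
    for rid, state in res.items():
        print(f"{state:13} {rid.rsplit('/', 1)[-1]}")
    print(summarize(res))
```

Running it lists frontend and infra as Compliant and api and new-repo as NonCompliant, while the GitHub repository is skipped because the Azure DevOps policy's "if" block never matches it; retargeting with policy_for is what brings it into scope.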
It should look like the following in the Policy Compliance details:
To review, we have walked through setting up a custom Azure Policy that audits repositories against the Defender for Cloud assessment that finds exposed secrets. We assigned the policy to a subscription and visualized the results in Azure Policy's centralized Compliance view. This helps Compliance Managers, Security Operators, and Governance Teams identify non-compliant repositories across connected DevOps environments. You can then use Azure Policy reporting on these discovered secrets to implement governance for resource consistency, regulatory compliance, security, and management.