Check for security issues in your ARM templates using AzSk

Aug 15, 2018 | Utkarsh Shigihalli Utkarsh Shigihalli | 2 min read

DevOps DevSecOps VSTS Azure

Twitter Facebook Linkedin Email WhatsApp

Secure DevOps Kit for Azure (AzSK) is packed with great set of tools, scripts and tasks to help you scan your Azure resources for security issues. At my client we have scheduled this as part of CICD to scan resources and generate report. The extension also includes a task to scan your ARM templates for security issues - The benefit is that you can STOP security issues even before they get deployed to Azure, ensuring you always do secured resource deployment. In this post we will see how easy it is to include this task in your CICD pipeline to scan for issues in your ARM templates.

The first thing to do, if you have not done already is, to go to VS Marketplace and install the extension

  • We will be testing our ARM templates as soon as we commit to the source control. So lets create a build definition mapped to our ARM template repository.

  • Next add the AzSK ARM Template Checker task to the build pipeline task search

  • Next, configure the task - To start scanning, you just need to provide the root folder where you have ARM templates (and optionally mark it to scan recursively). task configure

  • Run the build and let the build complete. You will see glimpse of the scan in the build output itself. task output

  • Once the build completes, you will find that task has attached all the results to the build log. You will be surprised to see the issues you find in your ARM templates.

    scan result

Occasionally you will find issues which you have decided as safe to ignore. The task allows you to skip such failures from the scan so that you will not get alerted as a security issue or cause in build failures.

The way you configure this is simple - Use the generated csv file and keep only entries you need to ignore from the scan and commit to your repository as a csv file. Then specify this file in the task as below.

skip controls

The task currently scans App Service, Storage, SQL, CDN, Traffic Manager, Document DB, Redis Cache, and Data Lake services only.

That’s it for now. Hope you found this post useful.

Related Posts
About author
Utkarsh Shigihalli
Utkarsh Shigihalli
Utkarsh is passionate about software development and has experience in the areas of Azure, Azure DevOps, C# and TypeScript. Over the years he has worked as an architect, independent consultant and manager in many countries including India, United States, Netherlands and United Kingdom. He is a Microsoft MVP and has developed numerous extensions for Visual Studio, Visual Studio Code and Azure DevOps.
We Are
  • onlyutkarsh
    Utkarsh Shigihalli
    Microsoft MVP, Technologist & DevOps Coach

  • arora_tarun
    Tarun Arora
    Microsoft MVP, Author & DevOps Coach at Avanade

Do you like our posts? Subscribe to our newsletter!
Subscribe
We Blog About
Recent Posts
Our Book
Azure DevOps Server 2019 Cookbook