17 changes: 15 additions & 2 deletions 09-AzureDevOps(VSTS)-Security/Readme.md
Expand Up @@ -75,7 +75,7 @@ An Azure-based continuous assurance scanning solution for ADO can be setup in su
In this section, we will walk through the steps of setting up a Azure DevOps Organization for Continuous Assurance coverage in a subscription.

To get started, we need the following:
1. The user setting up Continuous Assurance needs to have 'Owner' access to the subscription.
1. The user setting up Continuous Assurance needs to have 'Owner' access to the subscription or 'Owner' access to the resource group where Continuous assurance will be setup.

2. Target Log Analytics WorkspaceID* and SharedKey. (The Log Analytics workspace can be in a different subscription, see note below)

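Review bot: The relaxed prerequisite on the replacement line ("'Owner' access to the resource group where Continuous assurance will be setup") leaves out a condition a reader needs: an Owner scoped only to a resource group cannot create that resource group, so the group must already exist before setup, and the reader should be told how to point the setup at it (the `-ResourceGroupName` parameter appears in the Get-AzSKADOContinuousAssurance syntax further down). Suggest stating that explicitly in this step, and while here fix "will be setup" to "will be set up" and use the capitalization "Continuous Assurance" consistently with the rest of the paragraph.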
Expand Down Expand Up @@ -230,7 +230,7 @@ Command:
Get-AzSKADOContinuousAssurance -SubscriptionId <SubscriptionId> `
-OrganizationName <OrganizationName> `
[-ResourceGroupName <ResourceGroupName>] `
[-FunctionAppName <FunctionAppName>]
[-RsrcTimeStamp <RsrcTimeStamp>]
```


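Review bot: Replacing `[-FunctionAppName <FunctionAppName>]` with `[-RsrcTimeStamp <RsrcTimeStamp>]` in the syntax block removes a documented parameter without saying whether it was dropped or merely omitted, and introduces a new one whose meaning and expected value format are not described anywhere in the hunk. If both parameters are still accepted, keep the FunctionAppName line and add RsrcTimeStamp after it; either way, add a sentence under the syntax block explaining what a resource timestamp is and where the user obtains it.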
Expand Down Expand Up @@ -587,10 +587,23 @@ Get-AzSKADOSecurityStatus -OrganizationName "<OrganizationName>" -ProjectNames "
Allowing scan for more then 1000 resources can be configured through the organization policy by updating 'IsAllowLongRunningSca'n and 'LongRunningScanCheckPoint' properties in the ControlSettings.json file.
If 'IsAllowLongRunningScan' is set to true, then by using '-AllowLongRunningScan' switch parameter, AzSK.ADO allows scan for resources count which is set in 'LongRunningScanCheckPoint'. If 'IsAllowLongRunningScan' value is set to false it does not allow scan for more then resources count set in 'LongRunningScanCheckPoint'.

### Execute SVTs using "-DetailedScan" switch

A special flag -DetailedScan in the scan command which can be used to tell the scanner to query and display richer information when evaluating certain controls. This is “off by default” and helps us scan RBAC controls at scale by avoiding API calls that can be deferred to a fix stage.
```PowerShell
Get-AzSKADOSecurityStatus -OrganizationName "<OrganizationName>" -ScanAllArtifacts -DetailedScan
```
Detailed information is also generated when -ControlIds or -ControlsToAttest flag is used. At present, the following controls support this flag:
- ADO_Build_AuthZ_Grant_Min_RBAC_Access
- ADO_Release_AuthZ_Grant_Min_RBAC_Access
- ADO_Organization_AuthZ_Justify_Guest_Identities

### Execute SVTs using "-UsePartialCommits" switch

The Get-AzSKADOSecurityStatus command now supports checkpointing via a "-UsePartialCommits" switch. When this switch is used, the command periodically persists scan progress to disk. That way, if the scan is interrupted or an error occurs, a future retry can resume from the last saved state. This capability also helps in Continuous Assurance scans if scan gets suspended due to any unforeseen reason.The cmdlet below checks security control state via a "-UsePartialCommits" switch:
```PowerShell
Get-AzSKADOSecurityStatus-OrganizationName "<OrganizationName>" -ScanAllArtifacts -UsePartialCommits
```

# Control Attestation

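Review bot: The sample command added in the "-UsePartialCommits" section is not runnable as written: `Get-AzSKADOSecurityStatus-OrganizationName "<OrganizationName>"` has no space between the cmdlet and its first parameter, so PowerShell will look for a command named `Get-AzSKADOSecurityStatus-OrganizationName`; change it to `Get-AzSKADOSecurityStatus -OrganizationName "<OrganizationName>" -ScanAllArtifacts -UsePartialCommits`. The long-running-scan paragraph also has a misplaced quote in `'IsAllowLongRunningSca'n` (should be `'IsAllowLongRunningScan'`), "more then" appears twice and should be "more than", and the sentence "if scan gets suspended due to any unforeseen reason.The cmdlet" is missing a space after the period. Finally, "A special flag -DetailedScan in the scan command which can be used to tell the scanner..." is a fragment; "The -DetailedScan switch tells the scanner to query and display..." reads cleanly.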