Static Code Analysis  for Infrastructure as Code Using Azure DevOps Pipelines

I work at an organization that has a majority of its services and resources in the Cloud. We use code to manage our cloud infrastructure using Azure DevOps. This article explains how to set up static code analysis for infrastructure as code using Azure DevOps pipelines and Prisma cloud.

Static (non-running) code analysis is performed as part of the security development lifecycle, where tools are used to find vulnerabilities such as buffer overflow, SQL injection within application code.

What is Infrastructure as Code

It is the process of managing infrastructure resources using code. The prominent tools in this field are Terraform, Azure Resource Manager templates, Cloud formation templates, and Azure BICEP used for deploying resources. Additionally, tools such as Ansible, Chef, and Puppet are used for configuration. These tools effectively maintain consistency across multiple deployments and serve as documentation of existing environments.

However, this process could introduce vulnerabilities into the infrastructure environment, such as publicly exposed Virtual machines or storage containers.

Requirements

• Azure DevOps / Github.

• Prisma Cloud Subscription: Prisma Cloud is a product from PaloAlto Networks that offers security protection of cloud-based environments from deployment to real-time monitoring of resources using policies and anomaly detection rules. Prisma Cloud also provides pipeline tasks for Azure DevOps, GitHub, and other CI/CD tools, which can be used to scan infrastructure code for misconfigurations.

Design Details

Every PR with Terraform code has to pass the validation process in this flow by successfully generating a terraform plan with intended changes. Then, we feed this plan output into the Prisma IAC task to be scanned for vulnerabilities. Post which the PR is peer-reviewed and approved to merge into deployment branch. If the job fails, the PR is blocked from being merged unless open issues are resolved.

Implementation Details

Setup Service Connection in Azure DevOps: 

• Generate an access key and secret key from Prisma Administrative console.
• Register the key in Azure DevOps as shown below

Pipeline Setup

There are two approaches that we can take to use Prisma Cloud Extension for Azure DevOps. However, irrespective of the approach, the controls, and policies applied are the same.

• Using the pipeline task to scan the entire folder of terraforming code that contains resource definitions for an environment. This approach works best for small deployments where all of the code is hosted within one folder.
• Using the pipeline task to scan the terraform plan output. This approach works best for complex and extensive Terraform definitions that use multi-module calls from various sources for deploying an environment.
  

Here is the pipeline definition based on the 2nd approach:

YAML

Now that we have a pipeline definition setup, you can now integrate these tasks into your existing terraform validation and deployment pipelines.

Pipeline execution

Below is an example of pipeline execution with Prisma Warning that we have one medium issue.

Constraints

Prisma cloud IAC Scan only supports terraform. However, if you are using platform native tools such as ARM templates or Azure BICEP, you will be able to use services such as Azure Policy to validate your deployment. Azure Policy is a powerful service that can help catch security issues and ensure that the infrastructure definition is right-sized and meets the desired configuration.

When Azure Resource Manager templates or Azure BICEP code violates a defined policy, the deployment will fail at the validation state. Since we use the validation as a gating process for all Pull Requests with Infrastructure code, this violation blocks the merge of “faulty code” into our deployment branch.

References

• Static Code Analysis Author: Ryan Dewhurst Contributor(s): KirstenS, Nick Bloor, Sarah Baso, James Bowie, Ram ch, EvgeniyRyzhkov, Iberiam…owasp.org
• Azure DevOps YML Terraform Pipeline and Pre-Merge Pull Request Validation
• Secure Your Infrastructure Automation
• Control deployments by using gates - Azure Pipelines