DEV Community

Discussion on: Defender for DevOps on AzureDevOps

Thomas Jespersen (tjementum)

Not even sure that this is the right place to give feedback, but I cannot find another place, so hoping Microsoft is listening :)

I've been playing a bit more and ran into another small issue. I got the following informational warning from my Terraform (which I can see you also get in your screenshot):

Rule AC_AZURE_0389: Ensure that Azure Resource Group has resource lock enabled

While this is easy to fix in Terraform, I want to disable this rule. As far as I can tell, it's not currently possible to disable rules when using the "Microsoft Security DevOps" extension. It is, however, possible to ignore policies in Terrascan, which I believe is used behind the scenes.

Why I want to disable this:

  • Setting lock-level requires the Azure Pipeline to have owner rights on resources (default is Contributor). I do not like having to grant elevated rights, and in general, I do not like Azure Locks.
  • For some resources like DNS you cannot have a Lock level. We programmatically add and delete DNS records from our app, but deleting a DNS record is not possible if there is a Lock level on the resource.

I'm sure there are other reasons why you would want to disable rules.

Again. Awesome that Microsoft is looking into this, as it's such an important area.

Marcel.L (pwd9000) • Edited

Hey @tjementum
Thank you for the great feedback and as the product matures from preview I am sure that there will be exclusions that can be passed as inputs. But for the time being this is possible by using a (*.gdnconfig) config file: github.com/microsoft/security-devo...

```yaml
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      config: <path to an MSDO configuration file (*.gdnconfig)>
```

You are looking for this setting: "SkipRules": "",

Example config for Terrascan using a gdnconfig file:

```json
{
  "tools": [
    {
      "tool": {
        "name": "Terrascan",
        "version": "Latest"
      },
      "arguments": {
        "Init": "",
        "Scan": "scan",
        "Server": "",
        "Version": "",
        "ConfigPath": "",
        "LogLevel": "",
        "LogType": "",
        "OutputType": "sarif",
        "Categories": "",
        "ConfigOnly": "",
        "FindVuln": "",
        "Help": "",
        "IacDir": "$(WorkingDirectory)",
        "IacFile": "",
        "IacType": "",
        "IacVersion": "",
        "NonRecursive": "",
        "PolicyPath": "",
        "PolicyType": "",
        "RemoteType": "",
        "RemoteUrl": "",
        "ScanRules": "",
        "Severity": "",
        "ShowPassed": "",
        "SkipRules": "",
        "UseColors": "auto",
        "UseTerraformCache": "",
        "Verbose": ""
      }
    }
  ]
}
```
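As an added illustration (not code from the thread or from the MSDO project), a small helper that fills the `SkipRules` argument of a `.gdnconfig` file in a repeatable way, so a rule such as `AC_AZURE_0389` can be excluded without hand-editing JSON in the pipeline. It assumes `SkipRules` takes a comma-separated list of Terrascan rule IDs (Terrascan's own `--skip-rules` convention) and that the `GDN_TERRASCAN_SKIPRULES` pipeline variable takes the same list; the trimmed config embedded below is constructed from the one posted above.

```python
"""Set Terrascan skip rules in an MSDO .gdnconfig file (added example)."""
import json
import re

# Terrascan rule IDs have the shape AC_<PROVIDER>_<NNNN>, e.g. AC_AZURE_0389.
RULE_ID = re.compile(r"^AC_[A-Z0-9]+_\d{4}$")

# Constructed sample: a trimmed copy of the config posted above, keeping only
# the arguments this helper touches.
SAMPLE_GDNCONFIG = json.dumps({
    "tools": [{
        "tool": {"name": "Terrascan", "version": "Latest"},
        "arguments": {
            "Scan": "scan",
            "OutputType": "sarif",
            "IacDir": "$(WorkingDirectory)",
            "SkipRules": "",
        },
    }]
})


def skip_rules_of(config_text: str, tool_name: str = "Terrascan") -> list:
    """Read back the SkipRules list for tool_name (empty list if unset)."""
    for entry in json.loads(config_text)["tools"]:
        if entry["tool"]["name"] == tool_name:
            raw = entry["arguments"].get("SkipRules", "")
            return [r for r in raw.split(",") if r]
    raise KeyError(f"no tool named {tool_name!r} in config")


def add_skip_rules(config_text: str, rule_ids, tool_name: str = "Terrascan") -> str:
    """Return config_text with rule_ids merged into tool_name's SkipRules.

    Existing entries are kept, duplicates dropped, and malformed IDs rejected
    so a typo cannot silently skip nothing (or the wrong rule).
    """
    bad = [r for r in rule_ids if not RULE_ID.match(r)]
    if bad:
        raise ValueError(f"not Terrascan rule IDs: {bad}")
    config = json.loads(config_text)
    for entry in config["tools"]:
        if entry["tool"]["name"] == tool_name:
            merged = skip_rules_of(config_text, tool_name)
            merged += [r for r in rule_ids if r not in merged]
            entry["arguments"]["SkipRules"] = ",".join(merged)
            return json.dumps(config, indent=2)
    raise KeyError(f"no tool named {tool_name!r} in config")


def pipeline_variable(rule_ids) -> tuple:
    """The same exclusion expressed as the pipeline variable from the reply below (assumed format)."""
    return ("GDN_TERRASCAN_SKIPRULES", ",".join(rule_ids))
```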
Sizzl (sizzl) • Edited

Came across this article when also refreshing my knowledge on Defender for DevOps... The pipeline integration isn't at all well documented, but I'd previously found through source trawling and FAQs that you can also just define pipeline variables if there's only a small number of checks to skip:

e.g.,

GDN_TERRASCAN_SKIPRULES = AC_AZURE_0389

Ref: github.com/microsoft/security-devo...
