Microsoft Security Code Analysis (Private Preview)

Run security analysis tools in Azure DevOps Pipelines

The Secure Development Lifecycle (SDL) Guidelines recommend that teams perform static analysis during the implementation phase of your development cycle.

The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running of static analysis tools in your Azure DevOps pipelines.

The private preview is currently under NDA and “Invitation Only”, so only select customers will be provided access.

Security Static Analysis Tools Available

The Microsoft Security Code Analysis extension makes the latest versions of important static analysis tools readily available to you. The extension includes both Microsoft internal and open source tools. The tools are downloaded automatically onto the cloud-hosted agent once you configure and run the pipeline using the corresponding build task. Below is the list of tools that are available in the extension today.

Credential Scanner

Passwords and other secrets stored in source code are currently a big problem. Credential Scanner is a static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.

More Information

Microsoft Security Risk Detection

Security Risk Detection is Microsoft's unique cloud-based fuzz testing service for identifying exploitable security bugs in software.

More Information (MSRD on docs.microsoft.com)

BinSkim

BinSkim is a lightweight Portable Executable (PE) scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.

More Information (BinSkim on GitHub)

TSLint

TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors and build systems and can be customized with your own lint rules, configurations, and formatters. TSLint is an open source tool.

More Information (TSLint on GitHub)

Anti-Malware Scanner

The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis extension. It must be run on a build agent that already has Windows Defender installed.

More Information

For more details and to sign up for the private preview, visit https://aka.ms/sca-docs