Dependency Reviews with GitHub Advanced Security for Azure DevOps (GHAZDO)

Last month GitHub Advanced Security for Azure DevOps (GHAZDO) was released at the Build conference. GHAZDO is the implementation of GitHub Advanced Security on the Azure DevOps platform. On GitHub, Advanced Security (GHAS) has been around for quite a while, but on Azure DevOps it is still in its infancy.

Together with my colleague Randy Pagels I explored the possibilities of GHAZDO, and we found quite a few limitations compared to its big brother GHAS.

One of the features we were missing is Dependency Review. Dependency Review on GHAS allows DevOps teams to see which dependencies they are pulling in and to check whether this introduces any security risk. For example, a developer pulls in a package to get some functionality, and that package is flagged with a High risk vulnerability. When the developer builds the code, commits, merges to main and this is deployed directly, you are at risk.

What we want is to scan every newly added dependency for possible risk. When we see that a dependency carries such a label, we want to fail the build on the Pull Request, so that the package never enters the main codebase.

In GHAS this functionality is available out of the box. Unfortunately this is not the case in GHAZDO (yet...).

The solution

Randy and I wanted to make this work for our own packages as well, so we created something ourselves that resembles the functionality. Let us quickly explain how this works and how to use it yourself.

The solution we built consists of a few parts:

  • A repository with Advanced Security switched on
  • A PowerShell script that can be used in a build. This script has the following steps:
    • Determine which branch we are on
    • Check the dependency scan results (via the API) for critical vulnerabilities
    • Fail the build (exit code 1) when any are found
  • A Pull Request build that:
    • Runs the dependency scan
    • Runs the above PowerShell script

The GHAZDO APIs

The PowerShell script needs to check the results of the dependency scan. At the time of writing, the GHAZDO APIs are not documented yet, but the browser's F12 developer tools are our friend: we can see which APIs the portal calls.

Digging into the developer tools a bit, we find that fetching the alerts calls this URL:

https://advsec.dev.azure.com/{organization}/{project}/_apis/AdvancedSecurity/repositories/{repository}/alerts?criteria.alertType=1&criteria.ref={branchname}&criteria.onlyDefaultBranchAlerts=true&useDatabaseProvider=true

That opens up quite a few possibilities for our PowerShell script. We can add the following code to read the API and check for critical vulnerabilities:

# Call the Advanced Security dependency alerts API.
# $organization, $teamProject, $repoID, $branchname and $ghazdoAccessToken are set earlier in the full script.
$CriticalDependenciesURL = "https://advsec.dev.azure.com/$($organization)/$($teamProject)/_apis/AdvancedSecurity/Repositories/$($repoID)/Alerts?criteria.alertType=1&criteria.branchName=$($branchname)&criteria.onlyDefaultBranchAlerts=true&useDatabaseProvider=true"
Write-Host "URL: $CriticalDependenciesURL"
$response = Invoke-RestMethod -Uri $CriticalDependenciesURL -Headers @{Authorization = $ghazdoAccessToken} -ContentType "application/json" -Method Get
Write-Host "Response: $response"

# Keep only the critical alerts; wrap in @() so that zero or one result still has a .Count
$filteredData = @($response.value | Where-Object { $_.severity -eq "critical" })

# Check the result for critical vulnerabilities and fail the build when any are found
if ($filteredData.Count -gt 0)
{
    Write-Host "Found [$($filteredData.Count)] critical vulnerabilities in the branch" -ForegroundColor Red
    Write-Host "Fail Build"
    exit 1
}
else
{
    Write-Host "No critical vulnerabilities in the branch"
}

For the full script, please check the Gist here.
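To show all three steps from the list above (branch detection, API check, exit code) in one runnable script, here is an added example. It is not the authors' Gist and not part of the original post. The environment variable names are the standard Azure Pipelines ones (SYSTEM_ACCESSTOKEN, SYSTEM_COLLECTIONURI, SYSTEM_TEAMPROJECT, BUILD_REPOSITORY_ID, BUILD_SOURCEBRANCH, SYSTEM_PULLREQUEST_SOURCEBRANCH); the alert JSON shape (a `value` array whose items carry `severity` and `title`, with severities low/medium/high/critical) is an assumption based on the filter in the post; the sample alerts used when the script is run outside a build are constructed. It goes slightly beyond the post by making the blocking severity a parameter, so `-FailOn high` blocks on high and critical alerts, and by reporting each blocking alert as a build error through the `##vso[task.logissue]` logging command.

```powershell
<#
  Added example (not the authors' Gist). Run inside the pipeline with
  "-isInBuild $true"; run locally without arguments to exercise the decision
  logic against constructed sample alerts.
#>
param(
    [bool]$isInBuild = $false,
    # Lowest severity that should block the merge (assumed severity labels).
    [ValidateSet('low', 'medium', 'high', 'critical')]
    [string]$FailOn = 'critical'
)

# Step 1: determine which branch to query.
# On a PR validation build, Build.SourceBranch is refs/pull/<id>/merge, so
# prefer the PR's source branch; otherwise use the branch being built.
function Get-ScanBranchName {
    $ref = $env:SYSTEM_PULLREQUEST_SOURCEBRANCH
    if (-not $ref) { $ref = $env:BUILD_SOURCEBRANCH }
    if (-not $ref) { return 'main' }   # local run: assumed default branch
    return $ref -replace '^refs/heads/', ''
}

# Severity ranking so that "-FailOn high" also catches critical alerts.
$script:SeverityRank = @{ low = 1; medium = 2; high = 3; critical = 4 }

# Step 2: select the alerts that must block the merge.
# Always wrap in @() so that zero or one alert still has a .Count.
function Get-BlockingAlerts {
    param([object[]]$Alerts, [string]$MinimumSeverity = 'critical')
    $threshold = $script:SeverityRank[$MinimumSeverity.ToLower()]
    return @($Alerts | Where-Object {
        $sev = "$($_.severity)".ToLower()
        $script:SeverityRank.ContainsKey($sev) -and $script:SeverityRank[$sev] -ge $threshold
    })
}

# Fetch the alerts from the (undocumented) GHAZDO endpoint used in the post.
function Get-DependencyAlerts {
    param([string]$BranchName)
    $org     = ($env:SYSTEM_COLLECTIONURI -replace '^https://dev\.azure\.com/', '').TrimEnd('/')
    $project = $env:SYSTEM_TEAMPROJECT
    $repoId  = $env:BUILD_REPOSITORY_ID
    $url = "https://advsec.dev.azure.com/$org/$project/_apis/AdvancedSecurity/Repositories/$repoId/Alerts" +
           "?criteria.alertType=1&criteria.branchName=$BranchName&criteria.onlyDefaultBranchAlerts=true&useDatabaseProvider=true"
    # System.AccessToken reaches the script as SYSTEM_ACCESSTOKEN via the task's env block.
    $headers = @{ Authorization = "Bearer $($env:SYSTEM_ACCESSTOKEN)" }
    return (Invoke-RestMethod -Uri $url -Headers $headers -Method Get -ContentType 'application/json').value
}

# Step 3: report every blocking alert and tell the caller whether the review passed.
function Test-DependencyReview {
    param([object[]]$Alerts, [string]$MinimumSeverity)
    $blocking = Get-BlockingAlerts -Alerts $Alerts -MinimumSeverity $MinimumSeverity
    foreach ($a in $blocking) {
        # Surfaces the alert in the build summary as an error.
        Write-Host "##vso[task.logissue type=error]$($a.severity): $($a.title)"
    }
    return ($blocking.Count -eq 0)
}

$branch = Get-ScanBranchName
if ($isInBuild) {
    $alerts = Get-DependencyAlerts -BranchName $branch
} else {
    # Constructed sample response for running the script outside a pipeline.
    $alerts = @(
        [pscustomobject]@{ severity = 'critical'; title = 'Sample critical alert in package-a' },
        [pscustomobject]@{ severity = 'high';     title = 'Sample high alert in package-b' },
        [pscustomobject]@{ severity = 'low';      title = 'Sample low alert in package-c' }
    )
}

if (Test-DependencyReview -Alerts $alerts -MinimumSeverity $FailOn) {
    Write-Host "No $FailOn (or higher) dependency alerts on branch '$branch'"
    exit 0
}
Write-Host "Dependency alerts at or above '$FailOn' found on branch '$branch'; failing build" -ForegroundColor Red
exit 1
```

Run locally, the constructed sample data contains one critical alert, so the script exits with code 1; `-FailOn high` reports two alerts. The URL built in `Get-DependencyAlerts` uses the `criteria.branchName` parameter from the post's script, while the URL captured from the developer tools uses `criteria.ref`; if the endpoint changes, that function is the only place to adjust.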

The Build

Now that we have a PowerShell script, we need to embed it in a build so that it runs every time a Pull Request is filed. We created a new Dependency build that calls the PowerShell script. Make sure that the build can call the REST API by using the System.AccessToken (an older post on using the System.AccessToken in a build can be found here), and make sure that the build is set up to do the dependency scanning as described here:

- task: PowerShell@2
  inputs:
    workingDirectory: '$(System.DefaultWorkingDirectory)'
    filePath: '.azdo/dependencyreview.ps1'
    arguments: '-isInBuild $true'
    failOnStderr: true
    pwsh: true
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Bringing it together

Now that we have a build and a script that can fail it, we can set up a branch protection rule that requires a PR to merge to main, and add the build as a Build validation branch policy. That policy makes sure the build must succeed before the PR can be merged.

Summary

Now that we have set up the build, the PowerShell script and the branch policy, we have created our own Dependency Review.

Hope this helps!
