{"id":57956,"date":"2019-11-06T07:02:50","date_gmt":"2019-11-06T15:02:50","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=57956"},"modified":"2019-11-25T09:40:18","modified_gmt":"2019-11-25T17:40:18","slug":"secure-software-supply-chain-with-azure-pipelines-artifact-policies","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/secure-software-supply-chain-with-azure-pipelines-artifact-policies\/","title":{"rendered":"Secure software supply chain with Azure Pipelines artifact policies"},"content":{"rendered":"<p>We are announcing a preview capability for <a href=\"https:\/\/azure.com\/pipelines\">Azure Pipelines<\/a> allowing you to define artifact policies that are enforced before deploying to critical environments such as production. You will be able to define <a href=\"https:\/\/aka.ms\/AA6e0a2\">custom policies<\/a> that are evaluated against all the deployable artifacts in a given pipeline run and block the deployment if the artifacts don\u2019t comply. At launch, we support container images and Kubernetes environments; support for other artifact types and target environment resources will be added in the coming months.<\/p>\n<p>This feature is currently in private preview, and if you\u2019d like to participate, please <a href=\"mailto:RM_Customer_Queries@microsoft.com\">drop us a note<\/a>.<\/p>\n<p>Teams know how valuable and sensitive production environments are, and changes to them usually require following multiple checklists suggested by the security, operations and engineering teams, among others. 
However, sometimes the protocol is not fully respected; when that happens, audit teams raise red flags, and after some root-cause analysis and soul searching, teams settle on an updated process that prevents the lapse from recurring and most likely increases their mean time to deliver (MTD).<\/p>\n<p>At a high level, an application environment can be described as three layers: infrastructure, application platform and application.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/Screen-Shot-2019-11-04-at-14.10.21.png\" alt=\"Application layers\" width=\"1506\" height=\"594\" class=\"wp-image-57962\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/Screen-Shot-2019-11-04-at-14.10.21.png 1506w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/Screen-Shot-2019-11-04-at-14.10.21-300x118.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/Screen-Shot-2019-11-04-at-14.10.21-768x303.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/Screen-Shot-2019-11-04-at-14.10.21-1024x404.png 1024w\" sizes=\"(max-width: 1506px) 100vw, 1506px\" \/><\/p>\n<p>Each of these layers can be described as code, and each comes with its own set of best practices to adopt. 
This article focuses on the application layer, which is updated most frequently and is the interface through which external systems and users interact.<\/p>\n<p>So, when it comes to the <em>checklist<\/em> for an application update, what are the usual suspects?<\/p>\n<p>For example:<\/p>\n<ul>\n<li>Allow application binaries from trusted sources<\/li>\n<li>Application binaries have been built from a trusted source control repository<\/li>\n<li>Allow production deployment only when an application has been deployed and tested in a staging environment<\/li>\n<li>Static analysis tools such as code coverage and lint have been run (with acceptable thresholds)<\/li>\n<li>Application bits have run specific tests (with acceptable thresholds)<\/li>\n<li>No known vulnerabilities found above severity level: medium<\/li>\n<li>Green light from a custom tool<\/li>\n<\/ul>\n<p>This is a supply chain problem: the goods (the application artifact) to be delivered (to the production system) go through various waypoints (build, test, analysis), and the shipment is tracked in a waybill (a record of where the artifact originated and the processes it has been through). Not surprisingly, the term <em>Software<\/em> supply chain has gained traction in recent years. Let\u2019s say we have an artifact carrying all the attributes recorded for the build, tests and other processes it has been through, and there are policies defined by the teams collectively: can we now eliminate the manual intervention before production deployment? 
Here\u2019s how artifact policies can be put to work.<\/p>\n<p>The artifact policy is configured as a <a href=\"https:\/\/aka.ms\/AA6e0a1\">Check<\/a> on an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/devops\/pipelines\/process\/environments\">Environment<\/a>.<\/p>\n<p><img decoding=\"async\" width=\"425\" height=\"420\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-1.png\" class=\"wp-image-57957\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-1.png 425w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-1-300x296.png 300w\" sizes=\"(max-width: 425px) 100vw, 425px\" \/> <img decoding=\"async\" width=\"1142\" height=\"460\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-2.png\" class=\"wp-image-57958\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-2.png 1142w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-2-300x121.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-2-768x309.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-2-1024x412.png 1024w\" sizes=\"(max-width: 1142px) 100vw, 1142px\" \/> <img decoding=\"async\" width=\"491\" height=\"698\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-3.png\" class=\"wp-image-57959\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-3.png 491w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-3-211x300.png 211w\" sizes=\"(max-width: 491px) 100vw, 491px\" \/><\/p>\n<p>Check configuration lets you specify custom policies to enforce; we have a set of <a 
href=\"https:\/\/aka.ms\/AA6dsy3\">examples<\/a> to help you get started. The policy is evaluated with the <a href=\"https:\/\/openpolicyagent.org\">Open Policy Agent<\/a>.<\/p>\n<p>After you define a policy, whenever a container image is built, tested or deployed, metadata is automatically attached to the resulting artifact (the container image); you can even add custom metadata if desired. When a stage targets an environment that has the Artifact policy check configured, the custom policies are evaluated before the deployment stage runs. As part of the evaluation, metadata for all the pipeline images (images either consumed via resources or built in any previous stage) is retrieved and the policy is evaluated for every deployable image. If the images comply, they can be deployed; otherwise the pipeline halts with an error, as in this example:<\/p>\n<p><img decoding=\"async\" width=\"545\" height=\"307\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-4.png\" class=\"wp-image-57960\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-4.png 545w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2019\/11\/word-image-4-300x169.png 300w\" sizes=\"(max-width: 545px) 100vw, 545px\" \/><\/p>\n<p>And there it is: Azure Pipelines captures each artifact\u2019s provenance and provides a mechanism to enforce custom policies before artifacts can be deployed to a production environment \u2013 instantly, without you having to validate them manually every single time!<\/p>\n<p>You can learn more by looking at the <a href=\"https:\/\/aka.ms\/AA6e0a1\">artifact policy check documentation<\/a> and reading about <a href=\"https:\/\/aka.ms\/AA6e0a2\">writing a custom policy<\/a>. 
Additionally, you can check out <a href=\"https:\/\/aka.ms\/AA6dsy3\">sample policies<\/a>.<\/p>\n<p>If you have any feedback, get in touch by posting on our <a href=\"https:\/\/developercommunity.visualstudio.com\/spaces\/21\/index.html\">Developer Community<\/a> or reaching out on Twitter at <a href=\"https:\/\/twitter.com\/AzureDevOps\">@AzureDevOps<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New preview capabilities for Azure Pipelines let you define artifact policies that are enforced before deploying to critical environments such as production. You will be able to define custom policies that are evaluated against all the deployable artifacts in a given pipeline run and block the deployment if the artifacts don&#8217;t comply.<\/p>\n","protected":false},"author":5233,"featured_media":57960,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,226,251],"tags":[],"class_list":["post-57956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-ci","category-security"],"acf":[],"blog_post_summary":"<p>New preview capabilities for Azure Pipelines let you define artifact policies that are enforced before deploying to critical environments such as production. 
You will be able to define custom policies that are evaluated against all the deployable artifacts in a given pipeline run and block the deployment if the artifacts don&#8217;t comply.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/57956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/5233"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=57956"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/57956\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/57960"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=57956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=57956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=57956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}