{"id":62285,"date":"2021-09-07T04:00:51","date_gmt":"2021-09-07T12:00:51","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=62285"},"modified":"2021-08-31T08:30:08","modified_gmt":"2021-08-31T16:30:08","slug":"azurefunbytes-episode-54-github-integration-with-azure-and-shifting-left","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/azurefunbytes-episode-54-github-integration-with-azure-and-shifting-left\/","title":{"rendered":"AzureFunBytes Episode 54 &#8211; @GitHub Integration with @Azure and Shifting Left"},"content":{"rendered":"<p>AzureFunBytes is a weekly opportunity to learn more about the fundamentals and foundations that make up Azure. It&#8217;s a chance for me to understand more about what people across the Azure organization do and how they do it. Every week we get together at 11 AM Pacific on <a href=\"https:\/\/cda.ms\/226\">Microsoft LearnTV<\/a> and learn more about Azure.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/res.cloudinary.com\/practicaldev\/image\/fetch\/s--Z7BxBMz1--\/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880\/https:\/\/dev-to-uploads.s3.amazonaws.com\/uploads\/articles\/j2xzw2g664tj31jij13t.gif\" alt=\"AzureFunBytes animation\" \/><\/p>\n<p>Security is not an option when deploying applications. Considerations into what keeps your users safe must be part of your software delivery lifecycle. Whether it&#8217;s adding correct firewall rules to a server or knowing your <code>npm<\/code> package dependencies don&#8217;t have cryptocurrency miners, you must always take steps to further your security posture. There&#8217;s no reason to wait until after deployment to consider security. If we begin the process of securing, scanning, and shifting left, we can greatly reduce our potential for intrusions.<\/p>\n<p>What do I mean by <a href=\"https:\/\/cda.ms\/2s3\">shifting left<\/a>? 
The goal for <em>shifting left<\/em> is to move quality upstream by performing security-focused tasks earlier in the pipeline. Rather than play catch-up after a potential security incident, developers can reduce their exposure to troublesome incidents by utilizing DevSecOps practices.<\/p>\n<p>What is DevSecOps? Azure&#8217;s DevOps solutions page defines it as:<\/p>\n<p>DevSecOps involves <strong>utilizing security best practices from the beginning of development<\/strong>, shifting the focus on security away from auditing at the end and towards development in the beginning using a <a href=\"https:\/\/cda.ms\/2sb\">shift-left strategy<\/a>.<\/p>\n<p>This week on AzureFunBytes I welcome <a href=\"https:\/\/www.linkedin.com\/in\/lavanya-kasarabada-06665091\/\">Lavanya Kasarabada<\/a> to help me understand how <a href=\"https:\/\/cda.ms\/2s9\">DevSecOps<\/a> can create a better environment for your applications. Lavanya Kasarabada is a Senior Program Manager with the Azure Security Team. She works on Container and Serverless Security!<\/p>\n<p>Lavanya covers how to secure your container workloads. 
She discusses how the <a href=\"https:\/\/cda.ms\/2sc\">GitHub integration with Azure<\/a> will provide end to end traceability and visibility into shift left security assessments.<\/p>\n<p>Our agenda includes:<\/p>\n<ul>\n<li>Enabling Defender for Containers<\/li>\n<li>Enabling and configuring Vulnerability scanning in GitHub workflow<\/li>\n<li>Viewing detailed results in <a href=\"https:\/\/cda.ms\/2sf\">Azure Security Center<\/a><\/li>\n<\/ul>\n<p><iframe title=\"AzureFunBytes Episode 54 - @GitHub integration with @Azure and shifting left\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/5nqI8sqecL8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/youtu.be\/5nqI8sqecL8\">00:00:00 &#8211; Opening<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=197\">00:03:17 &#8211; Let&#8217;s meet Lavanya<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=345\">00:05:45 &#8211; Satya commits to $20 Billion to advance security solutions<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=399\">00:06:39 &#8211; So how did you get here?<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=446\">00:07:26 &#8211; What do we mean by &#8220;shift-left&#8221; exactly?<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=660\">00:11:00 &#8211; A DevSecOps data flow<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=1286\">00:21:26 &#8211; Value proposition<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=1383\">00:23:03 &#8211; Security Scenarios<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=1492\">00:24:52 &#8211; Personas in our organization<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=1667\">00:27:47 &#8211; Public Preview Release<\/a><br \/>\n<a 
href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=1842\">00:30:42 &#8211; Azure Security Center Demo<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=2046\">00:34:06 &#8211; GitHub Actions workflow and security scanning<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=2261\">00:37:41 &#8211; Let&#8217;s look at the build logs<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=2550\">00:42:30 &#8211; Reviewing scan results<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=2805\">00:46:45 &#8211; Recommendations and score<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=2984\">00:49:44 &#8211; Azure Defender<\/a><br \/>\n<a href=\"https:\/\/youtu.be\/5nqI8sqecL8?t=3232\">00:53:52 &#8211; What&#8217;s your biggest challenge with the ASC product today?<\/a><\/p>\n<p>We&#8217;ll dive into how all the parts fit together and learn to <em>shift-left<\/em> on Azure.<\/p>\n<hr \/>\n<p>Learn about Azure fundamentals with me!<\/p>\n<p>Live stream is normally found on Twitch, YouTube, and <a href=\"https:\/\/cda.ms\/226\">LearnTV<\/a> at 11 AM PT \/ 2 PM ET Thursday. 
You can also find the recordings here:<\/p>\n<p><a href=\"https:\/\/twitch.tv\/azurefunbytes\">AzureFunBytes on Twitch<\/a><br \/>\n<a href=\"https:\/\/aka.ms\/jaygordononyoutube\">AzureFunBytes on YouTube<\/a><br \/>\n<a href=\"https:\/\/www.youtube.com\/channel\/UC-ikyViYMM69joIAv7dlMsA\">Azure DevOps YouTube Channel<\/a><br \/>\n<a href=\"https:\/\/twitter.com\/azurefunbytes\">Follow AzureFunBytes on Twitter<\/a><\/p>\n<p>Useful Docs:<\/p>\n<p><a href=\"https:\/\/cda.ms\/219\">Get $200 in free Azure Credit<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/243\">Microsoft Learn: Introduction to Azure fundamentals<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2s6\">DevSecOps<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2s7\">Enable DevSecOps with Azure and GitHub<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2s8\">DevOps solutions on Azure<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2s9\">DevSecOps in Azure<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2sb\">Shift left to make testing fast and reliable<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2sc\">Azure Security Center integration with GitHub Actions, in public preview<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2sd\">Azure Security Center<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2s\">Identify vulnerable container images in your CI\/CD workflows<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2sJa\">Use Azure Defender for container registries to scan your images for vulnerabilities<\/a><br \/>\n<a href=\"https:\/\/cda.ms\/2sM\">Scaling DevSecOps with GitHub and Azure<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security is not an option when deploying applications. Considerations into what keeps your users safe must be part of your software delivery lifecycle. 
Whether it&#8217;s adding correct firewall rules to a server or knowing your npm package dependencies don&#8217;t have cryptocurrency miners, you must always take steps to further your security posture.<\/p>\n","protected":false},"author":39313,"featured_media":62286,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,1],"tags":[],"class_list":["post-62285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops"],"acf":[],"blog_post_summary":"<p>Security is not an option when deploying applications. Considerations into what keeps your users safe must be part of your software delivery lifecycle. Whether it&#8217;s adding correct firewall rules to a server or knowing your npm package dependencies don&#8217;t have cryptocurrency miners, you must always take steps to further your security posture.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/62285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/39313"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=62285"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/62285\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/62286"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=62285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp
\/v2\/categories?post=62285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=62285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}