icon-zwp.svg
Posture Control (ZPC)

Configuring IaC Scan for Azure Repos

This article provides step-by-step instructions for integrating the Zscaler IaC Scan app with Azure Repos. The integration enables the IaC Scan app to scan and monitor your Infrastructure-as-code (IaC) files for misconfigurations.

Prerequisites

Only the Azure DevOps organization owner can onboard the Azure organization and accounts.

Before proceeding with the integration, you must enable and authorize the ZPC Admin Portal via OAuth to access the Azure organization and accounts.

  1. On the Azure DevOps console, go to Organization Settings > Security > Policies.
  2. Under Application connection policies, enable the third-party application access via OAuth. To learn more, see the Azure DevOps documentation.

Configuring the Zscaler IaC Scan App for Azure Repos

To configure the Zscaler IaC Scan app for Azure Repos:

  1. Go to Administration > Version Control & CI/CD Systems.
  2. On the IaC Integrations page, click Add IaC Integration.

  1. Under General Information:
  • For IaC Scanner Type, select Code Repository.
  • For Platform, select Azure Repos.

  1. Click Next.
  2. Under Configuration, click Authorize App from Azure DevOps to install the IaC Scan app in the Azure DevOps account. The authorization establishes the connection between Azure DevOps and the ZPC Admin Portal to enable IaC scanning of the Azure repositories.
    1. Log in to your Azure DevOps account.
    2. Go through the list of actions that ZPC can perform on Azure DevOps.
    3. Click Accept.

    You are redirected back to the Configuration page in the ZPC Admin Portal.

    Close

  1. Click Next.
  2. Under Organization, select the required Azure organization.

You can only add one organization at a time and you cannot select organizations that are already onboarded. Repeat the integration steps to add multiple organizations, even if they are within the same Azure account.

  1. Click Next.
  2. Under Choose Azure Repositories, select the checkboxes for the repositories that must be enabled for scanning.

The date and time format displayed is based on the browser locale.

  1. Click Next.
  2. (Optional) Under Advanced Settings:
  • Scan on Push: Click the toggle to scan the code for a push command. The IaC Scan app performs the scan in the background and triggers alert notifications for any policy violations and displays the alerts in the ZPC Admin Portal. To learn more, see About Alerts.
  • Include Paths: Click the Edit icon to include the path of the specific folder within the repository that must be scanned. For example, if you define an include path for a single file, then only that file is scanned and all other files and folders within the repository are ignored. You can also use regular expressions (regex) to search for and include files or folders that must be scanned:
    • Regex Pattern Description Example
      /**/ Match zero or more directories

      If you type charts/**, then the following files are included:

      • charts/docker.yml
      • charts/stub
      • charts/stub/config.yml
      • charts/server/conf/app1/app.yml

      **/

      Match any directory/directories, start of pattern only

      If you type **/internal/test/**, then the following files are included:

      • root/internal/test/stub.txt
      • internal/test/stub.txt
      • /internal/test/server
      • root/internal/test

      /**

      Match any directory/directories, end of pattern only

      If you type monorepo/**/terraform/**, then the following files are included:

      • monorepo/terraform/doc.tf
      • monorepo/app1/terraform
      • monorepo/app1/terraform/stub.yml
      • monorepo/app1/app2/terraform
      * Match any non-separator character

      If you type *repo/**/terraform/**, then the following files are included:

      • monorepo/terraform/doc.tf
      • monorepo/app1/terraform
      • publicrepo/app1/terraform/stub.yml
      • newrepo/app1/app2/terraform

      !

      Excludes all matches from the result set, start of pattern only

      If you type !**/internal/test/**, then the following files are excluded:

      • root/internal/test/stub.txt
      • internal/test/stub.txt
      • /internal/test/server
      • root/internal/test
      Close
  • Fail Check Criteria: Fail check criteria is applicable to only pull requests based on policy severity. Select the security threshold for the policy (Critical, High, Medium, or Low) from the drop-down list.

You can apply a security threshold to each repository. For example, if the fail check criteria is set as Critical and High and there are only violations with Medium or Low severity, then the Zscaler IaC Scan does not fail the pull request.

  1. Click Finish.

The integrated account is displayed on the Version Control & CI/CD Systems page.

Viewing the IaC Scan Results

The IaC Scan app scans the IaC repositories, detects policy violations, and displays the results within the code. You can see the total policies along with passed and failed findings. This information indicates if the code is violation-free for the policies evaluated or if none of the policies were evaluated for this resource. You can see the policy title and ID, severity, and resource details after the line of code that has issues.

The ZPC service generates alerts for IaC policy violations. You can view these alerts in the ZPC Admin Portal. You can also configure alert notifications for ZPC to send email notifications to recipients or send the alert data to third-party tools. To learn more, see About Alerts.

Enabling Branch Protection

You can enable the branch protection settings on Azure DevOps to prevent the merging of code with the main branch if the code contains policy violations.

The option to enable branch protection is available after you run the Zscaler IaC scan once on any one pull request.

To enable the branch protection setting:

  1. Log in to the Azure DevOps UI.
  2. Go to Repo > Branches.
  3. Select the required branch that you want to protect.
  4. Click the Settings icon to the right, then select Branch Policies.

  1. Scroll down to the Status Checks section.
  2. Select Zscaler IaC Scan from the Satus to check drop-down menu.
  3. Select Required under Policy requirement.

  1. Click Save.

Resolving Failed Integrations

Use Case 1

There can be scenarios where an Azure Repo integration that was working earlier is disrupted (e.g. when a user accidentally unauthorizes the Zscaler IaC Scan in Azure DevOps or if the authorization token is corrupted in the ZPC Admin Portal). Instead of deleting the integration and repeating the configuration steps again, you can reauthorize the existing integration.

When an integration fails, the Integration Status is displayed as Failed in the ZPC Admin Portal.

To reauthorize an Azure Repo integration:

  1. Go to Version Control & CI/CD Systems.
  2. Under Version Control Systems, click the Azure Repos tab.
  3. Search for the integration that has failed.
  4. Hover the mouse over the Failed status to see the following tooltip: "Click here to reauthorize this integration."

  1. Click the tooltip to go to the Configuration page.
  2. Click Authorize App from Azure DevOps to re-establish the connection between Azure DevOps and the ZPC Admin Portal, and enable IaC scanning of the Azure repositories.

A confirmation message appears indicating that the reauthorization is successful and you are redirected to the Version Control & CI/CD Systems page. The Integration Status is displayed as "Success" for that integration.

Use Case 2

For failed integrations, the Integration Status is displayed as Failed in the ZPC Admin Portal. In this case, if you offboard the tenant or unsubscribe from the IaC service entitlement, then the integration is deleted from ZPC but the webhooks are not deleted from the Azure repository. You need to manually delete the webhooks.

If you don't delete the webhooks, then you might not be able to integrate the Azure account whenever you subscribe for the IaC entitlement again.

Related Articles
Configuring IaC Scan for GitHubConfiguring IaC Scan for GitLabConfiguring IaC Scan for Azure ReposConfiguring IaC Scan for Bitbucket