- After close to 5 years of active development, the PowerShell/Automation-based "Secure DevOps Kit for Azure (AzSK)" is being phased out through FY21. We are transitioning to a more scalable and robust solution called Azure Tenant Security scanner (AzTS) which is based on Azure Functions and a central scan model where scans are performed via a managed identity with Reader access to subscriptions configured at management group level. This new approach helps us scale efficiently and with less process overhead to get the same level of visibility to compliance of several thousand subscriptions. It is also designed to help accelerate our migration to native security offerings in Azure such as Policy, Security Center, Management Groups, Azure Resource Graph, etc.
- At the Core Services Engineering and Operations (CSEO) division, we plan to phase out AzSK-based Continuous Assurance completely during Q3-FY21 and, furthermore, eliminate our other dependencies on AzSK (ARM Checker, DevOps Kit CICD Extensions, etc.) during Q4-FY21. We will support important bug fixes in AzSK till end of FY21. However, new security controls and features will be added only to AzTS going forward. The AzSK project repo will remain available on GitHub FY22 and beyond but without active maintenance.
- The new solution, AzTS, is available at https://aka.ms/devopskit/AzTS. This was developed by the same team that built AzSK and we have been using it to scan close to 100,000 Azure subscriptions daily for baseline control compliance across our environment over the last several months.
- As promised to all internal and external users of AzSK, we will continue to share CSEO's internal approach for cloud security and compliance and our migration path towards exclusively using native security capabilities in Azure. We believe AzTS takes us a big step closer to that. If you have a dependency on AzSK, please consider either migrating to AzTS or switching to using an approach based on native capabilities such as Azure Policy, Management Groups, Security Center, etc.
The points above are about the AzSK module which is Azure-specific. For the other modules (AAD scanner, ADO scanner), we have the following guidance:
- ADO Scanner module (AzSK.ADO) will continue to be updated and maintained by our team. It is being actively used for surfacing security risks and remediating issues in our development environments. You can directly access the ADO Scanner project at https://aka.ms/adoscanner.
- The AAD Scanner (AzSK.AAD) has been in preview mode. We have not done further development on it and there are no plans to resume work at present.
- Right from the time we started, we have treated AzSK as a community effort. Early adopters and users of the kit (both MS internal and external members) regularly suggested improvements - some in overview discussions, some in targeted use case/solutioning efforts and some others just over email. Almost every appealing AzSK feature we added after the initial launch has a mark of someone from outside our core team!! The toolkit matured and came a long way because of contributions from collaborators like you and we would like to thank you whole-heartedly for your inputs, ideas and contributions and, equally importantly, the confidence you expressed in us all through this journey.