Defender for DevOps helps unify, strengthen, insights to prioritize remediation and manage DevOps security posture across multi-pipeline environments, such as GitHub and Azure DevOps:
Unified visibility into DevOps security posture: Security administrators now have full visibility into DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans. They can configure their DevOps resources across multi-pipeline and multicloud environments in a single view.
Discover misconfigurations in Infrastructure as Code (IaC), Detect exposed secrets in code and Enable pull request annotations in GitHub and Azure DevOps:
Strengthen cloud resource configurations throughout the development lifecycle: You can enable security of Infrastructure as Code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments, allowing security administrators to focus on any critical evolving threats.
Prioritize remediation of critical issues in code: Apply comprehensive code to cloud contextual insights within Defender for Cloud. Security admins can help developers prioritize critical code fixes with Pull Request annotations and assign developer ownership by triggering custom workflows feeding directly into the tools developers use and love.
Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.
The Microsoft Security DevOps uses the following Open Source tools:
| Name | Language | License |
|---|---|---|
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary--Windows, ELF | MIT License |
| ESlint | JavaScript | MIT License |
| Credscan | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files common types: default passwords, SQL connection strings, Certificates with private keys |
Not Open Source |
| Template Analyzer | ARM template, Bicep file | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation | Apache License 2.0 |
| Trivy | container images, file systems, git repositories | Apache License 2.0 |
Defender for DevOps capabilities:
Surface DevOps security posture insights in a single console: Give security admins full visibility into the security posture of preproduction application code and resource configurations across GitHub, Azure DevOps, and multicloud environments.
Automatically discover your DevOps inventory: View your organization’s entire DevOps inventory to automatically discover rogue codebases across GitHub and Azure DevOps.
Help secure cloud infrastructure in code: Enable security of infrastructure-as-code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments.
Prioritize remediation of critical issues in code: Utilize deep threat landscape context to help developers prioritize critical code fixes with actionable feedback. Assign developer ownership by triggering custom workflows that feed directly into the tools developers use and love.
Microsoft Defender for DevOps - the benefits and features | Microsoft Learn
https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action
Configure the Microsoft Security DevOps Azure DevOps extension