Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud
With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), GitHub, and Azure DevOps (ADO).
To protect your GitHub-based resources, you can connect your GitHub organizations on the environment settings page in Microsoft Defender for Cloud. This page provides a simple onboarding experience (including auto-discovery).
By connecting your GitHub repositories to Defender for Cloud, you'll extend Defender for Cloud's enhanced security features to your GitHub resources. These features include:
Defender for Cloud's Cloud Security Posture Management (CSPM) features - Assesses your GitHub resources according to GitHub-specific security recommendations. You can also learn about all of the recommendations for DevOps resources. Resources are assessed for compliance with built-in standards that are specific to DevOps. Defender for Cloud's asset inventory page is a multicloud-enabled feature that helps you manage your GitHub resources alongside your Azure resources.
Defender for Cloud's Cloud Workload Protection features - Extends Defender for Cloud's threat detection capabilities and advanced defenses to your GitHub resources.
Prerequisites
An Azure account with Defender for Cloud onboarded. If you don't already have an Azure account, create an account for free.
To use all advanced security capabilities provided by GitHub Connector in Defender for DevOps, you need to have GitHub Enterprise with GitHub Advanced Security (GHAS) enabled.
Availability
Note
During the preview, the maximum number of GitHub repositories that can be onboarded to Microsoft Defender for Cloud is 2,000. If you try to connect more than 2,000 GitHub repositories, only the first 2,000 repositories, sorted alphabetically, will be onboarded.
If your organization is interested in onboarding more than 2,000 GitHub repositories, please complete this survey.
Aspect | Details |
---|---|
Release state: | Preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
Pricing: | For pricing, see the Defender for Cloud pricing page. |
Required permissions: | - Azure account: with permissions to sign in to the Azure portal - Contributor: on the Azure subscription where the connector will be created - Security Admin Role: in Defender for Cloud - Organization Administrator: in GitHub |
GitHub supported versions: | GitHub Free, Pro, Team, and GitHub Enterprise Cloud |
Regions: | Australia East, Central US, West Europe |
Connect your GitHub account
To connect your GitHub account to Microsoft Defender for Cloud:
Sign in to the Azure portal.
Navigate to Microsoft Defender for Cloud > Environment Settings.
Select Add environment.
Select GitHub.
Enter a name (limit of 20 characters), select your subscription, resource group, and region.
Note
The subscription will be the location where Defender for DevOps will create and store the GitHub connection.
Select Next: Select plans.
Select Next: Authorize connection.
Select Authorize to grant your Azure subscription access to your GitHub repositories. Sign in, if necessary, with an account that has permissions to the repositories you want to protect.
Note
The authorization will automatically sign in using the session from your browser tab. After you select Authorize, if you do not see the GitHub organizations you expect to see, check whether you are logged in to Microsoft Defender for Cloud (MDC) in one browser tab and logged in to GitHub in another browser tab. After authorization, if you wait too long to install the DevOps application, the session will time out and you will receive an error message.
Select Install.
Select the repositories to install the GitHub application.
Note
This will grant Defender for DevOps access to the selected repositories.
Select Next: Review and create.
Select Create.
When the process completes, the GitHub connector appears on your Environment settings page.
The Defender for DevOps service automatically discovers the repositories you selected and analyzes them for any security issues. Initial repository discovery can take up to 10 minutes during the onboarding process.
When auto-discovery is selected during the onboarding process, it can take up to 4 hours for repositories to appear after onboarding is completed. The auto-discovery process detects any new repositories and connects them to Defender for Cloud.
The Inventory page populates with your selected repositories, and the Recommendations page shows any security issues related to a selected repository. This can take up to 3 hours or more.
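The limits stated on this page (a 20-character connector name, three preview regions, and a 2,000-repository cap applied in alphabetical order) can be checked before onboarding, so that any repositories that would be left without coverage are known in advance. The following Python is an added example, not Microsoft code; the `preflight` function, the sample names, and the case-insensitive sort order are assumptions.

```python
# Added example: pre-flight check of a planned GitHub connector against the
# limits stated on this page. Not Microsoft code; all names are hypothetical.
from dataclasses import dataclass, field

MAX_NAME_LEN = 20   # "Enter a name (limit of 20 characters)"
MAX_REPOS = 2000    # preview onboarding cap
PREVIEW_REGIONS = {"australia east", "central us", "west europe"}


@dataclass
class Preflight:
    errors: list = field(default_factory=list)
    onboarded: list = field(default_factory=list)
    not_onboarded: list = field(default_factory=list)  # repos left without coverage


def preflight(name, region, repo_names, limit=MAX_REPOS):
    """Validate connector settings and split repos at the alphabetical cutoff."""
    result = Preflight()
    if not name or len(name) > MAX_NAME_LEN:
        result.errors.append(f"connector name must be 1-{MAX_NAME_LEN} characters")
    if region.strip().lower() not in PREVIEW_REGIONS:
        result.errors.append(f"region {region!r} is not in the preview region list")
    # Assumption: "sorted alphabetically" is treated as case-insensitive ordering;
    # the page does not state the exact collation.
    ordered = sorted(set(repo_names), key=lambda r: (r.casefold(), r))
    result.onboarded = ordered[:limit]
    result.not_onboarded = ordered[limit:]
    if result.not_onboarded:
        result.errors.append(
            f"{len(result.not_onboarded)} repositories fall past the "
            f"{limit}-repository cap, starting at {result.not_onboarded[0]!r}")
    return result


if __name__ == "__main__":
    # Constructed sample: 2,003 repository names for a hypothetical organization.
    repos = [f"svc-{i:04d}" for i in range(2000)]
    repos += ["Zeta-api", "web-portal", "xray-tools"]
    report = preflight("contoso-github-prod", "West Europe", repos)
    for err in report.errors:
        print("WARN:", err)
    print("not onboarded:", report.not_onboarded)
```

Feed it the organization's real repository names; anything in `not_onboarded` needs a separate coverage plan until the cap is raised.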
Learn more
You can learn more about how Azure and GitHub integrate.
Learn about security hardening practices for GitHub Actions.
Next steps
Learn more about Defender for DevOps.
Learn how to configure the MSDO GitHub action.
Learn how to configure pull request annotations in Defender for Cloud.