Microsoft Defender for Cloud Command‑Line Interface (Defender for Cloud CLI) lets you embed security scanning directly in your continuous integration and continuous deployment (CI/CD) workflows. The CLI orchestrates security scanners and can run locally for developers.
Key capabilities
- Container‑image vulnerability assessment and automatic ingestion into Cloud Security Explorer.
- Unified, cross‑platform CLI that works with any CI/CD tools.
- Standards‑based SARIF output that integrates with pull‑request annotations and quality gates.
- Token‑based authentication scoped to a single Azure subscription for granular control or Azure DevOps Connector authentication.
Prerequisites
- An Azure subscription with Defender for Cloud onboarded. If you don't already have an Azure account, create one for free.
- Defender CSPM enabled.
- One of the following CI/CD pipeline tools: Azure Pipelines, GitHub Actions, Jenkins, BitBucket Pipelines, GitLab, Google Cloud Build, Bamboo, CircleCI, Travis CI, TeamCity, Oracle DevOps services, or AWS CodeBuild.
- A Windows or Linux/WSL terminal for local desktop scans.
- Security Admin permission to create the client ID and secret tokens if you use token‑based authentication, or an established Azure DevOps or GitHub connector if you use connector‑based authentication.
Authentication setup
Defender for Cloud CLI supports two authentication methods to align with enterprise security practices. Connector-based authentication is currently available and the preferred method of authentication for Azure DevOps and GitHub.
Configure your CI/CD pipeline
Choose the configuration example that matches your CI/CD platform and authentication method.
Azure DevOps (Connector-based authentication)
- task: MicrosoftDefenderCLI@2
  inputs:
    command: 'run'
    scanType: 'image'
    imageName: $(ImageName)
    break: false
GitHub (Token-based authentication)
- name: Download Defender for Cloud CLI
  run: |
    curl -L -o defender "https://aka.ms/defender-cli_linux-x64" && chmod +x defender
- name: Run Defender for Cloud CLI Scan (Built)
  run: |
    # replace image-name with the container image that was built
    ./defender scan image '${{ image-name }}'
  continue-on-error: true
  env:
    DEFENDER_TENANT_ID: ${{ secrets.DEFENDER_TENANT_ID }}
    DEFENDER_CLIENT_ID: ${{ secrets.DEFENDER_CLIENT_ID }}
    DEFENDER_CLIENT_SECRET: ${{ secrets.DEFENDER_CLIENT_SECRET }}
Jenkins (Token-based authentication)
environment {
    DEFENDER_TENANT_ID = credentials('defender-tenant-id')
    DEFENDER_CLIENT_ID = credentials('defender-client-id')
    DEFENDER_CLIENT_SECRET = credentials('defender-client-secret')
}
stage('Download & Run Defender for Cloud CLI') {
    steps {
        script {
            node {
                sh 'curl -L -o defender "https://aka.ms/defender-cli_linux-x64"'
                sh 'chmod +x defender'
                // single quotes: ${IMAGE_NAME} is expanded by the shell from the job environment, not by Groovy
                sh './defender scan image ${IMAGE_NAME}'
            }
        }
    }
}
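The pipeline snippets above set `break: false` or `continue-on-error: true`, so the scan step itself does not decide whether the build passes; a separate gate step can make that decision from the SARIF report. The following is an added example, not code from the Defender for Cloud CLI or this page, and it assumes the scan's SARIF output has already been written to a file (the CLI flag or path for that is not shown here); the embedded SARIF document is constructed sample data, not real scanner output.

```python
"""Quality gate over a SARIF 2.1.0 report: fail the build when findings at or above a severity exceed a limit."""
import json
import sys
from collections import Counter

# SARIF result 'level' values ranked from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF document for demonstration; rule IDs and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-image-scanner"}},
        "results": [
            {"ruleId": "EX-0001", "level": "error", "message": {"text": "vulnerable library version"}},
            {"ruleId": "EX-0002", "level": "warning", "message": {"text": "outdated package"}},
            {"ruleId": "EX-0003", "level": "warning", "message": {"text": "outdated base image"}},
            {"ruleId": "EX-0004", "message": {"text": "informational finding, no level set"}},
        ],
    }],
})


def count_by_level(sarif_text: str) -> Counter:
    """Count results per 'level' across all runs; a missing level is treated as 'warning' (the SARIF default)."""
    counts: Counter = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts


def gate(sarif_text: str, fail_on: str = "error", max_allowed: int = 0):
    """Return (passed, findings): findings is the number of results at or above fail_on severity."""
    threshold = LEVEL_RANK[fail_on]
    counts = count_by_level(sarif_text)
    findings = sum(n for level, n in counts.items() if LEVEL_RANK.get(level, 0) >= threshold)
    return findings <= max_allowed, findings


if __name__ == "__main__":
    # Usage: python gate.py <report.sarif> [fail_on] [max_allowed]; with no file, runs on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    level = sys.argv[2] if len(sys.argv) > 2 else "error"
    limit = int(sys.argv[3]) if len(sys.argv) > 3 else 0
    passed, n = gate(text, level, limit)
    print(f"{'PASS' if passed else 'FAIL'}: {n} finding(s) at level >= {level} (limit {limit})")
    sys.exit(0 if passed else 1)
```

Run it as a step after the scan; its non-zero exit status is what fails the pipeline, which keeps the scan step itself non-blocking as the snippets configure it.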