Overview of Defender for DevOps

Important

Microsoft Defender for DevOps is updated frequently, and some updates require customers who have onboarded their GitHub environments in Defender for Cloud to grant additional permissions to the application deployed in their GitHub organization. These permissions are necessary for all Defender for DevOps security features to operate normally and without issues.

Please see the recent release note for instructions on how to add these additional permissions.

Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat protection across multicloud environments including Azure, AWS, GCP, and on-premises resources. Defender for DevOps, a service available in Defender for Cloud, empowers security teams to manage DevOps security across multi-pipeline environments.

Defender for DevOps uses a central console to give security teams the ability to protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritize remediation in code. Key capabilities in Defender for DevOps include:

  • Unified visibility into DevOps security posture: Security administrators now have full visibility into DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans. They can configure their DevOps resources across multi-pipeline and multicloud environments in a single view.

  • Strengthen cloud resource configurations throughout the development lifecycle: You can enable security scanning of Infrastructure as Code (IaC) templates and container images to minimize the cloud misconfigurations that reach production environments, allowing security administrators to focus on critical, evolving threats.

  • Prioritize remediation of critical issues in code: Apply comprehensive code-to-cloud contextual insights within Defender for Cloud. Security admins can help developers prioritize critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows that feed directly into the tools developers already use.

Defender for DevOps helps unify, strengthen and manage multi-pipeline DevOps security.

Availability

Release state: Preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Clouds: Commercial clouds; National (Azure Government, Microsoft Azure operated by 21Vianet)

Regions: Australia East, Central US, West Europe

Source Code Management Systems: Azure DevOps; GitHub (supported versions: GitHub Free, Pro, Team, and GitHub Enterprise Cloud)

Required permissions:

  • Azure account with permissions to sign in to the Azure portal.
  • Contributor on the relevant Azure subscription.
  • Organization Administrator in GitHub.
  • Security Admin role in Defender for Cloud.

Manage your DevOps environments in Defender for Cloud

Defender for DevOps allows you to manage your connected environments and, through the Defender for DevOps console, provides your security teams with a high-level overview of the issues discovered within them.

Screenshot of the Defender for DevOps dashboard.

Here, you can add GitHub and Azure DevOps environments, customize DevOps workbooks to show your desired metrics, view our guides and give feedback, and configure your pull request annotations.

Understanding your DevOps security

Screenshot of the top of the Defender for DevOps page that shows all of your attached environments and their metrics.

Page sections:

  • Vulnerabilities: Shows the total number of vulnerabilities found by Defender for DevOps. You can organize the results by severity level.
  • Findings and recommendations: Presents the total number of findings by scan type and the associated recommendations for any onboarded resources. Selecting a result takes you to the corresponding recommendations.
  • Connectors: Provides visibility into the number of connectors and repositories that have been onboarded by an environment.

Review your findings

The lower half of the page allows you to review onboarded DevOps resources and the security information related to them.

Screenshot of the lower half of the Defender for DevOps overview page.

On this part of the screen you see:

  • Repositories - Lists onboarded repositories from GitHub and Azure DevOps. View more information about a specific resource by selecting it.

  • Pull request annotation status - Shows whether PR annotations are enabled for the repository.

    • On - PR annotations are enabled.
    • Off - PR annotations aren't enabled.
    • NA - Defender for Cloud doesn't have information about enablement.

    Note

    Currently, this information is available only for Azure DevOps repositories.

  • Exposed secrets - Shows the number of secrets identified in the repositories.

  • OSS vulnerabilities - Shows the number of open source dependency vulnerabilities identified in the repositories.

  • IaC scanning findings - Shows the number of infrastructure as code misconfigurations identified in the repositories.

  • Code scanning findings - Shows the number of code vulnerabilities and misconfigurations identified in the repositories.
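Three of the columns above (exposed secrets, IaC scanning findings and code scanning findings) correspond to scanner categories of the Microsoft Security DevOps (MSDO) GitHub action referenced under Next steps. The workflow below is an added example written for this page, not code from the page or from Microsoft's documentation. It assumes the public microsoft/security-devops-action with its categories input and sarifFile output as documented in that action's README; the action tags used here (@latest, actions/checkout@v4, github/codeql-action/upload-sarif@v3) are this example's choices and should be checked against the current README before use.

```yaml
# Added example: a minimal GitHub Actions workflow that runs the MSDO
# scanners on each push and pull request and publishes the findings as
# SARIF, so they become code scanning alerts on the repository.
# Action names, inputs and outputs follow the public
# microsoft/security-devops-action README; tags are assumptions to verify.
name: MSDO scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read          # checkout only needs read access to the repo
  security-events: write  # required to upload SARIF to the Security tab

jobs:
  msdo:
    # The action is published for ubuntu-latest and windows-latest runners.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps analysis
        id: msdo
        uses: microsoft/security-devops-action@latest
        with:
          # Restrict the run to the categories that feed the dashboard
          # columns above. Omit this input to run every category,
          # which also includes 'artifacts' and 'containers'.
          categories: 'secrets,code,IaC'

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          # The action exposes the path of the generated SARIF file as
          # the sarifFile output of the step with id 'msdo'.
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

The permissions block is deliberately minimal: the workflow token gets only read access to contents plus write access to security-events, which is what the SARIF upload needs. Earlier revisions of the action's README also showed an actions/setup-dotnet step before the scan; whether it is still required depends on the action version you pin, so confirm that against the README as well. The OSS vulnerabilities column is not produced by this workflow; it comes from the repository's dependency scanning.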

Next steps

Configure the Microsoft Security DevOps GitHub action.

Configure the Microsoft Security DevOps Azure DevOps extension.