Overview of Defender for DevOps
Important
Microsoft Defender for DevOps is updated continuously, and customers who have onboarded their GitHub environments in Defender for Cloud must grant additional permissions to the application deployed in their GitHub organization. These permissions are required for all Defender for DevOps security features to operate normally and without issues.
See the recent release note for instructions on how to add these additional permissions.
Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat protection across multicloud environments including Azure, AWS, GCP, and on-premises resources. Defender for DevOps, a service available in Defender for Cloud, empowers security teams to manage DevOps security across multi-pipeline environments.
Defender for DevOps provides a central console from which security teams can protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritize remediation in code. Key capabilities in Defender for DevOps include:
- Unified visibility into DevOps security posture: Security administrators have full visibility into the DevOps inventory and the security posture of pre-production application code, including findings from code, secret, and open-source dependency vulnerability scans. They can configure their DevOps resources across multi-pipeline and multicloud environments in a single view.
- Strengthen cloud resource configurations throughout the development lifecycle: You can enable security scanning of Infrastructure as Code (IaC) templates and container images to minimize the cloud misconfigurations that reach production environments, allowing security administrators to focus on critical evolving threats.
- Prioritize remediation of critical issues in code: Apply comprehensive code-to-cloud contextual insights within Defender for Cloud. Security admins can help developers prioritize critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows that feed directly into the tools developers already use.
Defender for DevOps helps unify, strengthen and manage multi-pipeline DevOps security.
Availability
Aspect | Details
---|---
Release state: | Preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Clouds: | (shown as cloud-availability icons in the original table; not recoverable from this extract)
Regions: | Australia East, Central US, West Europe
Source Code Management Systems: | Azure DevOps; GitHub (supported versions: GitHub Free, Pro, Team, and GitHub Enterprise Cloud)
Required permissions: | Azure account with permissions to sign in to the Azure portal; Contributor on the relevant Azure subscription; Organization Administrator in GitHub; Security Admin role in Defender for Cloud
Manage your DevOps environments in Defender for Cloud
Defender for DevOps lets you manage your connected environments and gives your security teams a high-level overview, in the Defender for DevOps console, of the issues discovered within them.
Here, you can add GitHub and Azure DevOps environments, customize DevOps workbooks to show the metrics you want, view the guides and give feedback, and configure your pull request annotations.
Understanding your DevOps security
Page section | Description
---|---
Total vulnerabilities (screenshot in original) | Shows the total number of vulnerabilities found by Defender for DevOps. You can organize the results by severity level.
Findings by scan type (screenshot in original) | Presents the total number of findings by scan type and the associated recommendations for any onboarded resources. Selecting a result takes you to the corresponding recommendations.
Connectors and repositories (screenshot in original) | Provides visibility into the number of connectors and repositories that have been onboarded per environment.
Review your findings
The lower half of the page allows you to review onboarded DevOps resources and the security information related to them.
On this part of the screen you see:
Repositories - Lists onboarded repositories from GitHub and Azure DevOps. View more information about a specific resource by selecting it.
Pull request annotation status - Shows whether PR annotations are enabled for the repository:
- On - PR annotations are enabled.
- Off - PR annotations aren't enabled.
- NA - Defender for Cloud doesn't have information about enablement.
Note
Currently, this information is available only for Azure DevOps repositories.
Exposed secrets - Shows the number of secrets identified in the repositories.
OSS vulnerabilities - Shows the number of open-source dependency vulnerabilities identified in the repositories.
IaC scanning findings - Shows the number of infrastructure as code misconfigurations identified in the repositories.
Code scanning findings - Shows the number of code vulnerabilities and misconfigurations identified in the repositories.
Learn more
You can learn more about DevOps from our DevOps resource center.
Learn about security in DevOps.
You can learn about securing Azure Pipelines.
Learn about security hardening practices for GitHub Actions.
Next steps
Configure the Microsoft Security DevOps GitHub action.
Configure the Microsoft Security DevOps Azure DevOps extension.
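As an added illustration of the GitHub Actions onboarding step (this workflow is not from this page and is not Microsoft's own documentation), the example below runs the Microsoft Security DevOps scanners on pushes and pull requests to main and publishes the results to the repository's code scanning tab. The action name microsoft/security-devops-action, the setup-dotnet step, the sarifFile output and the upload-sarif step are assumed from the action's public README rather than taken from this page.

```yaml
# Added example workflow; not from this page. Action names and the sarifFile
# output are assumed from the security-devops-action README.
name: Microsoft Security DevOps scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least-privilege token: read the code, write only to code scanning alerts.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  msdo:
    runs-on: windows-latest
    steps:
      - name: Check out the repository
        uses: actions/checkout@v3

      # The README sample installs .NET before running the action.
      - name: Set up .NET
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: 6.0.x

      # Runs the bundled scanners (code, secrets, open-source dependencies,
      # IaC templates, container images) and writes a SARIF file.
      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo

      # Publish the SARIF so findings show in the Security tab and, once the
      # repository is onboarded through a GitHub connector, in Defender for Cloud.
      - name: Upload results to the code scanning tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

The workflow alone surfaces findings in GitHub's Security tab; for the same findings to appear in the Defender for DevOps console and its recommendations, the repository still has to be onboarded with a GitHub connector in Defender for Cloud using the permissions listed in the Availability table above. The explicit permissions block keeps the workflow token scoped to what the SARIF upload needs.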