Support and prerequisites: DevOps security
This article summarizes support information for DevOps security capabilities in Microsoft Defender for Cloud.
Cloud and region support
DevOps security is available in the Azure commercial cloud, in these regions:
- Asia (East Asia)
- Australia (Australia East)
- Canada (Canada Central)
- Europe (West Europe, North Europe, Sweden Central)
- UK (UK South)
- US (East US, Central US)
DevOps platform support
DevOps security currently supports the following DevOps platforms:
- Azure DevOps
- GitHub
- GitLab
Required permissions
DevOps security requires the following permissions:
Feature | Permissions |
---|---|
Connect DevOps environments to Defender for Cloud | |
Review security insights and findings | Security Reader |
Configure pull request annotations | Subscription Contributor or Owner |
Install the Microsoft Security DevOps extension in Azure DevOps | Azure DevOps Project Collection Administrator |
Install the Microsoft Security DevOps action in GitHub | GitHub Write |
Note
The Security Reader role can be assigned at the resource group or connector scope instead of at the subscription level, so that read-only access to DevOps security insights and findings does not require highly privileged permissions on the whole subscription.
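The following script is an added illustration of the least-privilege scoping the note describes; it is not taken from the Defender for Cloud documentation. It builds the three candidate Azure RBAC scopes (subscription, resource group, DevOps connector), warns when a grant would be subscription-wide, and prints the az CLI commands rather than running them unless APPLY=1 is set. The subscription ID, group ID, resource group and connector names are constructed placeholders, and the connector resource type Microsoft.Security/securityConnectors is an assumption about how the connector is represented in ARM.

```shell
#!/usr/bin/env sh
# Added example (not from the Defender for Cloud docs): grant Security Reader
# at the narrowest scope that still exposes the DevOps findings.
# ASSUMPTION: the DevOps connector is an ARM resource of type
# Microsoft.Security/securityConnectors in the resource group chosen at onboarding.

# Build an ARM scope from a subscription ID and, optionally, a resource group
# and a DevOps connector name. Fewer arguments mean a broader scope.
devops_reader_scope() {
  sub="$1"; rg="${2:-}"; connector="${3:-}"
  scope="/subscriptions/$sub"
  if [ -n "$rg" ]; then
    scope="$scope/resourceGroups/$rg"
    if [ -n "$connector" ]; then
      scope="$scope/providers/Microsoft.Security/securityConnectors/$connector"
    fi
  fi
  printf '%s\n' "$scope"
}

# Return 0 when a scope is an entire subscription, which is broader than
# read-only access to DevOps findings needs.
is_subscription_scope() {
  case "$1" in
    /subscriptions/*/*) return 1 ;;   # anything below the subscription root
    /subscriptions/*)   return 0 ;;
    *)                  return 1 ;;
  esac
}

# Print the az command that grants Security Reader to a principal at a scope.
# With APPLY=1 the command is executed instead (requires an az login).
assign_security_reader() {
  principal_id="$1"; principal_type="$2"; scope="$3"
  if is_subscription_scope "$scope"; then
    printf 'warning: %s is subscription-wide; prefer a resource group or connector scope\n' "$scope" >&2
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    az role assignment create \
      --assignee-object-id "$principal_id" \
      --assignee-principal-type "$principal_type" \
      --role "Security Reader" \
      --scope "$scope"
  else
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type %s --role "Security Reader" --scope %s\n' \
      "$principal_id" "$principal_type" "$scope"
  fi
}

# Print the az query that lists Security Reader assignments sitting at the
# subscription root, so over-broad grants can be found and narrowed.
audit_subscription_wide_readers() {
  sub="$1"
  printf '%s\n' "az role assignment list --all --role 'Security Reader' --query \"[?scope=='/subscriptions/$sub'].{principal:principalName,type:principalType}\" -o table"
}

# Demo with constructed placeholder values (nothing is executed while APPLY is unset).
SUB=00000000-0000-0000-0000-000000000000
RG=rg-defender-devops
CONNECTOR=github-org-connector
GROUP_ID=11111111-1111-1111-1111-111111111111   # Entra ID group of finding reviewers
assign_security_reader "$GROUP_ID" Group "$(devops_reader_scope "$SUB" "$RG" "$CONNECTOR")"
assign_security_reader "$GROUP_ID" Group "$(devops_reader_scope "$SUB" "$RG")"
assign_security_reader "$GROUP_ID" Group "$(devops_reader_scope "$SUB")"   # triggers the warning
audit_subscription_wide_readers "$SUB"
```

The connector-level scope is the tightest fit when reviewers only need one platform's findings; the resource group scope covers every connector onboarded into that group and is usually the practical choice. Run the audit query periodically so that Security Reader grants made at the subscription root during onboarding get moved down to one of these scopes.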
Feature availability
The following tables summarize the availability and prerequisites for each feature within the supported DevOps platforms:
Note
Starting March 7, 2024, Defender CSPM must be enabled on at least one subscription or multicloud connector in the tenant to use the premium DevOps security capabilities: code-to-cloud contextualization (which powers the cloud security explorer and attack paths) and pull request annotations for Infrastructure as Code security findings. See the tables below for details.
GitHub
Feature | Prerequisites |
---|---|
Connect GitHub repositories | See here |
Security recommendations to fix code vulnerabilities | GitHub Advanced Security for CodeQL findings, Microsoft Security DevOps action |
Security recommendations to discover exposed secrets | GitHub Advanced Security |
Security recommendations to fix open source vulnerabilities | GitHub Advanced Security |
Security recommendations to fix infrastructure as code misconfigurations | Microsoft Security DevOps action |
Security recommendations to fix DevOps environment misconfigurations | N/A |
Code to cloud mapping for Containers | Microsoft Security DevOps action |
Attack path analysis | Enable Defender CSPM on an Azure subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector |
Cloud security explorer | Enable Defender CSPM on an Azure subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector |
GitLab
Feature | Prerequisites |
---|---|
Connect GitLab projects | See here |
Security recommendations to fix code vulnerabilities | GitLab Ultimate |
Security recommendations to discover exposed secrets | GitLab Ultimate |
Security recommendations to fix open source vulnerabilities | GitLab Ultimate |
Security recommendations to fix infrastructure as code misconfigurations | GitLab Ultimate |
Cloud security explorer | Enable Defender CSPM on an Azure subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector |