Support and prerequisites: DevOps security

This article summarizes support information for DevOps security capabilities in Microsoft Defender for Cloud.

Cloud and region support

DevOps security is available in the Azure commercial cloud, in these regions:

  • Asia (East Asia)
  • Australia (Australia East)
  • Canada (Canada Central)
  • Europe (West Europe, North Europe, Sweden Central)
  • UK (UK South)
  • US (East US, Central US)

DevOps platform support

DevOps security currently supports the following DevOps platforms:

Required permissions

DevOps security requires the following permissions:

Feature Permissions
Connect DevOps environments to Defender for Cloud
  • Azure: Subscription Contributor or Security Admin
  • Azure DevOps: Project Collection Administrator on target Organization
  • GitHub: Organization Owner
  • GitLab: Group Owner on target Group
Review security insights and findings Security Reader
Configure pull request annotations Subscription Contributor or Owner
Install the Microsoft Security DevOps extension in Azure DevOps Azure DevOps Project Collection Administrator
Install the Microsoft Security DevOps action in GitHub GitHub Write

Note

Security Reader role can be applied on the Resource Group or connector scope to avoid setting highly privileged permissions on a Subscription level for read access of DevOps security insights and findings.

Feature availability

The following tables summarize the availability and prerequisites for each feature within the supported DevOps platforms:

Note

Starting March 7, 2024, Defender CSPM must be enabled on at least one subscription or multicloud connector in the tenant to benefit from premium DevOps security capabilities which include code-to-cloud contextualization powering security explorer and attack paths and pull request annotations for Infrastructure-as-Code security findings. See details below to learn more.

Azure DevOps

Feature Foundational CSPM Defender CSPM Prerequisites
Connect Azure DevOps repositories Yes Icon Yes Icon See here
Security recommendations to fix code vulnerabilities Yes Icon Yes Icon GitHub Advanced Security for Azure DevOps for CodeQL findings, Microsoft Security DevOps extension
Security recommendations to discover exposed secrets Yes Icon Yes Icon GitHub Advanced Security for Azure DevOps
Security recommendations to fix open source vulnerabilities Yes Icon Yes Icon GitHub Advanced Security for Azure DevOps
Security recommendations to fix infrastructure as code misconfigurations Yes Icon Yes Icon Microsoft Security DevOps extension
Security recommendations to fix DevOps environment misconfigurations Yes Icon Yes Icon N/A
Pull request annotations Yes Icon See here
Code to cloud mapping for Containers Yes Icon Microsoft Security DevOps extension
Code to cloud mapping for Infrastructure as Code templates Yes Icon Microsoft Security DevOps extension
Attack path analysis Yes Icon Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP Connector in the same tenant as the DevOps Connector
Cloud security explorer Yes Icon Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector

GitHub

Feature Foundational CSPM Defender CSPM Prerequisites
Connect GitHub repositories Yes Icon Yes Icon See here
Security recommendations to fix code vulnerabilities Yes Icon Yes Icon GitHub Advanced Security for CodeQL findings, Microsoft Security DevOps action
Security recommendations to discover exposed secrets Yes Icon Yes Icon GitHub Advanced Security
Security recommendations to fix open source vulnerabilities Yes Icon Yes Icon GitHub Advanced Security
Security recommendations to fix infrastructure as code misconfigurations Yes Icon Yes Icon Microsoft Security DevOps action
Security recommendations to fix DevOps environment misconfigurations Yes Icon Yes Icon N/A
Code to cloud mapping for Containers Yes Icon Microsoft Security DevOps action
Attack path analysis Yes Icon Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector
Cloud security explorer Yes Icon Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector

GitLab

Feature Foundational CSPM Defender CSPM Prerequisites
Connect GitLab projects Yes Icon Yes Icon See here
Security recommendations to fix code vulnerabilities Yes Icon Yes Icon GitLab Ultimate
Security recommendations to discover exposed secrets Yes Icon Yes Icon GitLab Ultimate
Security recommendations to fix open source vulnerabilities Yes Icon Yes Icon GitLab Ultimate
Security recommendations to fix infrastructure as code misconfigurations Yes Icon Yes Icon GitLab Ultimate
Cloud security explorer Yes Icon Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector