This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article summarizes support information for DevOps security capabilities in Microsoft Defender for Cloud.
DevOps security is available in the Azure commercial cloud, in these regions:
DevOps security currently supports the following DevOps platforms:
DevOps security requires the following permissions:
| Feature | Permissions |
|---|---|
| Connect DevOps environments to Defender for Cloud |
|
| Review security insights and findings | Security Reader |
| Configure pull request annotations | Subscription Contributor or Owner |
| Install the Microsoft Security DevOps extension in Azure DevOps | Azure DevOps Project Collection Administrator |
| Install the Microsoft Security DevOps action in GitHub | GitHub Write |
Note
Security Reader role can be applied on the Resource Group or connector scope to avoid setting highly privileged permissions on a Subscription level for read access of DevOps security insights and findings.
DevOps security capabilities, such as code-to-cloud contextualization, security explorer, attack path analysis, and pull request annotations for Infrastructure-as-Code security findings, are available when you enable the paid Defender Cloud Security Posture Management (CSPM) plan.
The following tables summarize the availability and prerequisites for each feature within the supported DevOps platforms:
| Feature | Foundational CSPM | Defender CSPM | Prerequisites |
|---|---|---|---|
| Connect GitHub repositories |  |
|
See here |
| Security recommendations to fix code vulnerabilities | |
|
GitHub Advanced Security for CodeQL findings, Microsoft Security DevOps action |
| Security recommendations to discover exposed secrets | |
|
GitHub Advanced Security |
| Security recommendations to fix open source vulnerabilities | |
|
GitHub Advanced Security |
| Security recommendations to fix infrastructure as code misconfigurations | |
|
Microsoft Security DevOps action |
| Security recommendations to fix DevOps environment misconfigurations | |
|
N/A |
| Code to cloud mapping for Containers | |
Microsoft Security DevOps action | |
| Attack path analysis | |
Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector | |
| Cloud security explorer | |
Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector |
| Feature | Foundational CSPM | Defender CSPM | Prerequisites |
|---|---|---|---|
| Connect GitLab projects | |
|
See here |
| Security recommendations to fix code vulnerabilities | |
|
GitLab Ultimate |
| Security recommendations to discover exposed secrets | |
|
GitLab Ultimate |
| Security recommendations to fix open source vulnerabilities | |
|
GitLab Ultimate |
| Security recommendations to fix infrastructure as code misconfigurations | |
|
GitLab Ultimate |
| Cloud security explorer | |
Enable Defender CSPM on an Azure Subscription, AWS Connector, or GCP connector in the same tenant as the DevOps Connector |
Training
Learning path
AZ-400: Implement security and validate code bases for compliance - Training
AZ-400: Implement security and validate code bases for compliance
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Documentation
Configure agentless code scanning for Azure DevOps - Microsoft Defender for Cloud
Discover how agentless code scanning in Microsoft Defender for Cloud identifies vulnerabilities in code and IaC configurations in Azure DevOps.
DevOps environment posture management overview - Microsoft Defender for Cloud
Learn how to discover security posture violations in DevOps environments
Connect your Azure DevOps organizations - Microsoft Defender for Cloud
Learn how to connect your Azure DevOps environment to Defender for Cloud.