Enable pull request annotations in GitHub and Azure DevOps
Defender for DevOps exposes security findings as annotations in pull requests (PRs). Security operators enable PR annotations in Microsoft Defender for Cloud, and developers then remediate the exposed issues in their source code management system. This process prevents and fixes potential security vulnerabilities and misconfigurations before they reach production. Defender for DevOps annotates only the vulnerabilities within the file differences in the PR, not every vulnerability detected across the entire file. Developers see the annotations in their source code management system, and security operators see any unresolved findings in Microsoft Defender for Cloud.
With Microsoft Defender for Cloud, you can configure PR annotations in Azure DevOps. You can get PR annotations in GitHub if you're a GitHub Advanced Security customer.
Note
GitHub Advanced Security for Azure DevOps (GHAzDO) is providing a free trial of PR annotations during the Defender for DevOps preview.
Prerequisites
For GitHub:
- An Azure account. If you don't already have an Azure account, you can create your Azure free account today.
- Be a GitHub Advanced Security customer.
- Connect your GitHub repositories to Microsoft Defender for Cloud.
- Configure the Microsoft Security DevOps GitHub action.
For Azure DevOps:
- An Azure account. If you don't already have an Azure account, you can create your Azure free account today.
- Connect your Azure DevOps repositories to Microsoft Defender for Cloud.
- Configure the Microsoft Security DevOps Azure DevOps extension.
- Setup secret scanning in Azure DevOps.
Enable pull request annotations in GitHub
By enabling pull request annotations in GitHub, your developers gain the ability to see their security issues when they create a PR directly to the main branch.
To enable pull request annotations in GitHub:
Navigate to GitHub and sign in.
Select a repository that you've onboarded to Defender for Cloud.
Navigate to your repository's home page > .github/workflows. Select msdevopssec.yml, which was created in the prerequisites.
Select edit.
Locate and update the trigger section to include:
```yaml
# Triggers the workflow on push or pull request events but only for the main branch
pull_request:
  branches: ["main"]
```
You can also view a sample repository.
(Optional) You can select which branches the workflow runs on by listing them under the trigger section. To include all branches, remove the lines with the branch list.
Select Start commit.
Select Commit changes.
Any issues that are discovered by the scanner will be viewable in the Files changed section of your pull request.
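The following is a complete msdevopssec.yml with the pull_request trigger from the procedure above, added here as an example; it is not the file generated in the prerequisites or code from the page. The action version tags, the job name, and the sarifFile output name are assumptions to verify against the workflow in your repository:

```yaml
# Added example: full workflow with the pull_request trigger limited to main.
# Action versions and the sarifFile output name are assumptions; check them
# against the msdevopssec.yml created in the prerequisites.
name: MSDO with PR annotations

on:
  push:
    branches: ["main"]
  # Run on pull requests targeting main so findings surface as PR annotations
  pull_request:
    branches: ["main"]
  workflow_dispatch:

jobs:
  msdo:
    name: Microsoft Security DevOps analysis
    runs-on: windows-latest
    permissions:
      contents: read          # check out the source
      security-events: write  # needed to upload SARIF so annotations render
      actions: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Without the security-events: write permission the SARIF upload fails and no annotations appear, so a PR that silently shows nothing should be checked against the workflow run log before being treated as clean. Keeping the branch list narrow also limits how often the scanner runs on long-lived feature branches that never reach main.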
Resolve security issues in GitHub
To resolve security issues in GitHub:
Navigate through the page and locate an affected file with an annotation.
Follow the remediation steps in the annotation. If you choose not to remediate the annotation, select Dismiss alert.
Select a reason to dismiss:
- Won't fix - The alert is noted but won't be fixed.
- False positive - The alert isn't valid.
- Used in tests - The alert isn't in the production code.
Enable pull request annotations in Azure DevOps
By enabling pull request annotations in Azure DevOps, your developers gain the ability to see their security issues when they create PRs directly to the main branch.
Enable Build Validation policy for the CI Build
Before you can enable pull request annotations, your main branch must have a Build Validation policy enabled for the CI build.
To enable Build Validation policy for the CI Build:
Sign in to your Azure DevOps project.
Navigate to Project settings > Repositories.
Select the repository to enable pull requests on.
Select Policies.
Navigate to Branch Policies > Main branch.
Locate the Build Validation section.
Ensure the build validation for your repository is toggled to On.
Select Save.
Once you've completed these steps, you can select the build pipeline you created previously and customize its settings to suit your needs.
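For reference, the following is an example of the CI pipeline that the Build Validation policy points at. It is added here and is not a file from the page or from the MSDO extension; the task name MicrosoftSecurityDevOps@1 is the one the Microsoft Security DevOps extension publishes, and the image name is an assumption to verify against your organization's agent pools:

```yaml
# Added example: the CI pipeline selected in the Build Validation policy on main.
# For Azure Repos Git the branch policy, not a pr: section in this file,
# starts the build on each PR iteration, so no pr: trigger is needed here.
# The task name is as published by the MSDO extension; verify it against the
# version installed in your organization.
trigger:
  - main

pool:
  vmImage: windows-latest

steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: Microsoft Security DevOps
```

If the policy is created as optional rather than required, developers can complete the PR before the scan finishes and the annotations appear; set the policy to required when the intent is to block merges on unresolved secret findings.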
Enable pull request annotations
To enable pull request annotations in Azure DevOps:
Sign in to the Azure portal.
Navigate to Defender for Cloud > DevOps Security.
Select all relevant repositories to enable the pull request annotations on.
Select Configure.
Toggle Pull request annotations to On.
(Optional) Select a category from the drop-down menu.
Note
Only secret scan results are currently supported.
(Optional) Select a severity level from the drop-down menu.
Note
Only high-level severity findings are currently supported.
Select Save.
From now on, annotations that match your category and severity configuration are displayed on pull requests targeting your main branch, at the relevant line of code.
Resolve security issues in Azure DevOps
Once you've configured the scanner, you'll be able to view all issues that were detected.
To resolve security issues in Azure DevOps:
Sign in to Azure DevOps.
Navigate to Pull requests.
On the Overview or Files page, locate an affected line with an annotation.
Follow the remediation steps in the annotation.
Select Active to change the status of the annotation and access the dropdown menu.
Select an action to take:
- Active - The default status for new annotations.
- Pending - The finding is being worked on.
- Resolved - The finding has been addressed.
- Won't fix - The finding is noted but won't be fixed.
- Closed - The discussion in this annotation is closed.
Defender for DevOps will reactivate an annotation if the security issue isn't fixed in a new iteration.
Learn more
Learn more about Defender for DevOps.
Learn how to Discover misconfigurations in Infrastructure as Code.
Learn how to detect exposed secrets in code.
Next steps
Now learn more about Defender for DevOps.