Enable pull request annotations in GitHub and Azure DevOps

Defender for DevOps exposes security findings as annotations in pull requests (PRs). Security operators enable PR annotations in Microsoft Defender for Cloud, and developers then remediate the exposed issues in the PR itself. This lets teams prevent and fix potential security vulnerabilities and misconfigurations before they reach production. Defender for DevOps annotates only findings in the lines changed by the PR (the diff), not every finding detected across the entire file. Developers see the annotations in their source code management system, and security operators see any unresolved findings in Microsoft Defender for Cloud.

With Microsoft Defender for Cloud, you can configure PR annotations in Azure DevOps. You can get PR annotations in GitHub if you're a GitHub Advanced Security customer.

Note

GitHub Advanced Security for Azure DevOps (GHAzDO) is providing a free trial of PR annotations during the Defender for DevOps preview.

Prerequisites

For GitHub:

For Azure DevOps:

Enable pull request annotations in GitHub

By enabling pull request annotations in GitHub, your developers gain the ability to see their security issues when they create a PR directly to the main branch.

To enable pull request annotations in GitHub:

  1. Navigate to GitHub and sign in.

  2. Select a repository that you've onboarded to Defender for Cloud.

  3. Navigate to Your repository's home page > .github/workflows.

    Screenshot that shows where to navigate to, to select the GitHub workflow folder.

  4. Select msdevopssec.yml, which was created in the prerequisites.

    Screenshot that shows you where on the screen to select the msdevopssec.yml file.

  5. Select edit.

    Screenshot that shows you what the edit button looks like.

  6. Locate and update the trigger section (the `on:` key) so that it includes a pull_request trigger:

    # Triggers the workflow on push or pull request events but only for the main branch
    on:
      pull_request:
        branches: ["main"]


    You can also view a sample repository.

    (Optional) You can choose which branches the workflow runs on by listing them under the trigger section. To include all branches, remove the lines with the branch list.

  7. Select Start commit.

  8. Select Commit changes.

Any issues the scanner discovers are viewable in the Files changed tab of your pull request.
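For reference, here is a complete workflow file showing where the pull_request trigger sits in context. This is an added example, not the page's own msdevopssec.yml or the sample repository's file; it follows the shape of the Microsoft Security DevOps sample workflow, and the action version tags, the runner image and the .NET versions are assumptions to verify against the sample repository before committing.

```yaml
# Added example workflow (not the page's own file): .github/workflows/msdevopssec.yml
# Mirrors the shape of the Microsoft Security DevOps sample workflow; the action
# version tags, runner image and .NET versions below are assumptions, so check
# them against the sample repository before committing.
name: MSDO

on:
  # Run on pushes to main, and on every PR that targets main so that
  # findings in the PR's changed lines can be annotated on the diff.
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  # Allow manual runs from the Actions tab.
  workflow_dispatch:

jobs:
  sample:
    name: Microsoft Security DevOps Analysis
    runs-on: windows-latest
    # Least-privilege GITHUB_TOKEN: only security-events needs write, so the
    # SARIF upload can create the code scanning alerts that become PR annotations.
    permissions:
      contents: read
      id-token: write
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: |
            5.0.x
            6.0.x

      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@latest
        id: msdo

      # Uploading the SARIF output is what surfaces findings as annotations
      # in the Files changed tab and as alerts in the Security tab.
      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Two things to check if annotations do not appear: the workflow must actually run on the pull_request event for the target branch (a push-only trigger will upload findings but never annotate the PR), and the job's permissions must grant security-events: write, otherwise the SARIF upload step fails and no alerts are created.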

Resolve security issues in GitHub

To resolve security issues in GitHub:

  1. Navigate through the page and locate an affected file with an annotation.

  2. Follow the remediation steps in the annotation. If you choose not to remediate the annotation, select Dismiss alert.

  3. Select a reason to dismiss:

    • Won't fix - The alert is noted but won't be fixed.
    • False positive - The alert isn't valid.
    • Used in tests - The alert isn't in the production code.

Enable pull request annotations in Azure DevOps

By enabling pull request annotations in Azure DevOps, your developers gain the ability to see their security issues when they create PRs directly to the main branch.

Enable Build Validation policy for the CI Build

Before you can enable pull request annotations, your main branch must have a Build Validation policy enabled for the CI build. Build validation runs the CI pipeline on every PR that targets the branch, which is what gives the scanner the opportunity to annotate the PR.

To enable Build Validation policy for the CI Build:

  1. Sign in to your Azure DevOps project.

  2. Navigate to Project settings > Repositories.

    Screenshot that shows you where to navigate to, to select repositories.

  3. Select the repository to enable pull request annotations on.

  4. Select Policies.

  5. Navigate to Branch Policies > Main branch.

    Screenshot that shows where to locate the branch policies.

  6. Locate the Build Validation section.

  7. Ensure the build validation for your repository is toggled to On.

    Screenshot that shows where the CI Build toggle is located.

  8. Select Save.

    Screenshot that shows the build validation.

Once you've completed these steps, you can select the build pipeline you created previously and customize its settings to suit your needs.

Enable pull request annotations

To enable pull request annotations in Azure DevOps:

  1. Sign in to the Azure portal.

  2. Navigate to Defender for Cloud > DevOps Security.

  3. Select all relevant repositories to enable the pull request annotations on.

  4. Select Configure.

    Screenshot that shows you where to select the configure button on the screen.

  5. Toggle Pull request annotations to On.

    Screenshot that shows the toggle switched to on.

  6. (Optional) Select a category from the drop-down menu.

    Note

    Only secret scan results are currently supported.

  7. (Optional) Select a severity level from the drop-down menu.

    Note

    Only high-severity findings are currently supported.

  8. Select Save.

From now on, annotations that match your configuration are displayed on pull requests targeting your main branch, next to the relevant line of code.

Resolve security issues in Azure DevOps

Once you've configured the scanner, you'll be able to view all issues that were detected.

To resolve security issues in Azure DevOps:

  1. Sign in to Azure DevOps.

  2. Navigate to Pull requests.

    Screenshot showing where to go to navigate to pull requests.

  3. On the Overview or Files page, locate an affected line with an annotation.

  4. Follow the remediation steps in the annotation.

  5. Select Active to change the status of the annotation and access the dropdown menu.

  6. Select an action to take:

    • Active - The default status for new annotations.
    • Pending - The finding is being worked on.
    • Resolved - The finding has been addressed.
    • Won't fix - The finding is noted but won't be fixed.
    • Closed - The discussion in this annotation is closed.

Defender for DevOps reactivates an annotation if the security issue is still present in a new iteration of the pull request.

Learn more

Learn more about Defender for DevOps.

Learn how to Discover misconfigurations in Infrastructure as Code.

Learn how to detect exposed secrets in code.

Next steps

Now learn more about Defender for DevOps.