How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

You know how it goes. You’re working on a project, pushing code left and right, and then someone asks, “But is it secure?” Cue the collective groan. Well, what if I told you there’s a way to bake security right into your development process without slowing everything down to a crawl?
Enter Microsoft Defender for Cloud and Azure DevOps. Together, they’re like the dream team of cloud security. We can integrate Microsoft Defender for Cloud into our Azure DevOps pipeline, which means that we can perform vulnerability scans as part of our CI/CD process so that every deployment is scanned for security issues before it goes live.
That means:
- no more “oops” moments (remember my blog about how to get from Dev?! Oops! to DevOps?)
- consistency as every build gets the same treatment and it doesn’t depend on the someone’s mood, how close lunch break is or other very human factors what gets scanned
- speeding things up as automated scans are way faster than Bob from IT manually checking everything (Sorry Bob!)
I see too often that security scans are an afterthought or that scans are performed after a deployment hits production. So they just hope for the best.
What is Defender for Cloud
(and why would I care?)
Microsoft Defender for Cloud is a robust security solution that’s becoming increasingly important in the Azure ecosystem. It acts as a comprehensive monitoring system for your cloud resources, continuously scanning for potential vulnerabilities and threats. It doesn’t just alert you to issues, but provides actionable recommendations to improve your security.
A bit of prep work
Before we can leverage this approach, we need to check some prerequisites
- Azure subscription with Microsoft Defender for Cloud turned on
- A Azure DevOps account and project with some code in a repo
- The right permissions (you’ll need to be a Contributor or Owner)
- Microsoft Defender for Cloud plan that covers your resources (there is a free trial)
- A Log Analytics Workspace (If you don’t know how to do this, here is a tutorial by Microsoft Learn)
- A way for Azure DevOps to talk to Azure (like a Service Principal or Managed Identity)
Defender for Cloud Setup
First things first, let’s turn on Microsoft Defender for Cloud:
- Open portal.azure.com and find Microsoft Defender for Cloud
- Switch on the Defender plans for the services you care about (e.g., VMs, App Services, Key Vaults, SQL database)
Now, let’s set up Continuous Export:
- Find Environment Settings and then Continuous export
- Enable the export of security recommendations and alerts to a Log Analytics workspace.
DevOps Pipeline Magic
Now for the fun part – setting up the pipeline that’ll do our security scans:
We need to give our pipeline a way to talk to Azure:
- Use either a Service Principal or a Managed Identity to create a Service Connection
- Create a new pipeline (or edit an existing one) with this yaml snippet:
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
- group: AzureSecurityVariables
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'AzureSecurityConnection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
echo "Starting vulnerability scan with Microsoft Defender for Cloud"
# Query the Log Analytics workspace for any critical security recommendations
result=$(az monitor log-analytics query \
--workspace $(logAnalyticsWorkspaceId) \
--analytics-query "SecurityRecommendation | where Severity == 'High'" \
--timespan P1D \
--output tsv)
if [[ -n "$result" ]]; then
echo "High-severity security vulnerabilities found:"
echo "$result"
echo "##vso[task.complete result=Failed;]Security vulnerabilities detected."
else
echo "No critical vulnerabilities found!"
fi
💡 Make sure that you create a variable for your logAnalyticsWorkspaceId
- you can obtain it from the Azure Portal
Our pipeline does a few cool things:
- It logs into Azure using your Service Principal (you know I love managed Identities for a variety of good reasons, but I wanted to keep this blog post focused on DevOps and Defender for Cloud so let’s cover DevOps and Managed Identity in a future post)
- It checks your Log Analytics workspace for any high-severity security recommendations from the last day
- If it finds anything scary (Severity
High
), it’ll fail the pipeline and show you what it found
Run your pipeline, if it tells that “No critical vulnerabilities found” you are good to go, otherwise, it will stop the pipeline and exactly tell you what it found.
Conclusion
Scans do not need to be performed after deployment, with everyone getting hectic or rolling back to previous versions. Microsoft Defender for Cloud got your back and you can integrate it into your DevOps scenario.
Published on:
Learn moreRelated posts
Fabric Mirroring for Azure Cosmos DB: Public Preview Refresh Now Live with New Features
We’re thrilled to announce the latest refresh of Fabric Mirroring for Azure Cosmos DB, now available with several powerful new features that e...
Power Platform – Use Azure Key Vault secrets with environment variables
We are announcing the ability to use Azure Key Vault secrets with environment variables in Power Platform. This feature will reach general ava...
Validating Azure Key Vault Access Securely in Fabric Notebooks
Working with sensitive data in Microsoft Fabric requires careful handling of secrets, especially when collaborating externally. In a recent cu...
Azure Developer CLI (azd) – May 2025
This post announces the May release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) – May 2025 appeared first on ...
Azure Cosmos DB with DiskANN Part 4: Stable Vector Search Recall with Streaming Data
Vector Search with Azure Cosmos DB In Part 1 and Part 2 of this series, we explored vector search with Azure Cosmos DB and best practices for...
General Availability for Data API in vCore-based Azure Cosmos DB for MongoDB
Title: General Availability for Data API in vCore-based Azure Cosmos DB for MongoDB We’re excited to announce the general availability of the ...
Efficiently and Elegantly Modeling Embeddings in Azure SQL and SQL Server
Storing and querying text embeddings in a database it might seem challenging, but with the right schema design, it’s not only possible, ...