How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

You know how it goes. You’re working on a project, pushing code left and right, and then someone asks, “But is it secure?” Cue the collective groan. Well, what if I told you there’s a way to bake security right into your development process without slowing everything down to a crawl?
Enter Microsoft Defender for Cloud and Azure DevOps. Together, they’re like the dream team of cloud security. We can integrate Microsoft Defender for Cloud into our Azure DevOps pipeline, which means that we can perform vulnerability scans as part of our CI/CD process so that every deployment is scanned for security issues before it goes live.
That means:
- no more “oops” moments (remember my blog about how to get from Dev?! Oops! to DevOps?)
- consistency as every build gets the same treatment and it doesn’t depend on the someone’s mood, how close lunch break is or other very human factors what gets scanned
- speeding things up as automated scans are way faster than Bob from IT manually checking everything (Sorry Bob!)
I see too often that security scans are an afterthought or that scans are performed after a deployment hits production. So they just hope for the best.
What is Defender for Cloud
(and why would I care?)
Microsoft Defender for Cloud is a robust security solution that’s becoming increasingly important in the Azure ecosystem. It acts as a comprehensive monitoring system for your cloud resources, continuously scanning for potential vulnerabilities and threats. It doesn’t just alert you to issues, but provides actionable recommendations to improve your security.
A bit of prep work
Before we can leverage this approach, we need to check some prerequisites
- Azure subscription with Microsoft Defender for Cloud turned on
- A Azure DevOps account and project with some code in a repo
- The right permissions (you’ll need to be a Contributor or Owner)
- Microsoft Defender for Cloud plan that covers your resources (there is a free trial)
- A Log Analytics Workspace (If you don’t know how to do this, here is a tutorial by Microsoft Learn)
- A way for Azure DevOps to talk to Azure (like a Service Principal or Managed Identity)
Defender for Cloud Setup
First things first, let’s turn on Microsoft Defender for Cloud:
- Open portal.azure.com and find Microsoft Defender for Cloud
- Switch on the Defender plans for the services you care about (e.g., VMs, App Services, Key Vaults, SQL database)
Now, let’s set up Continuous Export:
- Find Environment Settings and then Continuous export
- Enable the export of security recommendations and alerts to a Log Analytics workspace.
DevOps Pipeline Magic
Now for the fun part – setting up the pipeline that’ll do our security scans:
We need to give our pipeline a way to talk to Azure:
- Use either a Service Principal or a Managed Identity to create a Service Connection
- Create a new pipeline (or edit an existing one) with this yaml snippet:
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
- group: AzureSecurityVariables
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'AzureSecurityConnection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
echo "Starting vulnerability scan with Microsoft Defender for Cloud"
# Query the Log Analytics workspace for any critical security recommendations
result=$(az monitor log-analytics query \
--workspace $(logAnalyticsWorkspaceId) \
--analytics-query "SecurityRecommendation | where Severity == 'High'" \
--timespan P1D \
--output tsv)
if [[ -n "$result" ]]; then
echo "High-severity security vulnerabilities found:"
echo "$result"
echo "##vso[task.complete result=Failed;]Security vulnerabilities detected."
else
echo "No critical vulnerabilities found!"
fi
💡 Make sure that you create a variable for your logAnalyticsWorkspaceId
- you can obtain it from the Azure Portal
Our pipeline does a few cool things:
- It logs into Azure using your Service Principal (you know I love managed Identities for a variety of good reasons, but I wanted to keep this blog post focused on DevOps and Defender for Cloud so let’s cover DevOps and Managed Identity in a future post)
- It checks your Log Analytics workspace for any high-severity security recommendations from the last day
- If it finds anything scary (Severity
High
), it’ll fail the pipeline and show you what it found
Run your pipeline, if it tells that “No critical vulnerabilities found” you are good to go, otherwise, it will stop the pipeline and exactly tell you what it found.
Conclusion
Scans do not need to be performed after deployment, with everyone getting hectic or rolling back to previous versions. Microsoft Defender for Cloud got your back and you can integrate it into your DevOps scenario.
Published on:
Learn moreRelated posts
Azure Toolkit for IntelliJ: Introducing the enhanced Java Code Quality Analyzer!
Discover the latest updates to the Azure Toolkit for IntelliJ, featuring an enhanced Java Code Quality Analyzer to help you write cleaner, saf...
Azure Boards + GitHub: Recent Updates
Over the past several months, we’ve delivered a series of improvements to the Azure Boards + GitHub integration. Whether you’re tracking...
Introducing the Azure MCP Server
This post introduces the Azure MCP Server, bringing the power of the cloud to your AI agents. The post Introducing the Azure MCP Server appear...
Azure OpenAI Service now authorized for all U.S. Government data classification levels
In the coming years, artificial intelligence will continue to be foundational to technical innovations for national security missions. Already...
GPT-4.1 is now available at Azure AI Foundry
Azure AI Foundry and AOAI (Azure OpenAI Services) keeps on getting better all the time! The latest addition in Azure AI Foundry (as of April 1...
Introducing Region Selection in Azure Cosmos DB Data Explorer for NoSQL Accounts
You asked—we delivered! Users can now manually select the region Data Explorer sends requests to! When you use Entra Authentication with NoSQL...
Microsoft Attempts to Fix Microsoft Graph PowerShell SDK Problem with Azure Automation
V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next versi...