Loading...

How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

You know how it goes. You’re working on a project, pushing code left and right, and then someone asks, “But is it secure?” Cue the collective groan. Well, what if I told you there’s a way to bake security right into your development process without slowing everything down to a crawl?

Enter Microsoft Defender for Cloud and Azure DevOps. Together, they’re like the dream team of cloud security. We can integrate Microsoft Defender for Cloud into our Azure DevOps pipeline, which means that we can perform vulnerability scans as part of our CI/CD process so that every deployment is scanned for security issues before it goes live.

That means:

  • no more “oops” moments (remember my blog about how to get from Dev?! Oops! to DevOps?)
  • consistency as every build gets the same treatment and it doesn’t depend on the someone’s mood, how close lunch break is or other very human factors what gets scanned
  • speeding things up as automated scans are way faster than Bob from IT manually checking everything (Sorry Bob!)

I see too often that security scans are an afterthought or that scans are performed after a deployment hits production. So they just hope for the best.

What is Defender for Cloud

(and why would I care?)

Microsoft Defender for Cloud is a robust security solution that’s becoming increasingly important in the Azure ecosystem. It acts as a comprehensive monitoring system for your cloud resources, continuously scanning for potential vulnerabilities and threats. It doesn’t just alert you to issues, but provides actionable recommendations to improve your security.

A bit of prep work

Before we can leverage this approach, we need to check some prerequisites

  • Azure subscription with Microsoft Defender for Cloud turned on
  • A Azure DevOps account and project with some code in a repo
  • The right permissions (you’ll need to be a Contributor or Owner)
  • Microsoft Defender for Cloud plan that covers your resources (there is a free trial)
  • A Log Analytics Workspace (If you don’t know how to do this, here is a tutorial by Microsoft Learn)
  • A way for Azure DevOps to talk to Azure (like a Service Principal or Managed Identity)

Defender for Cloud Setup

First things first, let’s turn on Microsoft Defender for Cloud:

  • Open portal.azure.com and find Microsoft Defender for Cloud
  • Switch on the Defender plans for the services you care about (e.g., VMs, App Services, Key Vaults, SQL database)

Now, let’s set up Continuous Export:

  • Find Environment Settings and then Continuous export
  • Enable the export of security recommendations and alerts to a Log Analytics workspace.

DevOps Pipeline Magic

Now for the fun part – setting up the pipeline that’ll do our security scans:

We need to give our pipeline a way to talk to Azure:

  • Use either a Service Principal or a Managed Identity to create a Service Connection
  • Create a new pipeline (or edit an existing one) with this yaml snippet:
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
- group: AzureSecurityVariables
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'AzureSecurityConnection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
 echo "Starting vulnerability scan with Microsoft Defender for Cloud"

 # Query the Log Analytics workspace for any critical security recommendations
 result=$(az monitor log-analytics query \
 --workspace $(logAnalyticsWorkspaceId) \
 --analytics-query "SecurityRecommendation | where Severity == 'High'" \
 --timespan P1D \
 --output tsv)

 if [[ -n "$result" ]]; then
 echo "High-severity security vulnerabilities found:"
 echo "$result"
 echo "##vso[task.complete result=Failed;]Security vulnerabilities detected."
 else
 echo "No critical vulnerabilities found!"
 fi

💡 Make sure that you create a variable for your logAnalyticsWorkspaceId - you can obtain it from the Azure Portal

Our pipeline does a few cool things:

  • It logs into Azure using your Service Principal (you know I love managed Identities for a variety of good reasons, but I wanted to keep this blog post focused on DevOps and Defender for Cloud so let’s cover DevOps and Managed Identity in a future post)
  • It checks your Log Analytics workspace for any high-severity security recommendations from the last day
  • If it finds anything scary (Severity High), it’ll fail the pipeline and show you what it found

Run your pipeline, if it tells that “No critical vulnerabilities found” you are good to go, otherwise, it will stop the pipeline and exactly tell you what it found.

Conclusion

Scans do not need to be performed after deployment, with everyone getting hectic or rolling back to previous versions. Microsoft Defender for Cloud got your back and you can integrate it into your DevOps scenario.

Published on:

Learn more
Luise Freese: Consultant & MVP
Luise Freese: Consultant & MVP

Recent content on Luise Freese: Consultant & MVP

Share post:

Related posts

Fabric Mirroring for Azure Cosmos DB: Public Preview Refresh Now Live with New Features

We’re thrilled to announce the latest refresh of Fabric Mirroring for Azure Cosmos DB, now available with several powerful new features that e...

16 hours ago

Power Platform – Use Azure Key Vault secrets with environment variables

We are announcing the ability to use Azure Key Vault secrets with environment variables in Power Platform. This feature will reach general ava...

16 hours ago

Validating Azure Key Vault Access Securely in Fabric Notebooks

Working with sensitive data in Microsoft Fabric requires careful handling of secrets, especially when collaborating externally. In a recent cu...

23 hours ago

Azure Developer CLI (azd) – May 2025

This post announces the May release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) – May 2025 appeared first on ...

1 day ago

Azure Cosmos DB with DiskANN Part 4: Stable Vector Search Recall with Streaming Data

Vector Search with Azure Cosmos DB  In Part 1 and Part 2 of this series, we explored vector search with Azure Cosmos DB and best practices for...

1 day ago

General Availability for Data API in vCore-based Azure Cosmos DB for MongoDB

Title: General Availability for Data API in vCore-based Azure Cosmos DB for MongoDB We’re excited to announce the general availability of the ...

1 day ago

Efficiently and Elegantly Modeling Embeddings in Azure SQL and SQL Server

Storing and querying text embeddings in a database it might seem challenging, but with the right schema design, it’s not only possible, ...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy