How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

You know how it goes. You’re working on a project, pushing code left and right, and then someone asks, “But is it secure?” Cue the collective groan. Well, what if I told you there’s a way to bake security right into your development process without slowing everything down to a crawl?

Enter Microsoft Defender for Cloud and Azure DevOps. Together, they’re like the dream team of cloud security. We can integrate Microsoft Defender for Cloud into our Azure DevOps pipeline, which means that we can perform vulnerability scans as part of our CI/CD process so that every deployment is scanned for security issues before it goes live.

That means:

  • no more “oops” moments (remember my blog about how to get from Dev?! Oops! to DevOps?)
  • consistency, as every build gets the same treatment; what gets scanned no longer depends on someone’s mood, how close the lunch break is, or other very human factors
  • speeding things up as automated scans are way faster than Bob from IT manually checking everything (Sorry Bob!)

I see too often that security scans are an afterthought, or are only run after a deployment has already hit production. Until then, teams just hope for the best.

What is Defender for Cloud (and why would I care?)

Microsoft Defender for Cloud is a robust security solution that’s becoming increasingly important in the Azure ecosystem. It acts as a comprehensive monitoring system for your cloud resources, continuously scanning for potential vulnerabilities and threats. It doesn’t just alert you to issues, but provides actionable recommendations to improve your security.

A bit of prep work

Before we can leverage this approach, we need to check some prerequisites:

  • Azure subscription with Microsoft Defender for Cloud turned on
  • An Azure DevOps account and project with some code in a repo
  • The right permissions (you’ll need to be a Contributor or Owner)
  • Microsoft Defender for Cloud plan that covers your resources (there is a free trial)
  • A Log Analytics Workspace (If you don’t know how to do this, here is a tutorial by Microsoft Learn)
  • A way for Azure DevOps to talk to Azure (like a Service Principal or Managed Identity)

Defender for Cloud Setup

First things first, let’s turn on Microsoft Defender for Cloud:

  • Open portal.azure.com and find Microsoft Defender for Cloud
  • Switch on the Defender plans for the services you care about (e.g., VMs, App Services, Key Vaults, SQL database)

Now, let’s set up Continuous Export:

  • Find Environment Settings and then Continuous export
  • Enable the export of security recommendations and alerts to a Log Analytics workspace.

DevOps Pipeline Magic

Now for the fun part – setting up the pipeline that’ll do our security scans:

We need to give our pipeline a way to talk to Azure:

  • Use either a Service Principal or a Managed Identity to create a Service Connection
  • Create a new pipeline (or edit an existing one) with this yaml snippet:
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

variables:
- group: AzureSecurityVariables

steps:
- task: AzureCLI@2
  displayName: 'Defender for Cloud vulnerability gate'
  inputs:
    azureSubscription: 'AzureSecurityConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      set -euo pipefail
      echo "Starting vulnerability scan with Microsoft Defender for Cloud"

      # 'az monitor log-analytics' lives in a CLI extension; allow it to install without a prompt on the agent
      az config set extension.use_dynamic_install=yes_without_prompt --only-show-errors

      # Query the Log Analytics workspace for high-severity recommendations that are still unhealthy
      # (Continuous Export writes to the SecurityRecommendation table; resolved items are exported as Healthy).
      # $(logAnalyticsWorkspaceId) is the workspace ID (GUID) from the AzureSecurityVariables group and is
      # substituted by the pipeline before the script runs.
      result=$(az monitor log-analytics query \
        --workspace "$(logAnalyticsWorkspaceId)" \
        --analytics-query "SecurityRecommendation | where RecommendationSeverity == 'High' and RecommendationState == 'Unhealthy' | project RecommendationName, AssessedResourceId" \
        --timespan P1D \
        --output tsv)

      if [[ -n "$result" ]]; then
        echo "High-severity security vulnerabilities found:"
        echo "$result"
        echo "##vso[task.complete result=Failed;]Security vulnerabilities detected."
      else
        echo "No critical vulnerabilities found!"
      fi

💡 Make sure that you create a variable named logAnalyticsWorkspaceId in the AzureSecurityVariables variable group. Its value is the workspace ID (the GUID shown on the workspace’s overview page in the Azure Portal), not the workspace’s full resource ID.

Our pipeline does a few cool things:

  • It logs into Azure using your Service Principal (you know I love Managed Identities for a variety of good reasons, but I wanted to keep this blog post focused on DevOps and Defender for Cloud, so let’s cover DevOps and Managed Identity in a future post)
  • It checks your Log Analytics workspace for any high-severity security recommendations from the last day
  • If it finds anything scary (Severity High), it’ll fail the pipeline and show you what it found

Run your pipeline. If it reports “No critical vulnerabilities found” you are good to go; otherwise it stops the pipeline and tells you exactly what it found.
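The pass/fail decision above is easy to get subtly wrong (a resolved recommendation is still exported, just with a Healthy state, and an empty result must not crash the script). The following is an added example, not code from the original post: the gate logic split into small shell functions and run over a constructed TSV sample, so it can be exercised offline without az or a workspace. It assumes the KQL ends with a project of RecommendationName, RecommendationSeverity, RecommendationState and AssessedResourceId, in that column order; the resource IDs and findings in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post): the pipeline's pass/fail gate,
# isolated into functions and run over a constructed TSV sample so it works
# offline. Assumed column order, as if the KQL ended with
#   | project RecommendationName, RecommendationSeverity, RecommendationState, AssessedResourceId

# Constructed sample rows (not real findings), shaped like the TSV output of
# 'az monitor log-analytics query --output tsv'. Row 2 is a resolved (Healthy)
# high-severity item and must not fail the gate.
SAMPLE_TSV=$(printf '%s\t%s\t%s\t%s\n' \
  'Machines should have vulnerability findings resolved' High Unhealthy '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-web-01' \
  'SQL databases should have vulnerability findings resolved' High Healthy '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Sql/servers/sql-demo/databases/db-app' \
  'Storage accounts should restrict network access' Medium Unhealthy '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo01' \
  'Key Vault secrets should have an expiration date' Low Unhealthy '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo')

# Constructed sample where every exported item has already been fixed.
CLEAN_TSV=$(printf '%s\t%s\t%s\t%s\n' \
  'Machines should have vulnerability findings resolved' High Healthy '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-web-01')

# Count rows whose severity ($2) and state ($3) match; prints 0 for empty input.
count_findings() {
  printf '%s\n' "$1" | awk -F '\t' -v sev="$2" -v st="$3" '$2 == sev && $3 == st { n++ } END { print n + 0 }'
}

# Print matching rows as "name / resource" pairs for the pipeline log.
list_findings() {
  printf '%s\n' "$1" | awk -F '\t' -v sev="$2" -v st="$3" '$2 == sev && $3 == st { printf "  - %s\n    %s\n", $1, $4 }'
}

# The gate: High + Unhealthy fails the run (exit status 1 plus the logging command
# the pipeline script uses); Medium + Unhealthy only raises a pipeline warning;
# everything else (Low, Healthy, NotApplicable) is ignored so resolved items
# cannot block a deployment.
security_gate() {
  gate_high=$(count_findings "$1" High Unhealthy)
  gate_medium=$(count_findings "$1" Medium Unhealthy)
  if [ "$gate_medium" -gt 0 ]; then
    echo "##vso[task.logissue type=warning]$gate_medium medium-severity recommendation(s) still unhealthy (not blocking)."
  fi
  if [ "$gate_high" -gt 0 ]; then
    echo "High-severity security vulnerabilities found:"
    list_findings "$1" High Unhealthy
    echo "##vso[task.complete result=Failed;]$gate_high high-severity security recommendation(s) detected."
    return 1
  fi
  echo "No critical vulnerabilities found!"
  return 0
}

# Stand-alone demo over both constructed samples.
echo "== sample with findings =="
security_gate "$SAMPLE_TSV" || echo "(verdict: fail the pipeline)"
echo "== sample with only resolved items =="
security_gate "$CLEAN_TSV" || echo "(verdict: fail the pipeline)"
```

In the pipeline you would replace the constructed samples with the value of `$result` from the az query; the functions are plain POSIX sh and awk, so they run unchanged on the ubuntu-latest agent.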

Conclusion

Scans do not need to be performed after deployment, with everyone getting hectic or rolling back to previous versions. Microsoft Defender for Cloud has your back, and you can integrate it into your DevOps scenario.

Luise Freese: Consultant & MVP