Loading...

How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

How to automate vulnerability scans in Azure DevOps with Microsoft Defender for Cloud

You know how it goes. You’re working on a project, pushing code left and right, and then someone asks, “But is it secure?” Cue the collective groan. Well, what if I told you there’s a way to bake security right into your development process without slowing everything down to a crawl?

Enter Microsoft Defender for Cloud and Azure DevOps. Together, they’re like the dream team of cloud security. We can integrate Microsoft Defender for Cloud into our Azure DevOps pipeline, which means that we can perform vulnerability scans as part of our CI/CD process so that every deployment is scanned for security issues before it goes live.

That means:

  • no more “oops” moments (remember my blog about how to get from Dev?! Oops! to DevOps?)
  • consistency as every build gets the same treatment and it doesn’t depend on the someone’s mood, how close lunch break is or other very human factors what gets scanned
  • speeding things up as automated scans are way faster than Bob from IT manually checking everything (Sorry Bob!)

I see too often that security scans are an afterthought or that scans are performed after a deployment hits production. So they just hope for the best.

What is Defender for Cloud

(and why would I care?)

Microsoft Defender for Cloud is a robust security solution that’s becoming increasingly important in the Azure ecosystem. It acts as a comprehensive monitoring system for your cloud resources, continuously scanning for potential vulnerabilities and threats. It doesn’t just alert you to issues, but provides actionable recommendations to improve your security.

A bit of prep work

Before we can leverage this approach, we need to check some prerequisites

  • Azure subscription with Microsoft Defender for Cloud turned on
  • A Azure DevOps account and project with some code in a repo
  • The right permissions (you’ll need to be a Contributor or Owner)
  • Microsoft Defender for Cloud plan that covers your resources (there is a free trial)
  • A Log Analytics Workspace (If you don’t know how to do this, here is a tutorial by Microsoft Learn)
  • A way for Azure DevOps to talk to Azure (like a Service Principal or Managed Identity)

Defender for Cloud Setup

First things first, let’s turn on Microsoft Defender for Cloud:

  • Open portal.azure.com and find Microsoft Defender for Cloud
  • Switch on the Defender plans for the services you care about (e.g., VMs, App Services, Key Vaults, SQL database)

Now, let’s set up Continuous Export:

  • Find Environment Settings and then Continuous export
  • Enable the export of security recommendations and alerts to a Log Analytics workspace.

DevOps Pipeline Magic

Now for the fun part – setting up the pipeline that’ll do our security scans:

We need to give our pipeline a way to talk to Azure:

  • Use either a Service Principal or a Managed Identity to create a Service Connection
  • Create a new pipeline (or edit an existing one) with this yaml snippet:
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
- group: AzureSecurityVariables
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'AzureSecurityConnection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
 echo "Starting vulnerability scan with Microsoft Defender for Cloud"

 # Query the Log Analytics workspace for any critical security recommendations
 result=$(az monitor log-analytics query \
 --workspace $(logAnalyticsWorkspaceId) \
 --analytics-query "SecurityRecommendation | where Severity == 'High'" \
 --timespan P1D \
 --output tsv)

 if [[ -n "$result" ]]; then
 echo "High-severity security vulnerabilities found:"
 echo "$result"
 echo "##vso[task.complete result=Failed;]Security vulnerabilities detected."
 else
 echo "No critical vulnerabilities found!"
 fi

💡 Make sure that you create a variable for your logAnalyticsWorkspaceId - you can obtain it from the Azure Portal

Our pipeline does a few cool things:

  • It logs into Azure using your Service Principal (you know I love managed Identities for a variety of good reasons, but I wanted to keep this blog post focused on DevOps and Defender for Cloud so let’s cover DevOps and Managed Identity in a future post)
  • It checks your Log Analytics workspace for any high-severity security recommendations from the last day
  • If it finds anything scary (Severity High), it’ll fail the pipeline and show you what it found

Run your pipeline, if it tells that “No critical vulnerabilities found” you are good to go, otherwise, it will stop the pipeline and exactly tell you what it found.

Conclusion

Scans do not need to be performed after deployment, with everyone getting hectic or rolling back to previous versions. Microsoft Defender for Cloud got your back and you can integrate it into your DevOps scenario.

Published on:

Learn more
Luise Freese: Consultant & MVP
Luise Freese: Consultant & MVP

Recent content on Luise Freese: Consultant & MVP

Share post:

Related posts

Azure Toolkit for IntelliJ: Introducing the enhanced Java Code Quality Analyzer!

Discover the latest updates to the Azure Toolkit for IntelliJ, featuring an enhanced Java Code Quality Analyzer to help you write cleaner, saf...

23 hours ago

Azure Boards + GitHub: Recent Updates

Over the past several months, we’ve delivered a series of improvements to the Azure Boards + GitHub integration. Whether you’re tracking...

1 day ago

Introducing the Azure MCP Server

This post introduces the Azure MCP Server, bringing the power of the cloud to your AI agents. The post Introducing the Azure MCP Server appear...

1 day ago

Azure OpenAI Service now authorized for all U.S. Government data classification levels

In the coming years, artificial intelligence will continue to be foundational to technical innovations for national security missions. Already...

3 days ago

GPT-4.1 is now available at Azure AI Foundry

Azure AI Foundry and AOAI (Azure OpenAI Services) keeps on getting better all the time! The latest addition in Azure AI Foundry (as of April 1...

4 days ago

Introducing Region Selection in Azure Cosmos DB Data Explorer for NoSQL Accounts

You asked—we delivered! Users can now manually select the region Data Explorer sends requests to! When you use Entra Authentication with NoSQL...

5 days ago

Microsoft Attempts to Fix Microsoft Graph PowerShell SDK Problem with Azure Automation

V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next versi...

5 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy