원클릭으로
defender-for-devops
Microsoft Defender for DevOps integration with Azure Pipelines (2025)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Microsoft Defender for DevOps integration with Azure Pipelines (2025)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Maia theme design system for Compass. Read this skill BEFORE creating or modifying any UI component, page layout, or styling. Covers tokens, typography, color, spacing, component standards, states, motion, and accessibility. Applies whenever working on .tsx files, CSS, or anything visual.
Comprehensive Azure Data Factory knowledge base with official documentation sources, CI/CD methods, deployment patterns, and troubleshooting resources
Comprehensive Azure Data Factory validation rules, activity nesting limitations, linked service requirements, and edge-case handling guidance
Azure DevOps pipeline best practices, patterns, and industry standards
Windows and Git Bash compatibility guidance for Azure Pipelines. Covers path conversion issues, shell detection in pipeline scripts, MINGW/MSYS path handling, Windows agent configuration, cross-platform script patterns, and troubleshooting common Windows-specific pipeline failures.
Advanced bash array patterns including mapfile, readarray, associative arrays, and array manipulation (2025)
| name | defender-for-devops |
| description | Microsoft Defender for DevOps integration with Azure Pipelines (2025) |
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).
Examples:
D:/repos/project/file.tsxD:\repos\project\file.tsxThis applies to:
NEVER create new documentation files unless explicitly requested by the user.
Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.
Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:
Installation:
Extension Capabilities:
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
stages:
- stage: Build
jobs:
- job: BuildAndScan
steps:
- task: UseDotNet@2
displayName: 'Install .NET SDK'
inputs:
version: '8.x'
- task: DotNetCoreCLI@2
displayName: 'Build Project'
inputs:
command: 'build'
projects: '**/*.csproj'
# Microsoft Security DevOps Scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Run Microsoft Security DevOps'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: false # Don't fail pipeline on findings
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
# Display results in Scans tab
- task: PostAnalysis@2
displayName: 'Post Analysis'
inputs:
break: false
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scanning (Break on Critical)'
inputs:
# Scan categories
categories: 'secrets,code,dependencies,IaC,containers'
# Break build on severity
break: true
breakSeverity: 'critical' # Options: critical, high, medium, low
# Tool configuration
tools: 'all' # Or specific: 'credscan,eslint,trivy'
# Output configuration
publishResults: true
continueOnError: false
# Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scan'
inputs:
categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
value: 'secrets,code,dependencies,IaC,containers'
${{ else }}:
value: 'secrets,code'
break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
Replaced: CredScan deprecated September 2023 Current: GitHub Advanced Security for Azure DevOps or MSDO secrets scanning
# MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets'
break: true # Always break on secrets
Common secrets detected:
- task: MicrosoftSecurityDevOps@1
displayName: 'SAST Scan'
inputs:
categories: 'code'
tools: 'eslint,bandit,semgrep'
Supported languages:
- task: MicrosoftSecurityDevOps@1
displayName: 'Dependency Scan'
inputs:
categories: 'dependencies'
tools: 'trivy,govulncheck'
Detects:
- task: MicrosoftSecurityDevOps@1
displayName: 'IaC Security Scan'
inputs:
categories: 'IaC'
tools: 'terrascan,checkov,templateanalyzer'
Scans:
- task: MicrosoftSecurityDevOps@1
displayName: 'Container Security Scan'
inputs:
categories: 'containers'
tools: 'trivy'
Trivy scans for:
# Pipeline automatically sends results to Defender for Cloud
# when MSDO extension is connected
- task: MicrosoftSecurityDevOps@1
displayName: 'Scan and send to Defender'
inputs:
categories: 'all'
publishResults: true
# Results appear in:
# Defender for Cloud → DevOps Security → Findings
Benefits:
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
variables:
- name: breakOnCritical
value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
stages:
- stage: SecurityScan
displayName: 'Security Analysis'
jobs:
- job: StaticAnalysis
displayName: 'Static Security Analysis'
steps:
- checkout: self
fetchDepth: 1
# Install dependencies
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm ci
displayName: 'Install dependencies'
# Build application
- script: npm run build
displayName: 'Build application'
# Docker build for container scanning
- task: Docker@2
displayName: 'Build Docker image'
inputs:
command: 'build'
Dockerfile: 'Dockerfile'
tags: '$(Build.BuildId)'
# Comprehensive security scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Microsoft Security DevOps Scan'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: $(breakOnCritical)
breakSeverity: 'high'
tools: 'all'
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish SARIF Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
# Post-analysis with results
- task: PostAnalysis@2
displayName: 'Security Post Analysis'
inputs:
break: $(breakOnCritical)
# Generate security report
- script: |
echo "Security scan completed"
echo "Results available in Scans tab"
displayName: 'Security Summary'
condition: always()
- stage: Deploy
dependsOn: SecurityScan
condition: succeeded()
jobs:
- deployment: DeployApp
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying secure application"
Roadmap features:
Alternative to MSDO for secret scanning:
# Requires GitHub Advanced Security license
# Provides:
# - Secret scanning
# - Code scanning with CodeQL
# - Dependency vulnerability alerts
# - Security overview dashboard
# Configuration in Azure DevOps organization settings
# Scans run automatically on commits and PRs
Pipeline Security:
Configuration:
# Recommended configuration
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: true
breakSeverity: 'high' # Adjust based on risk tolerance
publishResults: true
Integration:
In Pipeline:
In Defender for Cloud:
Common Issues:
MSDO task fails:
# Enable verbose logging
- task: MicrosoftSecurityDevOps@1
env:
MSDO_VERBOSE: true
inputs:
categories: 'all'
False positives:
# Suppress findings with .gdnconfig file
# In repository root:
{
"tools": {
"trivy": {
"enabled": true,
"severities": ["CRITICAL", "HIGH"]
}
}
}
Performance: