Integrate GitHub Advanced Security with Microsoft Defender for Cloud


Microsoft Defender for Cloud is a comprehensive security solution that helps organizations protect their cloud-based and on-premises workloads, applications, and infrastructure. One of its components is Microsoft Defender for DevOps, a cloud-based security solution that provides continuous monitoring and analysis of code, builds, and releases hosted in GitHub and Azure DevOps to identify and protect against security vulnerabilities and threats. Microsoft Defender for DevOps integrates with GitHub Advanced Security, combining the strengths of both services to deliver a unified experience that helps DevOps teams improve their security posture and reduce the risk of security breaches and data loss.

Defender for DevOps provides a centralized interface that aggregates data from multiple sources, including GitHub Advanced Security. In addition, it offers the Microsoft Security DevOps command line utility, which facilitates incorporating static analysis tools into GitHub Actions. The analysis results are automatically displayed in the Defender for DevOps portal.

Integrating Microsoft Defender for Cloud with GitHub Advanced Security

To implement integration between Microsoft Defender for Cloud and GitHub Advanced Security, onboard your GitHub organization into Defender for DevOps. This will enable support for two sets of features:

  • Foundational Cloud Security Posture Management (CSPM), which facilitates assessment of GitHub security posture through detailed security recommendations.
  • Defender CSPM, which enhances the foundational CSPM capabilities by offering risk assessment and insights into most critical exploitable weaknesses in the GitHub environment.

To connect your GitHub organizations, in the Azure portal, navigate to the Environment settings section of the Microsoft Defender for Cloud page. Select Add environment and then select GitHub. Enter an arbitrary name that will be assigned to the connection and specify its configuration settings, including the subscription, resource group, and region where the connection will be stored. In addition, select the Defender CSPM plan for the connection. When prompted, authorize your Azure subscription to access your GitHub organization. Following the authorization, install the GitHub application and select the repositories to which Defender for DevOps should have access. Once created, the GitHub connector will appear on the Environment settings page, and Defender for Cloud will automatically discover the repositories in the target GitHub organizations.

As a result, the Defender for DevOps pane will display onboarded repositories grouped by organization. The Recommendations pane will display all security assessments related to the corresponding GitHub repositories.

Integrating Microsoft Security DevOps into GitHub Actions

Microsoft Security DevOps is a command line application that installs, configures, and runs the latest versions of open-source static analysis, security, and compliance tools, including Bandit, BinSkim, ESLint, Terrascan, and Trivy. By invoking Microsoft Security DevOps from a GitHub Actions workflow (using the microsoft/security-devops-action@latest action), you can use the output generated by any of its tools to control the workflow execution path.

In addition, after the action completes, its results are automatically displayed on the Security tab of the GitHub repository. You can filter the security results by individual tool. The results also appear in the Microsoft Defender for Cloud console in the Azure portal, under DevOps security vulnerabilities, DevOps security results, and DevOps coverage.
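The following workflow is an added example, not part of the original module, showing how the microsoft/security-devops-action@latest action described above is typically wired into a repository: it runs a selected subset of the tools the page names and then uploads the resulting SARIF file so the findings appear on the repository's Security tab (and, once the organization is onboarded, in Defender for Cloud). The `tools` input and the `sarifFile` output are the action's documented names; the branch name, the tool selection, and the choice to upload even when the scan fails (`if: always()`) are assumptions made for this example.

```yaml
# Added example workflow (not from the original page) that runs Microsoft Security DevOps
# on every push and pull request to main and publishes its findings.
name: Microsoft Security DevOps

on:
  push:
    branches: [ main ]        # assumed default branch
  pull_request:
    branches: [ main ]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write      # required to upload SARIF to the Security tab

jobs:
  msdo:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps
        id: msdo
        uses: microsoft/security-devops-action@latest
        with:
          # Tool selection is an assumption for this example; omit `tools`
          # to let the action run its default set.
          tools: bandit,eslint,terrascan,trivy

      - name: Upload results to the repository Security tab
        # Upload even when a tool reported findings and failed the step,
        # so the results are never silently dropped.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Because the scan step fails the job when a tool reports findings at or above its configured severity, the job's success or failure is what lets you gate later steps (for example a deployment job declared with `needs: msdo`) on the scan outcome, which is the "control the workflow execution path" behaviour the page refers to.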