Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3.3. DevOps Security: GitHub, Azure DevOps, GitLab

💡 First Principle: Security must be "shifted left" into the development lifecycle. DevOps security (DevSecOps) ensures that vulnerabilities are identified at the source—the code and the pipeline—before they ever reach the cloud runtime.

Unified Code-to-Cloud Visibility (2026 Focus)

DevOps security in Microsoft Defender for Cloud (originally launched as Microsoft Defender for DevOps) provides a unified view of security posture across multiple DevOps platforms. By connecting GitHub, GitLab, and Azure DevOps organizations to Defender for Cloud, security teams can correlate findings from the repository and pipeline with the running resource they produced.

  • DevOps Connectors: Centralized integration for GitHub, GitLab, and Azure DevOps, onboarded once per organization rather than per repository.
  • Repository Discovery: Defender for Cloud automatically discovers repositories within connected organizations/projects, so new repositories are covered without a separate onboarding step.
  • Code-to-Cloud Correlation: Mapping a vulnerability found in a running container image back to the repository and pipeline that built it, so the fix is made in source control rather than patched at runtime.

Supply Chain Security

Modern applications are built on a complex web of dependencies. Securing the supply chain is critical to preventing "upstream" attacks.

  • Dependency Scanning: Detecting known vulnerabilities in open-source libraries (e.g., Log4j) used by your applications, by matching each dependency's name and version against published advisories.
  • Secret Detection: Actively scanning repositories (including commit history) for hardcoded credentials, API keys, and certificates.
  • Container Image Scanning: Analyzing images in the CI/CD pipeline and in the registry (Azure Container Registry, ACR) for OS and language-level vulnerabilities.
  • SBOM (Software Bill of Materials): Generating and verifying a manifest of every component in your software (typically in SPDX or CycloneDX format) to ensure transparency and compliance.
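The dependency-scanning and secret-detection items above are easier to reason about with the mechanics in front of you. The following is an added example written for this page; it is not code from MindMesh, GitHub Advanced Security, or Defender for Cloud. It parses a CycloneDX SBOM and matches components against an advisory table, then scans a source file for credentials. The SBOM, the source file, the `EXAMPLE-0001` advisory and the threshold values are constructed for the example; only the Log4Shell CVE id and its fixed version are real.

```python
"""Added example (not code from the MindMesh page or from any Microsoft
scanner): two supply-chain checks run offline over constructed input.
  1. Dependency scanning over a CycloneDX SBOM: read each component's package
     URL (purl) and match it against an advisory table.
  2. Secret detection: fixed-format patterns plus a Shannon-entropy check.
The advisory table and the sample files are constructed for this example;
a real scanner pulls advisories from OSV, GitHub Advisory Database or NVD."""
import json
import math
import re
from collections import Counter

# --- 1. SBOM / dependency scanning -----------------------------------------
# Constructed CycloneDX JSON fragment, the shape tools such as syft emit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ]})

# purl-without-version -> [(advisory id, first affected, first fixed)].
# CVE-2021-44228 (Log4Shell) and its 2.15.0 fix are real; the real range
# starts at 2.0-beta9, simplified to 2.0 because parse_version below drops
# pre-release tags. EXAMPLE-0001 is hypothetical and exercises the
# "already fixed" path.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "2.0", "2.15.0")],
    "pkg:pypi/requests": [("EXAMPLE-0001", "2.0.0", "2.31.0")],
}

def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1): numeric, so '2.9' sorts below '2.15'.
    Real tools use ecosystem-aware comparators (Maven, PEP 440, semver)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def scan_sbom(sbom_json: str) -> list:
    """Return [(purl, advisory id, fixed version)] for every component whose
    version lies in [introduced, fixed). Components without a purl are skipped."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        base, _, version = purl.partition("@")
        ver = parse_version(version)
        for adv_id, introduced, fixed in ADVISORIES.get(base, []):
            if parse_version(introduced) <= ver < parse_version(fixed):
                findings.append((purl, adv_id, fixed))
    return findings

# --- 2. Secret detection ----------------------------------------------------
# Published prefixes/shapes: GitHub classic PAT (ghp_ + 36 chars), AWS access
# key id (AKIA/ASIA + 16 chars), Azure Storage connection string.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "azure_storage_conn": re.compile(
        r"DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{20,}"),
}
# Anything assigned to a secret-looking name; flagged only if high-entropy.
GENERIC_TOKEN = re.compile(
    r"""(?:secret|password|token|key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{20,})""", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random key material sits around 4-5, prose ~3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_for_secrets(text: str, entropy_threshold: float = 3.5) -> list:
    """Return [(line number, kind, matched string)]. Known formats win; the
    entropy check runs only on lines no fixed pattern matched, so placeholders
    such as password = "changeme" (short, low entropy) are not reported."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = [(lineno, kind, m.group(0))
                   for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(line)]
        if not matched:
            matched = [(lineno, "high_entropy", m.group(1))
                       for m in GENERIC_TOKEN.finditer(line)
                       if shannon_entropy(m.group(1)) >= entropy_threshold]
        hits.extend(matched)
    return hits

# Constructed sample source. The token is a made-up string of the right
# shape, not a real credential.
SAMPLE_SOURCE = """\
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
db_password = "changeme"
api_key = "Qw8zX2pL9vN4rT7yUiOp3sDfGhJkLzXcVbNm"
"""
```

Running `scan_sbom(SAMPLE_SBOM)` reports only log4j-core 2.14.1 (requests 2.31.0 is at the fixed version, so it is not in the affected range), and `scan_for_secrets(SAMPLE_SOURCE)` reports line 1 as a GitHub PAT by format and line 3 as a high-entropy value, while the `changeme` placeholder on line 2 is ignored. The numeric version tuple is the weak point a real scanner must get right: pre-release tags, epochs and ecosystem-specific ordering are why production tools use per-ecosystem comparators rather than this simplification.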

Infrastructure as Code (IaC) Security

💡 First Principle: In the cloud, infrastructure is code. Securing the templates used to deploy resources is just as important as securing the applications themselves.

  • IaC Scanning: Automatically analyzing Terraform, Bicep, and ARM templates for misconfigurations (e.g., storage accounts with public access) before deployment, while the fix is still a one-line change in a pull request.
  • Policy-as-Code: Encoding organizational security standards as automated checks that run on every pull request, rather than relying on a manual review step to catch them.
  • Drift Detection: Identifying when the configuration of a deployed resource has diverged from its IaC definition (manual "hotfixes" in the portal that bypass the pipeline's security gates).

DevSecOps Integration & Automation

Feature               | GitHub                              | GitLab                              | Azure DevOps
----------------------|-------------------------------------|-------------------------------------|-------------------------------------------------------------------------------
Primary tooling       | GitHub Advanced Security (GHAS)     | Ultimate-tier security features     | GitHub Advanced Security for Azure DevOps, surfaced in Defender for Cloud's DevOps security
Pull request feedback | PR annotations / check runs         | Security dashboards / MR widgets    | PR annotations / pipeline gates
Remediation           | Dependabot / automated fixes        | Vulnerability management            | Automated remediation suggestions

Visual: Code-to-Cloud Security Flow

Scenario: A developer opens a pull request with a Terraform template that creates a SQL Server reachable from the public internet. The CI/CD pipeline runs an IaC scan, detects the misconfiguration, and leaves a PR annotation explaining the security risk. Because the scan is configured as a required status check on the branch, the merge is blocked until the template is fixed.
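The IaC scanning and policy-as-code items above, and this scenario, come down to the same loop: evaluate planned resources against policies, report each violation where the developer will see it, and fail the job. The following is an added example written for this page, not code from MindMesh, Defender for Cloud, or any vendor scanner. It reads the JSON that `terraform show -json` produces for a plan; the embedded plan, resource names and policy ids (`SQL-001` and so on) are constructed for the example, while the attribute names are the ones the `azurerm` provider uses.

```python
"""Added example (not code from the MindMesh page, Defender for Cloud, or any
vendor IaC scanner): a small policy-as-code gate over a Terraform plan.
`terraform plan -out tf.plan && terraform show -json tf.plan` produces the
JSON shape read here; the plan below is constructed by hand with only the
fields the checks use. Findings are emitted as GitHub Actions or Azure
Pipelines annotation commands, and a non-zero exit fails the job."""
import json
import os
import sys

# Constructed plan for the page's scenario: a SQL server reachable from the
# whole internet, plus a storage account allowing anonymous blob access.
# Resource addresses and names are made up; attribute names are the
# azurerm provider's.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_mssql_server.main", "type": "azurerm_mssql_server",
         "values": {"name": "sql-prod-01", "public_network_access_enabled": True,
                    "minimum_tls_version": "1.2"}},
        {"address": "azurerm_mssql_firewall_rule.allow_all",
         "type": "azurerm_mssql_firewall_rule",
         "values": {"name": "AllowAll", "start_ip_address": "0.0.0.0",
                    "end_ip_address": "255.255.255.255"}},
        {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
         "values": {"name": "stlogs01", "allow_nested_items_to_be_public": True,
                    "public_network_access_enabled": False}},
    ]}}})

def _allows_all(v: dict) -> bool:
    return v.get("start_ip_address") == "0.0.0.0" and v.get("end_ip_address") == "255.255.255.255"

# (policy id, resource type, predicate over planned values, message).
# Policy ids are made up for this example.
POLICIES = [
    ("SQL-001", "azurerm_mssql_server",
     lambda v: v.get("public_network_access_enabled", True),  # provider default is true
     "public network access enabled; use a private endpoint and set public_network_access_enabled = false"),
    ("SQL-002", "azurerm_mssql_firewall_rule", _allows_all,
     "firewall rule 0.0.0.0-255.255.255.255 exposes the server to the entire internet"),
    ("STG-001", "azurerm_storage_account",
     lambda v: v.get("allow_nested_items_to_be_public", False),
     "anonymous (public) blob access is allowed"),
]

def iter_resources(plan: dict):
    """Walk the root module and every child module of planned_values."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))

def evaluate_plan(plan_json: str) -> list:
    """Return [(policy id, resource address, message)] for every violation."""
    findings = []
    for res in iter_resources(json.loads(plan_json)):
        for pid, rtype, pred, msg in POLICIES:
            if res.get("type") == rtype and pred(res.get("values", {})):
                findings.append((pid, res["address"], msg))
    return findings

def annotation(pid: str, address: str, msg: str, ci: str) -> str:
    """One finding as the CI system's inline-annotation command: the GitHub
    '::error' workflow command or the Azure Pipelines '##vso[task.logissue]'
    logging command. Plan JSON carries no file/line, so the resource address
    is the location; a scanner over the .tf files can add file and line."""
    text = f"[{pid}] {address}: {msg}"
    if ci == "github":
        return f"::error title={pid}::{text}"
    if ci == "azdo":
        return f"##vso[task.logissue type=error;code={pid}]{text}"
    return text

def detect_ci() -> str:
    """GITHUB_ACTIONS=true and TF_BUILD=True are set by the respective agents."""
    if os.environ.get("GITHUB_ACTIONS") == "true":
        return "github"
    if os.environ.get("TF_BUILD") == "True":
        return "azdo"
    return "plain"

if __name__ == "__main__":
    findings = evaluate_plan(SAMPLE_PLAN)
    for f in findings:
        print(annotation(*f, detect_ci()))
    # With the scan configured as a required status check on the branch,
    # this non-zero exit is what blocks the merge.
    sys.exit(1 if findings else 0)
```

Two design points matter here. First, the `SQL-001` predicate treats a missing `public_network_access_enabled` as `True`, because that is the provider default: a policy that only flags explicit `true` values misses the most common way the misconfiguration ships. Second, the gate is the exit status, not the annotation; the annotation is developer feedback, but only a failing required check prevents the merge.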

āš ļø Exam Trap: Overlooking DevOps security in a cloud security strategy. Organizations often focus heavily on runtime protection (firewalls, NSGs) while allowing insecure code to be deployed via automated pipelines. True defense-in-depth starts in the repository.

Written by Alvin Varughese, Founder (15 professional certifications)