Merge pull request #274707 from charlesoxyer/patch-37

Update azure-devops-extension.yml with new tool integration

Author: Stacyrch140

articles/defender-for-cloud/azure-devops-extension.yml

@@ -19,8 +19,9 @@ introduction: |
   | [AntiMalware](https://www.microsoft.com/windows/comprehensive-security) | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |
   | [Bandit](https://github.com/PyCQA/bandit) | Python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) |
   | [BinSkim](https://github.com/Microsoft/binskim) | Binary--Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |
+  | [Checkov](https://github.com/bridgecrewio/checkov) | Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) |
   | [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) |
-  | [IaCFileScanner](iac-template-mapping.md) | Terraform, CloudFormation, ARM Template, Bicep | Not Open Source |
+  | [IaCFileScanner](iac-template-mapping.md) | Template mapping tool for Terraform, CloudFormation, ARM Template, Bicep | Not Open Source |
   | [Template Analyzer](https://github.com/Azure/template-analyzer) | ARM Template, Bicep | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) |
   | [Terrascan](https://github.com/accurics/terrascan) | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) |
   | [Trivy](https://github.com/aquasecurity/trivy) | container images, Infrastructure as Code (IaC) | [Apache License 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
@@ -105,22 +106,21 @@ procedureSection:
           - task: MicrosoftSecurityDevOps@1
             displayName: 'Microsoft Security DevOps'
             # inputs:    
-              # command: 'run' | 'pre-job' | 'post-job'. Optional. The command to run. Default: run
-              # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
-              # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
+              # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). Vist the MSDO GitHub wiki linked below for additional configuration instructions
+              # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy to determine the tools/checks to run. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
               # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
               # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
-              # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
-              # break: boolean. Optional. If true, will fail this build step if any error level results are found. Default: false.
+              # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
+              # break: boolean. Optional. If true, will fail this build step if any high severity level results are found. Default: false.
               # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
               # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.
             
           ```
 
         > [!NOTE]  
         > The artifactName 'CodeAnalysisLogs' is required for integration with
-        > Defender for Cloud. For additional tool configuration options and environment variables, see
-        > [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)
+        > Defender for Cloud. **For additional tool configuration options and environment variables, see
+        > [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)**
 
       - |
         To commit the pipeline, select **Save and run**.