articles/defender-for-cloud/azure-devops-extension.md
Lines changed: 17 additions & 1 deletion
@@ -112,7 +112,7 @@ If you don't have access to install the extension, you must request access from
112
112
```
113
113
114
114
> [!NOTE]
115
-
> The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options, see [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)
115
+
> The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options and environment variables, see [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)
116
116
117
117
1. To commit the pipeline, select **Save and run**.
118
118
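Review bot: the reworded note still refers to the input as `artifactName`, while the `PublishBuildArtifacts@1` example added later in this same change spells it `ArtifactName`; use one spelling so readers matching the YAML against the note are not misled. The sentence also ends at the link without a terminal period, so consider `...security-devops-action/wiki).`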
@@ -121,6 +121,22 @@ The pipeline will run for a few minutes and save the results.
121
121
> [!NOTE]
122
122
> Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab.
123
123
124
+
## Uploading findings from third-party security tooling into Defender for Cloud
125
+
126
+
While Defender for Cloud provides the MSDO CLI for standardized functionality and poliy controls across a set of open source security analyzers, you have the flexibility to upload results from other third-party security tooling that you may have configured in CI/CD pipelines to Defender for Cloud for comprehensive code-to-cloud contextualization. All results uploaded to Defender for Cloud must be in standard SARIF format.
127
+
128
+
First, ensure your Azure DevOps repositories are [onboarded to Defender for Cloud](quickstart-onboard-devops.md). After successfully onboarding, Defender for Cloud continuously monitors the 'CodeAnalysisLogs' artifact for SARIF output.
129
+
130
+
You can use the 'PublishBuildArtifacts@1' task to ensure SARIF output is published to the correct artifact. For example, if a security analyzer outputs 'results.sarif', you can configure the following task in your job to ensure results are uploaded to Defender for Cloud:
131
+
132
+
```yml
133
+
- task: PublishBuildArtifacts@1
134
+
inputs:
135
+
PathtoPublish: 'results.sarif'
136
+
ArtifactName: 'CodeAnalysisLogs'
137
+
```
138
+
Findings from third-party security tools will appear as 'Azure DevOps repositories should have code scanning findings resolved' assessments associated with the repository the secuirty finding was identified in.
139
+
124
140
## Learn more
125
141
126
142
- Learn how to [create your first pipeline](/azure/devops/pipelines/create-first-pipeline).
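Review bot: two typos in the new section: "poliy controls" in the first paragraph should be "policy controls", and "the secuirty finding was identified in" in the last paragraph should be "the security finding was identified in". Since the whole integration hinges on the artifact name, it would also help to state in the paragraph above the YAML that `ArtifactName: 'CodeAnalysisLogs'` is the value Defender for Cloud watches and that any other name is ignored, rather than leaving that only to the earlier NOTE.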