Scan every repository for code and IaC issues - no pipeline edits, no agents, and no extra effort from developers.
Most security teams want to shift left. But for many developers, "shift left" sounds like "shift pain". Coordination. YAML edits with extra pipeline steps. Build slowdowns. More friction while they're trying to go fast.
- Pipeline friction: YAML edits with extra steps
- Build slowdowns: more friction, less speed
- Complex coordination: too many moving parts
That's the tension we wanted to solve.
With agentless code scanning in Defender for Cloud, you get broad visibility into code and infrastructure risks across GitHub and Azure DevOps - without touching your CI/CD pipelines or installing anything.
Just connect your environment. We handle the rest.
Already in preview, here's what's new
Agentless code scanning was released in November 2024, and we're expanding the preview with capabilities to make it more actionable, customizable, and scalable:
- GitHub & Azure DevOps: connect your GitHub org and scan every repository automatically
- Scoping controls: choose exactly which orgs, projects, and repos to scan
- Scanner selection: enable code scanning, IaC scanning, or both
- UI and REST API: manage at scale, programmatically or in-portal
How agentless code scanning works
Agentless code scanning runs entirely outside your pipelines. Once a connector has been created, Defender for Cloud automatically discovers your repositories, pulls the latest code, scans for security issues, and publishes findings as security recommendations - every day.
Here's the flow:
1. Discover: repositories in GitHub or Azure DevOps are discovered using a built-in connector.
2. Retrieve: the latest commit from the default branch is pulled immediately, then re-scanned daily.
3. Analyze: built-in scanners run in our environment:
   - Code scanning: looks for insecure patterns, bad crypto, and unsafe functions (e.g., `pickle.loads`, `eval()`) using Bandit and ESLint.
   - Infrastructure as Code (IaC): detects misconfigurations in Terraform, Bicep, ARM templates, CloudFormation, Kubernetes manifests, Dockerfiles, and more using Checkov and Template Analyzer.
4. Publish: findings appear as Security recommendations in Defender for Cloud, with full context: file path, line number, rule ID, and guidance to fix.
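As an added illustration (not Microsoft's code and not Bandit's own rules), the two unsafe patterns named above next to hardened replacements a developer can switch to once the finding arrives; the setting names in `ALLOWED_SETTINGS` are assumptions for the example:

```python
import ast
import json
import pickle

# Flagged by the code scanner (Bandit B301): untrusted bytes straight into
# pickle, which can execute arbitrary code during deserialization.
def load_settings_unsafe(blob: bytes):
    return pickle.loads(blob)

# Flagged by the code scanner (Bandit B307): untrusted text evaluated as Python.
def parse_value_unsafe(text: str):
    return eval(text)

# Hardened replacement: JSON plus an explicit allow-list of keys and types
# (the setting names here are assumptions for the example).
ALLOWED_SETTINGS = {"retries": int, "endpoint": str, "verbose": bool}

def load_settings(blob: bytes) -> dict:
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    for key, value in data.items():
        expected = ALLOWED_SETTINGS.get(key)
        # bool is a subclass of int, so reject true/false where an int is expected
        if expected is None or not isinstance(value, expected) or \
                (expected is int and isinstance(value, bool)):
            raise ValueError(f"unexpected setting {key!r}")
    return data

# Hardened replacement: literal_eval accepts only Python literals (numbers,
# strings, lists, dicts, ...) and rejects names, calls and attribute access.
def parse_value(text: str):
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError) as exc:
        raise ValueError(f"not a plain literal: {text!r}") from exc

def rejected(fn, arg) -> bool:
    """True if fn(arg) raises ValueError; shows what the hardened forms refuse."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False
```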
Get started in under a minute
1. In Defender for Cloud, go to Environment settings → DevOps Security.
2. Add a connector:
   - Azure DevOps: requires Azure Security Admin and ADO Project Collection Admin
   - GitHub: requires Azure Security Admin and GitHub Org Owner to install the Microsoft Security DevOps app
3. Choose your scanning scope and scanners.
4. Click Save, and we'll run the first scan immediately.
No pipeline configuration. No agent installed. No developer effort.
Do I still need in-pipeline scanning?
Short answer: yes - if you want depth and speed in the development workflow.
Agentless scanning gives you fast, wide coverage. But Defender for Cloud also supports in-pipeline scanning using the Microsoft Security DevOps (MSDO) command-line application for Azure DevOps or the MSDO GitHub Action. Each method has its own strengths. Here's how to think about when to use which, and why many teams choose both:
| When to use... | Agentless scanning | In-pipeline scanning |
|---|---|---|
| Visibility | Quickly assess all repos at org level | Scans and enforces every PR and commit |
| Setup | Requires only a connector | Requires pipeline (YAML) edits |
| Dev experience | No impact on build time | Inline feedback inside PRs and builds |
| Granularity | Repo-level control with code and IaC scanners | Fine-tuned control per tool or branch |
| Depth | Default branch scans, no build context | Full build artifact, container, and dependency scanning |
Best practice: start broad with agentless. Go deeper with in-pipeline scans where "break the build" makes sense.
Already using GitHub Advanced Security (GHAS)?
GitHub Advanced Security (GHAS) includes built-in scanning for secrets, CodeQL, and open-source dependencies - directly in GitHub and Azure DevOps.
You don't need to choose. Defender for Cloud complements GHAS by:
- Surfacing GHAS findings inside Defender for Cloud's Security recommendations
- Adding broader context across code, infrastructure, and identity
- Requiring no extra setup - findings flow in through the connector
You get centralized visibility, even if your teams are split across tools. One console. Full picture.
Core scenarios you can tackle today
Catch IaC misconfigurations early
Scan for critical misconfigurations in Terraform, ARM, Bicep, Dockerfiles, and Kubernetes manifests. Flag issues like public storage access or open network rules before they're deployed.
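The two misconfigurations just named, checked over a constructed ARM template, as an added example that is not Defender for Cloud's scanner or Checkov's rules; the resource names and the rule ids are assumptions, while the property names follow the public ARM schema for storage accounts and network security groups:

```python
import copy
import json
from typing import List

# Constructed sample (not from the post): a storage account that allows public
# blob access and an NSG rule that opens SSH to any source.  Property names
# follow the public ARM resource schema.
WEAK = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdata01",
     "properties": {"allowBlobPublicAccess": True}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [{"name": "allow-ssh", "properties": {
         "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "22"}}]}}]}
WEAK_TEMPLATE = json.dumps(WEAK)

# Same template with the two settings corrected.
_fixed = copy.deepcopy(WEAK)
_fixed["resources"][0]["properties"]["allowBlobPublicAccess"] = False
_fixed["resources"][1]["properties"]["securityRules"][0]["properties"][
    "sourceAddressPrefix"] = "10.0.0.0/8"
HARDENED_TEMPLATE = json.dumps(_fixed)

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def check_template(template_text: str) -> List[dict]:
    """Return one finding per weak setting: resource, rule id, and fix guidance."""
    findings = []
    for res in json.loads(template_text).get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.Storage/storageAccounts":
            # Require an explicit false rather than relying on platform defaults.
            if props.get("allowBlobPublicAccess") is not False:
                findings.append({"resource": res["name"],
                                 "rule": "storage-public-blob-access",
                                 "fix": "set properties.allowBlobPublicAccess to false"})
        elif res.get("type") == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rp = rule.get("properties", {})
                if (rp.get("direction") == "Inbound" and rp.get("access") == "Allow"
                        and rp.get("sourceAddressPrefix") in ANY_SOURCE):
                    findings.append({"resource": f"{res['name']}/{rule['name']}",
                                     "rule": "nsg-inbound-open-to-any",
                                     "fix": "restrict sourceAddressPrefix to known ranges"})
    return findings
```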
Bring code risk into context
All findings appear in the same portal you use for VM and container security. No more jumping between tools - triage issues by risk, drill into the affected repository and file, and route them to the right owner.
Focus on what matters
Customize which scanners run and where. Continuously scan production repositories. Skip forks. Run scoped PoCs. Keep pace as repositories grow - new ones are auto-discovered.
What you'll see - and where
All detected security issues show up as security recommendations in the recommendations and DevOps Security blades in Defender for Cloud. Every recommendation includes:
- Affected repository, branch, file path, and line number
- The scanner that found it
- Clear guidance to fix
(Screenshot: example finding with exact file path, line number, and fix guidance, all within Defender for Cloud.)
What's next
We're not stopping here. These are already in development:
- Secret scanning: identify leaked credentials alongside code and IaC findings
- Dependency scanning: open-source dependency scanning (SCA)
- Multi-branch support: scan protected and non-default branches
Follow updates in our Tech Community and release notes.
Try it now - and help us shape what comes next
- Connect GitHub or Azure DevOps to Defender for Cloud (free during preview) and enable agentless code scanning
- View your discovered DevOps resources in the Inventory or DevOps Security blades
- Enable scanning and review recommendations under Microsoft Defender for Cloud → Recommendations
Shift left without slowing down.
Start scanning smarter with agentless code scanning today.
Helpful resources to learn more
- Learn more in the Defender for Cloud in the Field episode on agentless code scanning
- Overview of Microsoft Defender for Cloud DevOps security
- Agentless code scanning - configuration, capabilities, and limitations
- Set up in-pipeline scanning in:
- Azure DevOps
- GitHub action
- Other CI/CD pipeline tools (Jenkins, BitBucket Pipelines, Google Cloud Build, Bamboo, CircleCI, and more)