JosiahSiegel/defender-for-devops
plugins/ado-master/skills/defender-for-devops/SKILL.md
Microsoft Defender for DevOps integration with Azure Pipelines. PROACTIVELY activate for: (1) adding security scanning to a pipeline, (2) Microsoft Security DevOps task (MSDO), (3) SAST tools (CredScan, ESLint, BinSkim, Bandit, Semgrep), (4) dependency scanning (Dependency-Check, Snyk), (5) container image scanning (Trivy, Defender for Containers), (6) IaC scanning (Checkov, Terrascan), (7) secret scanning, (8) SARIF results upload, (9) Defender for Cloud connector setup, (10) compliance reporting and policy gates. Provides: MSDO task YAML, scanner enable/disable matrix, SARIF integration, Defender connector setup steps, and a quality-gate template.
$ install --global
skillsauthnpx skillsauth add JosiahSiegel/claude-plugin-marketplace defender-for-devopsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 21, 2026, 7:55 AM206.8s1 file scanned
SKILL.md
- name:
- defender-for-devops
- description:
- |
- PROACTIVELY activate for:
- (1) adding security scanning to a pipeline, (2) Microsoft Security DevOps task (MSDO), (3) SAST tools (CredScan, ESLint, BinSkim, Bandit, Semgrep), (4) dependency scanning (Dependency-Check, Snyk), (5) container image scanning (Trivy, Defender for Containers), (6) IaC scanning (Checkov, Terrascan), (7) secret scanning, (8) SARIF results upload, (9) Defender for Cloud connector setup, (10) compliance reporting and policy gates.
- Provides:
- MSDO task YAML, scanner enable/disable matrix, SARIF integration, Defender connector setup steps, and a quality-gate template.
🚨 CRITICAL GUIDELINES
Windows File Path Requirements
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).
Examples:
- ❌ WRONG:
D:/repos/project/file.tsx - ✅ CORRECT:
D:\repos\project\file.tsx
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
Documentation Guidelines
NEVER create new documentation files unless explicitly requested by the user.
- Priority: Update existing README.md files rather than creating new documentation
- Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
- Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
- User preference: Only create additional .md files when user specifically asks for documentation
Microsoft Defender for DevOps Integration
Complete guide to integrating Microsoft Defender for Cloud security scanning into Azure Pipelines.
Overview
Microsoft Security DevOps (MSDO) provides comprehensive security scanning capabilities:
- SAST: Static Application Security Testing
- Secret Detection: Identify hardcoded secrets and credentials
- Dependency Scanning: Vulnerable package detection
- IaC Scanning: Infrastructure as Code security analysis
- Container Scanning: Image vulnerability assessment with Trivy
Microsoft Security DevOps Extension
Installation:
- Install from Azure DevOps Marketplace
- Configure in pipeline YAML
- View results in Scans tab
- Integrate with Defender for Cloud
Extension Capabilities:
- Converts results to SARIF format
- Displays findings in Scans tab
- Integrates multiple security tools
- Provides centralized security insights
YAML Integration
Basic MSDO Task
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
stages:
- stage: Build
jobs:
- job: BuildAndScan
steps:
- task: UseDotNet@2
displayName: 'Install .NET SDK'
inputs:
version: '8.x'
- task: DotNetCoreCLI@2
displayName: 'Build Project'
inputs:
command: 'build'
projects: '**/*.csproj'
# Microsoft Security DevOps Scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Run Microsoft Security DevOps'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: false # Don't fail pipeline on findings
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
# Display results in Scans tab
- task: PostAnalysis@2
displayName: 'Post Analysis'
inputs:
break: false
Advanced Configuration with Breaking Builds
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scanning (Break on Critical)'
inputs:
# Scan categories
categories: 'secrets,code,dependencies,IaC,containers'
# Break build on severity
break: true
breakSeverity: 'critical' # Options: critical, high, medium, low
# Tool configuration
tools: 'all' # Or specific: 'credscan,eslint,trivy'
# Output configuration
publishResults: true
continueOnError: false
Conditional Scanning
# Full scan on main, quick scan on branches
- task: MicrosoftSecurityDevOps@1
displayName: 'Security Scan'
inputs:
categories: ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
value: 'secrets,code,dependencies,IaC,containers'
${{ else }}:
value: 'secrets,code'
break: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
Integrated Security Tools
1. Secret Scanning
Replaced: CredScan deprecated September 2023 Current: GitHub Advanced Security for Azure DevOps or MSDO secrets scanning
# MSDO secrets scanning
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets'
break: true # Always break on secrets
Common secrets detected:
- API keys and tokens
- Database connection strings
- Cloud provider credentials
- SSH private keys
- OAuth tokens
2. Static Code Analysis (SAST)
- task: MicrosoftSecurityDevOps@1
displayName: 'SAST Scan'
inputs:
categories: 'code'
tools: 'eslint,bandit,semgrep'
Supported languages:
- JavaScript/TypeScript (ESLint)
- Python (Bandit)
- Go (gosec)
- Java (SpotBugs)
- C# (.NET Security Guard)
3. Dependency Scanning
- task: MicrosoftSecurityDevOps@1
displayName: 'Dependency Scan'
inputs:
categories: 'dependencies'
tools: 'trivy,govulncheck'
Detects:
- Known CVEs in dependencies
- Outdated packages
- License compliance issues
- Transitive vulnerabilities
4. Infrastructure as Code (IaC) Scanning
- task: MicrosoftSecurityDevOps@1
displayName: 'IaC Security Scan'
inputs:
categories: 'IaC'
tools: 'terrascan,checkov,templateanalyzer'
Scans:
- Terraform configurations
- ARM templates
- Bicep files
- Kubernetes manifests
- CloudFormation templates
5. Container Image Scanning
- task: MicrosoftSecurityDevOps@1
displayName: 'Container Security Scan'
inputs:
categories: 'containers'
tools: 'trivy'
Trivy scans for:
- OS vulnerabilities
- Application dependencies
- Misconfigurations
- Secrets in images
- License issues
Integration with Defender for Cloud
Enable Defender for DevOps
# Pipeline automatically sends results to Defender for Cloud
# when MSDO extension is connected
- task: MicrosoftSecurityDevOps@1
displayName: 'Scan and send to Defender'
inputs:
categories: 'all'
publishResults: true
# Results appear in:
# Defender for Cloud → DevOps Security → Findings
Benefits:
- Centralized security dashboard
- Cross-pipeline insights
- Compliance reporting
- Security trend analysis
- Integration with Azure Security Center
Complete Security Pipeline Example
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-24.04'
variables:
- name: breakOnCritical
value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
stages:
- stage: SecurityScan
displayName: 'Security Analysis'
jobs:
- job: StaticAnalysis
displayName: 'Static Security Analysis'
steps:
- checkout: self
fetchDepth: 1
# Install dependencies
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm ci
displayName: 'Install dependencies'
# Build application
- script: npm run build
displayName: 'Build application'
# Docker build for container scanning
- task: Docker@2
displayName: 'Build Docker image'
inputs:
command: 'build'
Dockerfile: 'Dockerfile'
tags: '$(Build.BuildId)'
# Comprehensive security scan
- task: MicrosoftSecurityDevOps@1
displayName: 'Microsoft Security DevOps Scan'
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: $(breakOnCritical)
breakSeverity: 'high'
tools: 'all'
# Publish SARIF results
- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish SARIF Logs'
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
# Post-analysis with results
- task: PostAnalysis@2
displayName: 'Security Post Analysis'
inputs:
break: $(breakOnCritical)
# Generate security report
- script: |
echo "Security scan completed"
echo "Results available in Scans tab"
displayName: 'Security Summary'
condition: always()
- stage: Deploy
dependsOn: SecurityScan
condition: succeeded()
jobs:
- deployment: DeployApp
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying secure application"
Advanced Security Features (Coming 2025)
Roadmap features:
- Pull request build validation
- Break pipeline on alert severity
- Advanced Security dashboard
- Custom CodeQL queries
- Integration with GitHub Advanced Security
GitHub Advanced Security for Azure DevOps
Alternative to MSDO for secret scanning:
# Requires GitHub Advanced Security license
# Provides:
# - Secret scanning
# - Code scanning with CodeQL
# - Dependency vulnerability alerts
# - Security overview dashboard
# Configuration in Azure DevOps organization settings
# Scans run automatically on commits and PRs
Best Practices
Pipeline Security:
- Run security scans on every commit
- Break builds on critical/high severity findings
- Scan both code and dependencies
- Include IaC security validation
- Scan container images before push
- Review findings regularly
Configuration:
# Recommended configuration
- task: MicrosoftSecurityDevOps@1
inputs:
categories: 'secrets,code,dependencies,IaC,containers'
break: true
breakSeverity: 'high' # Adjust based on risk tolerance
publishResults: true
Integration:
- Enable Defender for DevOps in Azure portal
- Configure organization-level policies
- Set up automated notifications
- Create security dashboards
- Establish remediation workflows
Viewing Results
In Pipeline:
- Navigate to pipeline run
- Click "Scans" tab
- Review findings by severity
- Click findings for details and remediation
In Defender for Cloud:
- Azure Portal → Defender for Cloud
- DevOps Security
- View findings across all pipelines
- Filter by severity, project, repository
- Track remediation progress
Troubleshooting
Common Issues:
MSDO task fails:
# Enable verbose logging
- task: MicrosoftSecurityDevOps@1
env:
MSDO_VERBOSE: true
inputs:
categories: 'all'
False positives:
# Suppress findings with .gdnconfig file
# In repository root:
{
"tools": {
"trivy": {
"enabled": true,
"severities": ["CRITICAL", "HIGH"]
}
}
}
Performance:
- Cache tool downloads
- Limit scan categories on branches
- Use parallel stages for large repos
Resources
- Microsoft Security DevOps Extension
- Defender for DevOps Documentation
- SARIF Format Specification
- Security Tools Integration
Related Skills
JosiahSiegel/ml-training
development
VerifiedTrustedCommunity
This skill should be used when the user asks to train, debug, scale, or improve ML models. PROACTIVELY activate for: (1) PyTorch, TensorFlow/Keras, JAX, Flax, Hugging Face Trainer/Accelerate training loops, (2) distributed training, DDP/FSDP/DeepSpeed, TPU/GPU setup, (3) mixed precision AMP/bf16, gradient accumulation, checkpointing, seeding, (4) overfitting, imbalance, loss functions, regularization, LR schedules, warmup, (5) memory optimization, gradient checkpointing, offloading, quantization-aware training. Provides: reproducible training best practices across deep learning and classical ML.
38SKILL.mdUpdated May 28, 2026
JosiahSiegel/ml-mlops
development
VerifiedTrustedCommunity
This skill should be used when the user asks to productionize, track, version, govern, monitor, or automate ML systems. PROACTIVELY activate for: (1) MLflow, Weights & Biases, Neptune, Comet, ClearML experiment tracking, (2) model registry, model versioning, artifact lineage, reproducibility, (3) Kubeflow, SageMaker Pipelines, Vertex AI Pipelines, Azure ML pipelines, Databricks workflows, (4) CI/CD, continuous training/evaluation, A/B tests, canary/shadow deployments, (5) drift detection, model monitoring, data validation, responsible AI governance. Provides: end-to-end MLOps architecture and operational safeguards.
38SKILL.mdUpdated May 28, 2026
JosiahSiegel/ml-inference-optimization
development
VerifiedTrustedCommunity
This skill should be used when the user asks to optimize, export, serve, compress, or accelerate ML inference. PROACTIVELY activate for: (1) latency, throughput, p95/p99, batching, concurrency, KV cache, memory, or cost issues, (2) quantization INT8/INT4, GPTQ, AWQ, bitsandbytes, pruning, sparsity, distillation, (3) ONNX export, ONNX Runtime, TensorRT, TorchScript, torch.compile, XLA, OpenVINO, Core ML, TFLite, (4) Triton, TorchServe, TF Serving, BentoML, Seldon, KServe configuration, (5) edge deployment, CPU/GPU/TPU/Inferentia serving. Provides: hardware-aware inference optimization and safe benchmarking.
38SKILL.mdUpdated May 28, 2026
JosiahSiegel/ml-hyperparameter-tuning
testing
VerifiedTrustedCommunity
This skill should be used when the user asks to tune hyperparameters, run sweeps, optimize search spaces, or use AutoML. PROACTIVELY activate for: (1) Optuna, Ray Tune, FLAML, AutoGluon, Hyperopt, Nevergrad, KerasTuner, W&B sweeps, (2) grid search, random search, Bayesian optimization, TPE, Gaussian processes, evolutionary search, (3) ASHA, Hyperband, successive halving, multi-fidelity optimization, population-based training, (4) learning-rate finder, batch-size search, early stopping, pruning, (5) reproducible sweep design and experiment analysis. Provides: budget-aware hyperparameter search strategy.
38SKILL.mdUpdated May 28, 2026