πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-400 Domain 4
Domain 4 β€” Module 4 of 4 100%
23 of 25 overall

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces
Domain 4: Develop a Security and Compliance Plan Premium ⏱ ~14 min read

Security Scanning: GHAS, Defender & Dependabot

Automate security scanning with GitHub Advanced Security, Microsoft Defender for Cloud DevOps, CodeQL, Dependabot, and container scanning. Design compliance strategies for open-source governance.

Why automated security scanning is non-negotiable

β˜• Simple explanation

Think of airport security.

Every passenger walks through a metal detector. Every bag goes through an X-ray. This happens automatically, for every flight, every time. Nobody skips it because they are in a hurry. Nobody says β€œI checked my bag myself, it is fine.”

Security scanning in DevOps is the same idea. Every code change goes through automated scanners β€” looking for vulnerable dependencies, insecure code patterns, leaked secrets, and dodgy open-source licences. It happens automatically in the pipeline, every time, for every PR. Nobody skips it.

The AZ-400 exam dedicates significant weight to designing and implementing a security scanning strategy. This module covers the full scanning landscape: GitHub Advanced Security (GHAS), Microsoft Defender for Cloud DevOps Security, Dependabot, container scanning, and open-source governance. Dr. Amira’s consulting practice revolves around exactly these capabilities.

  • Code scanning β€” static analysis with CodeQL to find vulnerabilities in your code
  • Secret scanning β€” detecting accidentally committed credentials
  • Dependency scanning β€” Dependabot alerts for vulnerable packages
  • Container scanning β€” image vulnerability scanning with Defender or Trivy
  • Licence compliance β€” governing open-source usage
  • Defender for Cloud integration β€” unified security posture across DevOps environments

The scanning strategy landscape

Before diving into individual tools, understand the five categories of scanning the exam expects you to design for:

Scan TypeWhat It FindsKey ToolWhen It Runs
Dependency scanningKnown vulnerabilities (CVEs) in third-party packagesDependabot, npm audit, OWASP Dependency-CheckPR, push, scheduled
Code scanning (SAST)Vulnerabilities in YOUR code β€” SQL injection, XSS, insecure deserializationCodeQL, SonarQube, SemgrepPR, push
Secret scanningAccidentally committed credentials β€” API keys, tokens, passwordsGHAS Secret Scanning, git-secretsPush, historical scan
Licence scanningOpen-source licence compliance β€” GPL, AGPL restrictions in commercial softwareFOSSA, Snyk, GitHub licence detectionPR, scheduled
Container scanningVulnerabilities in container base images and layersDefender for Containers, Trivy, AquaBuild, registry push, scheduled

GitHub Advanced Security (GHAS)

GHAS is GitHub’s integrated security suite. It includes three core capabilities.

1. Code scanning with CodeQL

CodeQL is a semantic code analysis engine that treats code as data. You write queries (or use GitHub’s default query suites) that find vulnerability patterns.

How it works:

  1. CodeQL builds a database from your source code (compiles it into a queryable format)
  2. Query suites run against the database β€” hundreds of checks for common vulnerability patterns
  3. Results appear as alerts on the Security tab and inline on PRs

Supported languages: C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift

Configuration: Add a workflow file .github/workflows/codeql-analysis.yml:

name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Weekly Monday 6am

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    strategy:
      matrix:
        language: ['javascript', 'python']
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

2. Secret scanning

Secret scanning detects over 200 token patterns from service providers (AWS, Azure, GitHub, Slack, Stripe, etc.).

Two modes:

  • Push protection (recommended) β€” blocks the push BEFORE the secret enters the repository. The developer sees a warning and must either remove the secret or provide a justification to bypass.
  • Alert mode β€” scans existing repository history and alerts on found secrets. Does not block pushes.

Custom patterns: You can define custom regex patterns for organisation-specific secrets (internal API keys, custom token formats).

3. Dependabot

Dependabot provides three services:

ServiceWhat It DoesConfiguration
Dependabot alertsNotifies you when a dependency has a known vulnerabilityEnabled per-repo (no config file needed)
Dependabot security updatesAutomatically creates PRs to update vulnerable dependencies to the minimum safe versionEnable in repo settings
Dependabot version updatesAutomatically creates PRs to keep ALL dependencies up to date (not just vulnerable ones)Requires dependabot.yml config file

The dependabot.yml file lives in .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
Question

What is the difference between Dependabot security updates and Dependabot version updates?

Click or press Enter to reveal answer

Answer

Security updates: automatically create PRs ONLY for dependencies with known vulnerabilities, updating to the minimum version that fixes the CVE. Version updates: automatically create PRs to keep ALL dependencies current (latest versions), regardless of vulnerabilities. Security updates are reactive (responding to CVEs). Version updates are proactive (staying current to reduce future vulnerability surface).

Click to flip back

GHAS for Azure DevOps

GitHub Advanced Security is also available for Azure DevOps repositories β€” it is not GitHub-exclusive.

GHAS for Azure DevOps includes:

  • Dependency scanning β€” scans package manifests (NuGet, npm, Maven, pip, Go) for known CVEs
  • Secret scanning β€” detects committed credentials with push protection
  • Code scanning β€” CodeQL analysis integrated into Azure Pipelines

Configuration: Enable GHAS at the organisation level in Azure DevOps, then per-repository. Add the GHAS tasks to your pipeline:

steps:
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: 'csharp'
  - task: AdvancedSecurity-Codeql-Autobuild@1
  - task: AdvancedSecurity-Codeql-Analyze@1
  - task: AdvancedSecurity-Dependency-Scanning@1
  - task: AdvancedSecurity-Publish@1

Results appear in the Advanced Security tab within the Azure DevOps repository, similar to the GitHub Security tab.

Question

Can you use GitHub Advanced Security (GHAS) with Azure DevOps repositories?

Click or press Enter to reveal answer

Answer

Yes. GHAS for Azure DevOps provides dependency scanning, secret scanning (with push protection), and CodeQL code scanning for Azure Repos. It is licensed per active committer, just like GHAS on GitHub. Enable it at the Azure DevOps organisation level, then add the GHAS pipeline tasks.

Click to flip back

Microsoft Defender for Cloud DevOps Security

Defender for Cloud DevOps Security provides a unified security posture view across multiple DevOps environments β€” GitHub, Azure DevOps, and GitLab.

What it does

  • Connects to your GitHub orgs and Azure DevOps projects via connectors in Defender for Cloud
  • Aggregates security findings from GHAS, Dependabot, and CodeQL into the Defender for Cloud dashboard
  • Provides recommendations for DevOps security posture (e.g., enable branch protection, enable secret scanning)
  • Maps findings to resources β€” correlates code vulnerabilities with the Azure resources they deploy to

Integration with GHAS

When GHAS and Defender for Cloud are both enabled:

  1. GHAS scans the code and generates alerts in GitHub / Azure DevOps
  2. Defender for Cloud ingests these alerts via the DevOps connector
  3. The Defender dashboard shows a unified view: code vulnerabilities, infrastructure misconfigurations, and runtime threats β€” all correlated
Scenario: Amira builds a unified security view

πŸ›οΈ Dr. Amira Hassan’s new client has 40 GitHub repositories and 25 Azure DevOps repositories across three business units. Each unit manages security independently β€” no central visibility.

Amira’s implementation:

  1. Enables GHAS on all GitHub repos (code scanning, secret scanning, Dependabot)
  2. Enables GHAS for Azure DevOps on all Azure Repos (dependency, secret, and code scanning)
  3. Creates Defender for Cloud connectors for both the GitHub org and all three Azure DevOps orgs
  4. Configures Defender for Cloud DevOps Security recommendations
  5. Creates a single Defender dashboard showing all findings across all 65 repos

Result: Farah (junior consultant) can now triage all security findings from one dashboard instead of checking 65 repositories individually. Severity-based prioritisation means critical vulnerabilities are addressed first.

Container scanning

Container image scanning

Container images often contain vulnerable packages in their base layers. Scanning should happen at two points:

  1. Build time β€” scan the image in the CI pipeline before pushing to a registry
  2. Registry level β€” continuous scanning of images already stored in the registry

Tools for container scanning

Container Scanning Tools
ToolWhere It RunsIntegrationBest For
Microsoft Defender for ContainersAzure Container Registry, AKSNative Azure integration, continuous scanningAzure-native teams needing registry + runtime scanning
TrivyCI pipeline (GitHub Actions, Azure Pipelines)Open-source, fast, wide format supportTeams wanting free, fast build-time scanning
Aqua SecurityCI pipeline, registry, runtimeEnterprise, policy-basedLarge enterprises with complex compliance needs
Snyk ContainerCI pipeline, registryDeveloper-friendly, fix suggestionsDeveloper teams wanting actionable fix guidance

CodeQL in containers

You can run CodeQL analysis inside a container to ensure a consistent build environment:

jobs:
  analyze:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/dotnet/sdk:8.0
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: 'csharp'
      - run: dotnet build
      - uses: github/codeql-action/analyze@v3

This is useful when your project requires specific SDKs or compilers that are not on the GitHub-hosted runner image.

Question

At what two points should container images be scanned for vulnerabilities?

Click or press Enter to reveal answer

Answer

1. Build time β€” scan in the CI pipeline immediately after building the image, before pushing to any registry. This catches vulnerabilities before they enter your supply chain. 2. Registry level β€” continuous scanning of stored images to catch newly discovered CVEs in previously clean images. Microsoft Defender for Containers handles registry-level scanning for ACR.

Click to flip back

Open-source governance and licence compliance

Why licences matter

Open-source dependencies come with licences that impose legal obligations:

Licence TypeObligationCommercial Risk
MIT, Apache 2.0, BSDAttribution onlyLow β€” permissive, business-friendly
LGPLMust share modifications to the library itselfMedium β€” dynamic linking usually safe
GPLMust open-source your entire derivative workHigh β€” can force open-sourcing proprietary code
AGPLGPL obligations extend to network use (SaaS)Very high β€” even server-side use triggers obligations
No licenceNo permissions granted (all rights reserved)Very high β€” legally you cannot use it

Governance approach

  1. Define an approved licence list β€” MIT, Apache 2.0, BSD, ISC are typically safe
  2. Automate licence detection β€” tools like FOSSA, Snyk, or the GitHub dependency graph detect licences
  3. Block risky licences in the pipeline β€” fail the build if a GPL or AGPL dependency is introduced
  4. Maintain a Software Bill of Materials (SBOM) β€” track all dependencies and their licences for audit
Question

Why is the AGPL licence particularly risky for SaaS applications?

Click or press Enter to reveal answer

Answer

AGPL extends the GPL copyleft obligations to network use. If your SaaS application uses an AGPL-licensed component, you may be legally required to release your entire application's source code to anyone who interacts with it over a network β€” even if you never distribute a binary. This can force open-sourcing proprietary SaaS code.

Click to flip back
πŸ’‘ Exam tip: Scanning strategy design

The exam may ask you to design a complete scanning strategy. Cover all five pillars:

  1. Dependencies β€” Dependabot alerts + security updates for known CVEs
  2. Code β€” CodeQL in PR and push workflows for SAST
  3. Secrets β€” GHAS secret scanning with push protection enabled
  4. Licences β€” Automated licence detection with policy enforcement
  5. Containers β€” Build-time scanning (Trivy/Defender) + registry continuous scanning

Remember: scanning should be shift-left (catch issues in PRs, not in production) and automated (no manual steps that developers can skip).

Knowledge check

Knowledge Check

Amira needs to prevent developers from accidentally pushing API keys into any repository in the organisation. She wants the push to be blocked before the secret enters Git history. What should she enable?
Knowledge Check

Kai's startup uses npm packages heavily. He wants to be alerted when a dependency has a known CVE AND automatically receive PRs that update to the patched version. He also wants all dependencies kept current, not just vulnerable ones. What Dependabot features does he need?
Knowledge Check

Jordan's team runs Defender for Cloud and GHAS. Where does Jordan see a UNIFIED view of security findings across both GitHub and Azure DevOps repositories?

🎬 Video coming soon

Security Scanning: GHAS, Defender & Dependabot

Next up: Monitoring for DevOps: Azure Monitor and App Insights

← Previous

Secrets & Secure Pipelines: Key Vault & Workload Federation

Next β†’

Monitoring for DevOps: Azure Monitor & App Insights

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.