microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License
60 stars, 16 forks

FR: 🙏 For better cybersecurity for everyone: GitHub and Defender for DevOps! Be an enabler! (allow 3rd-party SARIF upload w/o GHAS license) #20

Closed. dnetoa closed this 1 year ago

dnetoa commented 1 year ago

Hi,

Bringing over a topic that I started on GitHub Community.

I want to bring up this topic because I believe that colleagues and professionals have similar opinions, and maybe it can at least spark a good discussion about this.

We're facing the most challenging cybersecurity era, given our perennial shortage of professionals, but also the rapid growth of attacks and the requirement to keep improving continuously during digital transformation. One of the biggest challenges is to "connect the dots" and "build bridges" between all the small or big tools that you already have and need to carry forward across your endless pipelines/processes/technologies/developers... (you know, it's an infinite game).

In recent years Microsoft has played an important role in becoming more agnostic, multi-cloud, and much more open to the community and to open standards.

With the recent launch of Defender for DevOps we see how they're progressing in covering customers, businesses, and people as fast and as broadly as they can.

Immediately you want to connect all your tools, and you realize that to benefit from this integration, pushing the results from your 3rd-party tools for secret scanning, code scanning, and all the others to GitHub and finally to MSDO, you must have GHAS.

I believe that 99% of GitHub customers already have a security pipeline with 3rd-party tools like SAST, DAST, IaC scanners, secret scanners, and other open-source tools that support the SARIF format. I hope that, for the good of the cybersecurity ecosystem, GitHub can allow customers that have more than 3 tools to do a complementary job, to give developers better visibility and to educate them about cybersecurity in a broad and simpler way. It's not only for the MSDO integration but also to help security teams communicate better with developers. I don't think this reduces the GHAS product's value or its strong points; on the contrary, it will encourage healthy competition between tools and, in the end, improve customers' security. I may be wrong, but I think it was fair to shed some light on this topic with community members. 😉

Regards,

sukhans commented 1 year ago

Hi, thanks for your feedback. We have added this to our requested features list and will discuss it within the team in terms of feasibility and priority. We cannot commit to anything more at this point.