
Demo: DevSecOps - Overview

Costa Rica

GitHub Cloud2BR OSS - Learning Hub

Last updated: 2026-01-25


```mermaid
graph TD
    A[Dev Platform - VS/VSC] --> B[Code Platform - GHE/GHES]
    B --> C[AI Productivity - GHC]
    B --> D[Security, Code Scanning, Secret Scanning - GHAS]
    B --> E[Quality & Analysis - GHCQ]
    A --> F[Boards + Pipelines - ADO]
    F --> G[CI/CD + Testing - GHA]
```

Important

The information provided and any document (such as scripts, sample codes, etc.) is provided AS-IS and WITH ALL FAULTS. Pricing estimates are for demonstration purposes only and do not reflect final pricing. Microsoft assumes no liability for your use of this information and makes no guarantees or warranties, expressed or implied, regarding its accuracy or completeness, including any pricing details. Please note that these demos are intended as a guide and are based on personal experiences. For official guidance, support, or more detailed information, please refer to Microsoft's official documentation or contact Microsoft directly: Microsoft Sales and Support


Note

  • Visual Studio - Dev Platform
  • Azure DevOps - Boards + Pipelines
  • GitHub areas - Code Platform:
    • GitHub Enterprise Cloud - SaaS
    • GitHub Enterprise Server - Self‑Hosted
    • GitHub Copilot for Business - AI Productivity
    • GitHub Copilot for Enterprise - AI Productivity + Governance
    • GitHub Advanced Security (Code Scanning, Secret Scanning) - Security
    • GitHub Actions - CI/CD + Testing
    • GitHub Code Quality (coming soon) - Quality & Analysis

DevOps + Security

In this DevSecOps demo, we start by setting up a new project in Azure DevOps and using Boards to plan work with epics, features, and user stories. We then link a fresh GitHub Enterprise repository to track development progress, coding in Visual Studio with GitHub Copilot to accelerate productivity while enforcing governance. From there, we configure Azure DevOps Pipelines to provision and deploy the Azure infrastructure consistently, and use GitHub Actions for application builds, integration testing, and regression checks so that nothing breaks. We layer in GitHub Advanced Security for code scanning, secret detection, and dependency alerts, and add GitHub Code Quality for maintainability analysis. Finally, we deploy through Azure DevOps Release Pipelines and monitor with Azure Monitor and Application Insights to close the loop with observability and continuous feedback. This flow demonstrates how planning, coding, building, testing, securing, deploying, and monitoring integrate in a DevSecOps pipeline.

| SDLC Stage | Area / Tool | What It Does (Function) | Value to DevSecOps (Why It Matters) |
|---|---|---|---|
| Plan | Azure DevOps Boards | - Work tracking<br>- Backlog management<br>- Sprint planning | - Creates traceability from idea → code → deployment<br>- Aligns teams with agile processes |
| Code | Visual Studio / VS Code<br>GitHub Copilot (Business/Enterprise) | - IDE integration, debugging, extensions<br>- AI-assisted coding<br>- Governance features (Enterprise) | - Boosts developer speed and productivity<br>- Ensures AI suggestions comply with organizational policies |
| Build | Azure DevOps Pipelines<br>GitHub Actions | - YAML pipelines, multi-stage builds<br>- Workflow automation, CI/CD | - Ensures repeatable builds and consistent releases<br>- Provides fast feedback loops |
| Test | Azure DevOps Test Plans<br>GitHub Actions | - Manual + automated test management<br>- Traceability from requirements → tests → deployments<br>- Automated validations in workflows | - Strengthens quality assurance<br>- Provides visibility and accountability across the lifecycle |
| Secure | GitHub Advanced Security<br>Azure Security Center + Defender for Cloud | - Code scanning (SAST)<br>- Secret scanning<br>- Dependency alerts<br>- Runtime monitoring<br>- Compliance dashboards | - Shifts security left by catching vulnerabilities early<br>- Protects workloads post-deployment<br>- Ensures compliance with CIS, NIST, ISO standards |
| Deploy | Azure DevOps Release Pipelines<br>GitHub Actions | - Canary, blue-green deployments<br>- Controlled release management<br>- Direct deploy to Azure services | - Provides enterprise-grade deployment strategies<br>- Enables reliable and governed releases |
| Monitor | Azure Monitor + Application Insights | - Collects logs, metrics, traces<br>- Provides alerts and dashboards | - Enables observability and feedback loops<br>- Feeds insights back into Boards for continuous improvement |
| Quality & Governance (cross-cutting) | GitHub Code Quality (coming soon)<br>GitHub Copilot for Enterprise | - Static analysis<br>- Maintainability checks<br>- Governance features for AI suggestions | - Improves long-term code maintainability<br>- Reduces technical debt<br>- Ensures AI adoption aligns with organizational standards |

Setup Azure DevOps

  1. Use one of your existing organizations or create a new one: Azure DevOps
  2. Create a project:

Depending on the process you choose for the project, you will see different work item types; for example, Agile:


Note

Your project now exists but is empty.

  3. Plan your project. Example plan: Demo_DevSecOps_E2E_Backlog_example

Note

Azure DevOps supports Excel integration via the Azure DevOps Office Integration add‑in.

  • You can export work items (epics, features, user stories) to Excel.
  • You can bulk edit or create work items in Excel (e.g., fill in rows for epics/features/stories).
  • Then you can publish back to Azure DevOps Boards directly from Excel.

For example, let's imagine you have:

  • Azure DevOps project already exists
  • You have Basic access or higher
  • Excel desktop app installed
  • Your .xlsx contains work items (Epics, Features, Stories, Tasks)

Important

  • You must still publish in order:
    • Epics
    • Features
    • User Stories
    • Tasks

Epics, for example:

How-to-create-workitems.mp4

Note

How to add more layers for project management:

Add-more-work-items-template.mp4

Alternatively, import work items from a CSV file in the web portal. Use this only for flat imports (stories only):

  1. Go to Boards → Work Items
  2. Click Import Work Items
  3. Upload CSV
  4. Map fields manually
Validate in Azure DevOps. In the web portal:

  • Go to Boards → Backlogs
  • Toggle Epics / Features / Stories
  • Confirm hierarchy:
        Epic
         └─ Feature
             └─ User Story
                 └─ Task

Azure DevOps: Boards + Pipelines - pricing example

ADO-compare-plans-example.mp4

GHE + VS + GHC setup

This process enables secure, enterprise-managed deployment of GitHub Copilot

  1. Create a GitHub account for your organization.

  2. Go to Start your premium free trial, choose an enterprise type, and start a GitHub Enterprise trial (includes Copilot and Advanced Security).

  3. Select the Enterprise Managed Users option.

  4. Enter required organization details and a short code for user management.

  5. Set up Single Sign-On (SSO) with your identity provider. Click here to read the steps: GitHub Enterprise Cloud Enterprise Managed Users - Microsoft Entra ID / Azure AD Single Sign-On (SSO) Integration Guide

  6. Link your Azure subscription for billing (optional during trial). Click here to read the steps: How to link Azure subscription to your GitHub's enterprise account

  7. Add users to the enterprise and assign Copilot seats. Click here to read how: GitHub Copilot Business - Setup Guide

  8. Users install the Copilot extension in their IDE.

  9. Users activate their accounts and Copilot access is enabled automatically.


Setup GitHub Actions + GHAS + GHCQ (CI)

Continuous Integration (CI) is a software development practice where developers frequently integrate their code changes into a shared repository, allowing for automated builds and tests to ensure code quality and functionality.

GitHub Advanced Security - pricing example

GitHub Actions - pricing example

GH-Actions-billing-example.mp4

GitHub Code Quality - pricing example

GH-CodeQuality-billing-example.mp4

  1. Link an existing GitHub repository, or create a new one, with Azure DevOps:

     For example, with a new repo:

     Link-GH-Repo-With_AzureDevOps.mp4

     Example with an existing GitHub repo:

     Existing-GH-repo-with-Azure_DevOps.mp4

  2. Relate work items with either existing history or new work:

     relate-workitems-with-GitHub-History.mp4

Turn on core GHAS features (org → repo baseline)

Why: Code scanning (CodeQL) finds code vulnerabilities; secret scanning prevents credential leaks (pushes can be blocked with Push protection); dependency features surface known CVEs and auto‑PR fixes (Dependabot).

| Scope | Features to Enable | Where to Enable | Value to DevSecOps |
|---|---|---|---|
| Organization | - Code Scanning<br>- Secret Scanning + Push Protection<br>- Dependency Graph + Dependabot Alerts<br>- Security Configurations | Org → Settings → Code security and analysis<br>Org → Settings → Security configurations | - Ensures consistent security baseline across all repos<br>- Shifts security left<br>- Provides supply chain visibility<br>- Reduces manual setup effort |
| Repository | - Code Scanning (CodeQL)<br>- Secret Scanning + Push Protection<br>- Dependency Graph + Dependabot Alerts | Repo → Settings → Code security and analysis | - Provides repo‑specific vulnerability detection<br>- Protects sensitive data<br>- Ensures supply chain security at repo level |

Features include Code Scanning (CodeQL), Secret Scanning + Push Protection, and Dependency Graph/Dependabot alerts.

Org‑level enablement is recommended for consistency and scale.


Repo‑level enablement is useful when org defaults aren’t applied or for exceptions.

Setting-up-GHAS-repo-level-example.mp4

Enable CodeQL code scanning (CI integrated)

How-to-setuop-code-quality.mp4

Tip

Developer pushes code → CI runs → security & quality checks happen automatically:

  • GitHub Actions runs build + tests
  • CodeQL analyzes the code (and workflows)
  • Secret scanning checks for leaked credentials
  • Dependency review checks new libraries
  • Results appear in Security tab
  • Branch protection can block the merge if issues are found

How.agents.review.comment.PR.mp4
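The CI flow in the tip above, written out as one GitHub Actions workflow. This is an added example, not a workflow from the demo repository; it assumes a Node.js application on the `main` branch (adjust the CodeQL `language` matrix and the build commands for other stacks), and the job names are what you would list as required status checks in branch protection so that a failing scan blocks the merge.

```yaml
# Added example workflow (assumed Node.js app on branch main); not from the demo repo.
name: ci-security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  actions: read
  security-events: write  # upload CodeQL results to the Security tab
  pull-requests: write    # let dependency review comment on the PR

jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  codeql:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [javascript-typescript, actions]  # "actions" scans the workflow files themselves
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high       # fail the check when a new dependency carries a high/critical advisory
          comment-summary-in-pr: always
```

Secret scanning and push protection are not workflow steps: they are enabled in the repository or organization settings shown in the table above and run on every push independently of this file.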

Setup Azure Release Pipelines (CD)

Click here to read more about Create your first pipeline. For example, this is how it looks:

Screen.Recording.2026-02-01.164127.mp4
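The overview above has Azure DevOps provisioning the Azure infrastructure; this added multi-stage YAML pipeline (not the demo's own, which uses the classic release UI in the recording) shows the pattern with a what-if preview stage and a deployment stage gated by an environment approval. The service connection `sc-demo-azure`, resource group `rg-demo-devsecops`, Bicep file `infra/main.bicep` and environment `prod` are assumed names.

```yaml
# Added example pipeline; sc-demo-azure, rg-demo-devsecops, infra/main.bicep and "prod" are assumed names.
trigger:
  branches:
    include: [main]
  paths:
    include: ['infra/**']

pool:
  vmImage: ubuntu-latest

variables:
  serviceConnection: sc-demo-azure     # ARM service connection (assumed name)
  resourceGroup: rg-demo-devsecops
  bicepFile: infra/main.bicep

stages:
- stage: Validate
  jobs:
  - job: WhatIf
    steps:
    - task: AzureCLI@2
      displayName: Validate template and preview changes
      inputs:
        azureSubscription: $(serviceConnection)
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          az deployment group validate -g $(resourceGroup) -f $(bicepFile)
          az deployment group what-if -g $(resourceGroup) -f $(bicepFile)

- stage: Deploy
  dependsOn: Validate
  condition: succeeded()
  jobs:
  - deployment: DeployInfra
    environment: prod        # approval check configured on this environment gates the deployment
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self   # deployment jobs do not check out sources by default
          - task: AzureCLI@2
            displayName: Deploy infrastructure
            inputs:
              azureSubscription: $(serviceConnection)
              scriptType: bash
              scriptLocation: inlineScript
              inlineScript: |
                az deployment group create -g $(resourceGroup) -f $(bicepFile) --mode Incremental
```

The approval itself is configured on the `prod` environment in the portal (Pipelines → Environments → Approvals and checks), not in the YAML, so the gate cannot be removed by editing the pipeline file.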

Monitoring + Observability (Telemetry)

  • Observability is particularly useful for diagnosing problems and understanding the root cause of issues.
  • Monitoring helps ensure a system is working correctly and allows problems to be detected and resolved proactively before they become critical. We can say, therefore, that monitoring is a subset of telemetry. It provides deeper monitoring capabilities and a comprehensive understanding of the system.
  • Telemetry is used to collect and transmit data from remote sources, especially in hard-to-reach or hazardous environments. It is commonly used for performance monitoring, asset tracking, and predictive maintenance.

Click here to read more about Centralized Logging Framework - Overview


Refresh Date: 2026-04-06