Share via

Defender for Cloud - DevOps security - Configure Pipelines (Step 2) - Completion status?

Mihai Iancu 0 Reputation points
2025-07-04T19:30:53.01+00:00

Hi,

I've run into an issue where the status for step 2 ( Configure pipelines) under Microsoft Defender for Cloud | DevOps security seems to be stuck in some sort of error ( missing my green check on step 2).

Double-checked all my pre-requisites but the tested vulnerabilities / code findings don't show up under DevOps Security Overview:

  • extensions installed in Azure DevOps org ( ex . SARIF SAST Scans Tab)
  • msdo.sarif gets published as an Artifact.
  • All job tasks show completed successfully

2025-06-19T14:45:44.0102515Z Uploaded 4,536 out of 4,536 bytes.

2025-06-19T14:45:44.0102662Z Associating files

2025-06-19T14:45:44.0102814Z Total files: 1 ---- Associated files: 0 (0%)

2025-06-19T14:45:44.2202081Z File upload succeed.

2025-06-19T14:45:44.2202351Z Upload '/home/x/azp-agent/_work/2/a/.gdn/msdo.sarif' to file container: '#/72749115/CodeAnalysisLogs'

2025-06-19T14:45:44.2202557Z Associated artifact 30 with build 35

2025-06-19T14:45:44.2202739Z ##[section]Async Command End: Upload Artifact

2025-06-19T14:45:44.2204170Z ##[section]Finishing: Microsoft Security DevOps

Is there a tutorial / workshop on how to run a quick PoC on Defender for Cloud - DevOps Security with Azure DevOps? Ideally I would want to demo an Azure DevOps dashboard as well based on findings from the different scans ...

Thank you,

Mihai

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anas Younis 0 Reputation points
    2025-07-04T20:44:45.36+00:00

    Hi Mihai,

    You're not alone—step 2 getting stuck without the green check in Microsoft Defender for Cloud (DevOps Security) has tripped up a few setups. From what you've shared, it looks like your SARIF file is uploading correctly, but it's not being associated with any findings, which could explain why no results are showing in the dashboard.

    A few things to check:

    1. File Association (0%) – This is key. Even though the file was uploaded, the "Associated files: 0" message suggests the SARIF output isn’t being linked properly. Make sure the SARIF format is valid and that the paths inside it match the repository structure (relative paths are especially important).

    Ensure correct build pipeline association – Defender for DevOps needs to associate the SARIF findings with the correct repo and commit. Double-check that your build pipeline includes the correct codeql or msdo tasks and that the pipeline is connected to the monitored repository.

    Enable policies in Defender for Cloud – Under Environment Settings > DevOps > Project, ensure policies are enabled to ingest and surface results.

    As for your PoC and dashboard demo, Microsoft provides a Quickstart guide that walks through setting up DevOps integration step-by-step. You might also find this Microsoft Learn module on Defender for DevOps useful for demo purposes.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.