Orca has launched an integration with Azure DevOps Repos that lets security organizations easily enable scanning of source code for vulnerabilities, Infrastructure-as-Code problems, and secrets, in the same way that Orca’s Shift Left Security solution already integrates with GitHub and GitLab repositories. This reduces the burden of implementing shift-left scanning for security teams and efficiently reduces the number of flaws that make it into the cloud.

Introducing Orca’s new integration with Azure DevOps

Traditional shift-left scanning has been accomplished by embedding a command line (CLI) tool in every pipeline definition. This approach can be difficult to implement as it requires DevOps teams to modify every pipeline. Organizations have found that this introduces a great deal of friction and, ultimately, makes it more difficult to ensure that all projects are covered.

Orca’s new integration allows security teams—after authenticating once to the Azure DevOps organization—to centrally manage the policies applied to repos, both currently existing ones and new repos that are created. Main branches are automatically scanned and baselined; then, when new pull requests are created, they are, by default, scanned only for new problems created by changes in the code base—this keeps developers focused on the problems they’re working on rather than penalizing them for every alert in the repo. Orca has found this approach to be three times as popular with customers already using our GitHub App when compared with more traditional approaches.

Automation and visibility for security teams

For security teams, this new integration enables automatic scanning of code for all important projects without the burden of convincing DevOps to implement a configuration per repo or pipeline. Policies can be set to block pull requests for high severity problems. Finally, security teams can see the state of all repos at a glance in the Code Security dashboard.

Improved experience for developers 

For developers, problems are surfaced with context where they’re already working and in a process they’re deeply familiar with. Security issues appear in their pull request just as a more traditional test or linting failure would; additionally, the code is annotated to show the specific issue and how to address it. The integration improves the developer experience while infusing security seamlessly into existing workflows.

About the Orca Cloud Security Platform

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Kubernetes, Oracle Cloud, and Alibaba Cloud. Leveraging its patented SideScanning™ Technology, the Orca Platform detects vulnerabilities, misconfigurations, malware, lateral movement, data risks, API risks, overly permissive identities, and much more.

Orca also offers a comprehensive Shift Left Security solution, which includes Software Composition Analysis (SCA), Secrets Detection, Infrastructure as Code (IaC) Security, Source Code Management Posture Management (SCM-PM), and more. It provides deep integrations with GitHub, GitLab, Snyk, and Azure DevOps Repos to unify security across the application lifecycle.

Learn More

Interested in seeing Orca’s integration with Azure DevOps Repos? Schedule a personalized 1:1 demo, and we’ll demonstrate the capabilities and benefits.