Azure DevOps Security - Code Scanning Recommendations
Azure Dev Ops Code Recommendations
Query
securityresources
| where type == "microsoft.security/assessments/subassessments"
| where tostring(properties.id) != ""
| extend category=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.category), dynamic(null)))
| where category == "Code" or category == 'Infrastructure as Code'
| extend severity=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.severity), dynamic(null)))
| extend severitySort = iff(severity == "Critical", 4, iff (severity == "High", 3, iff(severity == "Medium", 2, iff(severity == "Low", 1, 0))))
| extend subAssessmentName=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.displayName), dynamic(null))),
description=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.description), dynamic(null))),
status=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.code), dynamic(null))),
statusDescription=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.description), dynamic(null))),
resourceDetails=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.resourceDetails), dynamic(null))),
timeGenerated=(iff(type == "microsoft.security/assessments/subassessments", todatetime(properties.timeGenerated), dynamic(null))),
additionalData=(iff(type == "microsoft.security/assessments/subassessments", (properties.additionalData),dynamic(null))),
ToolName=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.ToolName), dynamic(null))),
RuleId=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.RuleId), dynamic(null))),
RuleDescription=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.RuleDescription), dynamic(null))),
RepositoryUri=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.RepositoryUri), dynamic(null))),
File=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.File), dynamic(null))),
Line=(iff(type == "microsoft.security/assessments/subassessments", tostring(properties.additionalData.data.Line), dynamic(null)))
| project timeGenerated, severitySort, category, resourceDetails, subAssessmentName, description, severity, status, additionalData, statusDescription, ToolName, RuleId, RuleDescription,RepositoryUri, File,LineAbout this query
Explanation
This KQL query is designed to extract and list security recommendations related to code and infrastructure as code from Azure DevOps. It focuses on identifying potential security issues within code repositories by analyzing data from Microsoft Defender for Cloud.
Here's a simplified breakdown of what the query does:
-
Data Source: It retrieves data from
securityresourceswhere the type is "microsoft.security/assessments/subassessments". This indicates that it's looking at detailed security assessments. -
Filtering: The query filters the results to only include those related to "Code" or "Infrastructure as Code" categories. This ensures that only relevant security recommendations are considered.
-
Severity Sorting: It assigns a numerical value to the severity levels (Critical, High, Medium, Low) to facilitate sorting, with Critical being the highest priority.
-
Data Extraction: The query extracts various details about each security recommendation, including:
- The name and description of the sub-assessment.
- The severity and status of the issue.
- Additional data like the tool used for scanning, rule ID, and rule description.
- Repository details such as the URI, file name, and line number where the issue was found.
-
Output: The final output is a structured list of security recommendations, sorted by severity, and includes detailed information to help developers and security teams address the identified issues.
This query can be run in Azure Resource Graph Explorer or Defender XDR Advanced Hunting to provide insights into security vulnerabilities in code and infrastructure managed through Azure DevOps.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators