
Expand IaC security scanning and explore Defender for Cloud integration #19

@arnaudlh

Description


The manifesto describes Defender for Cloud as the binding layer connecting repos to deployed resources. Research shows git-ape already covers most scanning via Template Analyzer + SARIF upload. This issue tracks two tracks: an immediate quick-win and a longer-term enterprise integration.

Current state (already implemented)

  • microsoft/security-devops-action@v1 with templateanalyzer in plan + deploy workflows.
  • SARIF uploaded to GitHub Security tab (public repos; fails silently on private without GHAS).
  • Agent-side blocking security gate via azure-security-analyzer skill + Azure MCP bestpractices.

Track A: Expand IaC scanning tools (quick win)

  • Enable checkov,trivy alongside templateanalyzer in existing workflows — a one-line tools: parameter change that broadens scanning coverage at zero cost.
  • Build a defender-posture-check skill querying the Assessments REST API post-deployment.
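The defender-posture-check skill named under Track A could be built on the Defender for Cloud assessments list API. The following is an added example, not git-ape's code: it assumes api-version 2020-01-01 of the Microsoft.Security assessments API and an ARM bearer token obtained outside the script, and the gate logic is evaluated on a constructed sample response so it runs offline.

```python
"""Post-deployment posture check against Defender for Cloud assessments (added example,
not git-ape's code). Assumes the Microsoft.Security assessments list API,
api-version 2020-01-01; the gate logic is pure so it runs offline on the sample below."""
import json
import urllib.request

API = ("https://management.azure.com{scope}/providers/Microsoft.Security/assessments"
       "?api-version=2020-01-01&$expand=metadata")
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def fetch_assessments(scope: str, token: str) -> dict:
    """GET the assessment list for a scope (e.g. "/subscriptions/<id>/resourceGroups/<rg>").
    token is an ARM bearer token (e.g. from `az account get-access-token`)."""
    req = urllib.request.Request(API.format(scope=scope),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def unhealthy_findings(payload: dict, min_severity: str = "Medium") -> list:
    """(resource id, assessment name, severity) for every Unhealthy assessment
    at or above min_severity, highest severity first."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for item in payload.get("value", []):
        props = item.get("properties", {})
        if props.get("status", {}).get("code") != "Unhealthy":
            continue  # Healthy / NotApplicable never block
        sev = props.get("metadata", {}).get("severity", "Low")
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        findings.append((props.get("resourceDetails", {}).get("Id", "?"),
                         props.get("displayName", item.get("name")), sev))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f[2]])

def posture_gate(payload: dict, min_severity: str = "Medium") -> bool:
    """True when the deployment passes: no Unhealthy finding at the threshold."""
    return not unhealthy_findings(payload, min_severity)

# Constructed sample in the shape of the list API response; no network needed.
RG = "/subscriptions/x/resourceGroups/rg/providers/"
SAMPLE = {"value": [
    {"name": "a1", "properties": {"displayName": "Storage should use private link",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "Medium"},
     "resourceDetails": {"Id": RG + "Microsoft.Storage/storageAccounts/st1"}}},
    {"name": "a2", "properties": {"displayName": "Secure transfer should be enabled",
     "status": {"code": "Healthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"Id": RG + "Microsoft.Storage/storageAccounts/st1"}}},
    {"name": "a3", "properties": {"displayName": "Key Vault should have purge protection",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"Id": RG + "Microsoft.KeyVault/vaults/kv1"}}}]}
```

In a workflow step, call fetch_assessments with the deployed resource group as the scope and fail the job when posture_gate returns False; the severity threshold is the knob the skill would expose.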

Track B: Defender for Cloud enterprise integration (optional)

  • Document GitHub connector setup in onboarding guide.
  • Requires org-level GitHub App install (Portal-only, not CLI-automatable), Defender CSPM ($5.11/resource/month), and GHAS for private repos.
  • Position as enterprise add-on, not core pipeline requirement.

Open questions

  • Is centralized Defender dashboard a priority for v1 audience?
  • Should connector setup live in onboarding skill or separate enterprise docs?
  • PR annotations are primarily Azure DevOps — GitHub uses PR comments (already implemented).

Acceptance Criteria

  • Checkov and Trivy enabled in plan + deploy workflows.
  • defender-posture-check skill queries Assessments API post-deployment.
  • Defender for Cloud GitHub connector setup documented for enterprises.
  • GHAS requirement for private repos documented.
