GitHub Advanced Security for Azure DevOps brings GitHub's secret scanning, dependency scanning and CodeQL code scanning natively into Azure DevOps and into the developer workflow, so teams can find, triage and fix security issues without leaving Azure Repos and Azure Pipelines, and without sacrificing developer productivity.
It supports shift-left security by detecting vulnerabilities early in development, while the curated analysis queries aim for a low false-positive rate, which keeps triage and remediation cost down.
Stop secret leaks / Secret scanning push protection:
Exposed credentials are implicated in over 80% of security breaches.
Push protection scans each push and rejects it if any of the pushed commits contain a secret, so the secret never reaches the remote repository's history (the commits still exist in the developer's local clone and must be amended or rewritten before pushing again). It is enabled per repository from the Azure DevOps UI with no additional tooling.
Secret scanning: scans the repository, including its full git history, for secrets that were committed accidentally and alerts developers as soon as they are found. A secret that has already been pushed must be treated as compromised: revoke and rotate it first, then remove it from the history.
More than 200 token types from over 100 partners: for every commit in the repository and its full git history, secret scanning looks for the secret formats of the secret scanning partners.
Secure your software supply chain / Dependency scanning: searches open-source dependencies, both direct and transitive, for known vulnerabilities and gives straightforward remediation guidance (which component reference to update, and to which version) so issues can be fixed in minutes. It runs as the AdvancedSecurity-Dependency-Scanning task in an Azure Pipelines job.
Prevent vulnerabilities while you write code / CodeQL code scanning (SAST): CodeQL is a static analysis engine that finds and helps you fix vulnerabilities in application code. In Azure DevOps it runs in a pipeline: the AdvancedSecurity-Codeql-Init task sets up the analysis, the code is then built (with AdvancedSecurity-Codeql-Autobuild or your own build steps), and AdvancedSecurity-Codeql-Analyze runs the queries and publishes the resulting alerts to the repository.
CodeQL supports both compiled and interpreted languages and can find vulnerabilities and errors in code written in the supported languages:
C/C++, C#, Go, Java, JavaScript/TypeScript, Kotlin (beta), Python, Ruby and Swift (check the CodeQL supported-languages page for the current list, since it changes between releases).
GitHub experts, security researchers and community contributors write and maintain the default CodeQL queries used for code scanning. These queries are updated regularly to improve analysis and reduce false positives, and they are open source, so you can view and contribute to them in the github/codeql repository.
Enable GitHub Advanced Security and secret scanning:
Project Settings > Repositories > select the repository > Settings tab > toggle "Advanced Security" and "Block secrets on push". Enabling Advanced Security starts secret scanning of the repository; code scanning and dependency scanning additionally require the Advanced Security tasks in a pipeline.
Default permissions and access levels:
Azure DevOps group                 | Default permissions
Contributors                       | Advanced Security: read alerts
Project administrator              | Advanced Security: read alerts, manage and dismiss alerts
Project collection administrator   | Advanced Security: read alerts, manage and dismiss alerts, manage settings
Manage Advanced Security permissions:
Project Settings > Repositories > select the repository > Security tab > select the security group or user whose permissions you want to adjust, then set the three Advanced Security permissions (read alerts; manage and dismiss alerts; manage settings). Keep "manage and dismiss alerts" limited to the people who review findings, since dismissing an alert removes it from the open list.
Manage code scanning alerts:
Viewing alerts for a repository:
Anyone with contributor permissions on a repository can view a summary of all its alerts in the Advanced Security tab under Repos. The view has separate tabs for secret scanning, dependency scanning and code scanning alerts; select the Code scanning tab to see the code scanning alerts.
Select an alert for details and remediation guidance: each alert shows the affected location (file and line), a description of the issue, an example of vulnerable and fixed code, and the severity.
Dismissing code scanning alerts:
Dismissing an alert requires the "manage and dismiss alerts" permission; by default only project administrators (and project collection administrators) have it.
A dismissal applies only to the branch you selected. Other branches that contain the same vulnerability stay active until the alert is dismissed there as well, and a dismissed alert can be reopened manually at any time. Record the reason for each dismissal (for example false positive, or risk accepted) so the decision can be audited later.
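The alert view and the per-branch dismissal rule above can also be worked through the Advanced Security REST API. The script below is an added example, not code from this page or from Microsoft: it loads the alerts for a repository, summarises the open ones by type and severity, and flags findings that were dismissed on one branch while still active on another, which is exactly the gap a reviewer should check after a triage pass. The endpoint URL, api-version and JSON field names (alertId, alertType, severity, state, title, gitRef) are assumptions to be checked against the Advanced Security alerts API reference on Microsoft Learn; SAMPLE_ALERTS is constructed test data.

```python
"""Triage GitHub Advanced Security alerts for an Azure DevOps repository.

Added example; not code from the page or from Microsoft. The endpoint,
api-version and JSON field names are assumptions based on the Advanced
Security "Alerts - List" REST API and should be verified against Microsoft
Learn before use. SAMPLE_ALERTS is constructed test data.
"""
import base64
import json
import urllib.request
from collections import Counter, defaultdict

# Assumed endpoint of the Advanced Security alerts API (verify api-version).
ALERTS_URL = ("https://advsec.dev.azure.com/{org}/{project}/_apis/alert/"
              "repositories/{repo}/alerts?api-version=7.2-preview.1")


def fetch_alerts(org, project, repo, pat):
    """Fetch all alerts for a repository using a PAT that has the
    Advanced Security read scope (Basic auth, empty user name)."""
    url = ALERTS_URL.format(org=org, project=project, repo=repo)
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


# Constructed sample in the assumed response shape. Alert 1 was dismissed on
# the feature branch but is still active on main: dismissal is per branch.
SAMPLE_ALERTS = [
    {"alertId": 1, "alertType": "code", "severity": "high", "state": "active",
     "title": "SQL query built from user-controlled sources",
     "gitRef": "refs/heads/main"},
    {"alertId": 1, "alertType": "code", "severity": "high", "state": "dismissed",
     "title": "SQL query built from user-controlled sources",
     "gitRef": "refs/heads/feature/login"},
    {"alertId": 2, "alertType": "secret", "severity": "critical", "state": "active",
     "title": "Azure Storage Account Access Key", "gitRef": "refs/heads/main"},
    {"alertId": 3, "alertType": "dependency", "severity": "medium", "state": "active",
     "title": "Vulnerable package: lodash 4.17.15", "gitRef": "refs/heads/main"},
    {"alertId": 4, "alertType": "dependency", "severity": "medium", "state": "fixed",
     "title": "Vulnerable package: minimist 1.2.0", "gitRef": "refs/heads/main"},
    {"alertId": 5, "alertType": "code", "severity": "low", "state": "dismissed",
     "title": "Log injection", "gitRef": "refs/heads/main"},
]


def open_alerts(alerts):
    """Alerts that still need action: state 'active' (not 'dismissed' or 'fixed')."""
    return [a for a in alerts if a["state"] == "active"]


def summarize(alerts):
    """Count open alerts by alert type and severity, e.g. {'secret': {'critical': 1}}."""
    counts = defaultdict(Counter)
    for a in open_alerts(alerts):
        counts[a["alertType"]][a["severity"]] += 1
    return {t: dict(c) for t, c in counts.items()}


def finding_key(alert):
    # Coarse identity of a finding across branches (assumed fields). Add the
    # physical location (file path, line) if your alert payload carries it.
    return (alert["alertType"], alert["title"])


def dismissed_but_active_elsewhere(alerts):
    """Findings dismissed on one branch that are still active on another.
    Because a dismissal in Advanced Security only covers the selected branch,
    these are the alerts a reviewer must revisit on the other branches."""
    refs = defaultdict(lambda: {"active": set(), "dismissed": set()})
    for a in alerts:
        if a["state"] in ("active", "dismissed"):
            refs[finding_key(a)][a["state"]].add(a["gitRef"])
    gaps = []
    for (alert_type, title), r in refs.items():
        if r["dismissed"] and r["active"]:
            gaps.append({"alertType": alert_type, "title": title,
                         "dismissed_refs": sorted(r["dismissed"]),
                         "active_refs": sorted(r["active"])})
    return gaps


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with fetch_alerts(org, project, repo, pat) for live data.
    print(json.dumps(summarize(SAMPLE_ALERTS), indent=2))
    for g in dismissed_but_active_elsewhere(SAMPLE_ALERTS):
        print(f"{g['alertType']}: {g['title']} dismissed on {g['dismissed_refs']} "
              f"but still active on {g['active_refs']}")
```

Run it as-is to see the summary over the constructed data; for a real repository, swap SAMPLE_ALERTS for the result of fetch_alerts and use a PAT scoped to Advanced Security read only, since listing alerts (especially secret scanning alerts, whose titles name the credential type) is sensitive on its own.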
Some useful links:
GitHub Advanced Security for Azure DevOps (microsoft.com)
Configure GitHub Advanced Security for Azure DevOps features - Azure Repos | Microsoft Learn
Permissions for GitHub Advanced Security for Azure DevOps - Azure Repos | Microsoft Learn
Supported languages and frameworks — CodeQL (github.com)