Hi, I'm Nicholas 👋

I'm a Senior Platform Engineer


GitHub Advanced Security for Azure DevOps


This post looks at integrating GitHub Advanced Security with Azure DevOps. As more and more organisations move to the cloud, security has become a top concern for many developers. That’s why GitHub has introduced Advanced Security for Azure DevOps. This post is written on behalf of Azure Back to School 2023.

This new feature allows you to integrate GitHub’s security features into your Azure DevOps workflow, making it easier than ever to secure your applications.

GitHub Advanced Security for Azure DevOps includes a range of features, including:

Enable Advanced Security for Azure DevOps

To get started with GitHub Advanced Security for Azure DevOps, enable the features in your Azure DevOps organisation repository. From there, you can use it to scan your code, monitor your dependencies, and stay on top of security advisories.

Scanning Azure DevOps Pipeline with GitHub Advanced Security

To scan your Azure DevOps pipeline with GitHub Advanced Security, you’ll need to add a new step to your pipeline. This step will run the GitHub Advanced Security scanner on your code and provide you with a report of any vulnerabilities it finds. I will show you an example of how to use it in your pipeline.
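A pipeline of the kind described above, as an added example (it is not the author's original pipeline). The trigger branch, agent image and the `csharp` language value are assumptions; the task names are the Advanced Security tasks for Azure Pipelines.

```yaml
# Added example: Azure Pipelines YAML running the Advanced Security tasks.
# Assumptions (not from the post): trigger branch, agent image, and the
# 'csharp' language value. Adjust them to your repository.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # Initialise CodeQL before any build step so it can observe compilation.
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: Initialise CodeQL
    inputs:
      languages: 'csharp'

  # Build compiled languages; replace with your own build steps if
  # autobuild cannot work out how to build the project.
  - task: AdvancedSecurity-Codeql-Autobuild@1
    displayName: Autobuild

  # Dependency scanning: reports vulnerable open-source packages.
  - task: AdvancedSecurity-Dependency-Scanning@1
    displayName: Dependency scanning

  # Run the CodeQL queries and publish the code scanning results.
  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: CodeQL analysis
```

Secret scanning needs no pipeline task; it runs against the repository once Advanced Security is enabled for it.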

You can insert the AdvancedSecurity task from the classic editor as well.

Results

Once you’ve added the task to your pipeline, you can run it and view the results in the GitHub Advanced Security dashboard. The dashboard will show you a list of all the vulnerabilities, covering dependencies, code scanning, and secret scanning. The dependency vulnerabilities are shown below.

To resolve the vulnerabilities, you can fix them manually or automatically. The fixer will create a pull request with the fixes and assign it to you for review. An example of the vulnerability is shown below, with instructions on how to fix it.

For more information, you can view the video below.

Conclusion

Overall, GitHub Advanced Security for Azure DevOps is a powerful tool that can help developers strengthen their security posture and protect their applications from threats. I have shown you how to enable the feature and scan your code to resolve vulnerabilities. In this post, I have demonstrated how easily you can integrate GitHub Advanced Security with Azure DevOps to detect dependency, code scanning, and secret scanning vulnerabilities. I only showed the dependency issues, but the code scanning and secret scanning results are similar.
