Security vulnerabilities don’t fix themselves. Someone needs to track them, prioritize them, and actually ship the fix. If you’ve ever tried to manage security alerts alongside your regular sprint work, though, you know the friction: you’re looking at an alert in one tab, switching to your backlog in another, trying to remember which vulnerability you were supposed to file a bug for.
We shipped work item linking for GitHub Advanced Security for Azure DevOps alerts to fix this. It’s now generally available and it does exactly what it sounds like: you can link work items in Boards directly to security alerts. Note that this only works for Advanced Security alerts in Azure DevOps.
The problem we see
Security alerts live in the Advanced Security hub while sprint planning happens in Boards. Teams end up with lost context (which alerts have owners?) and visibility gaps (is anyone actually working on this vulnerability?).
When your security team asks “is someone fixing this?” and your engineering team asks “which alert was this bug tracking again?”, visibility becomes your bottleneck.
How it works
You can link from either direction: from an alert to a work item, or from a work item to an alert. Once linked, you can navigate back and forth with one click when you need context.
You’ll also see which alerts have a linked work item in the repository’s Advanced Security tab: