GitHub Advanced Security for Azure DevOps adds GitHub Advanced Security's suite of security features to Azure Repos and includes the following features:
- Secret Scanning push protection: check whether code pushes include commits that expose secrets such as credentials
- Secret Scanning repo scanning: scan your repository for exposed secrets that were committed accidentally
- Dependency Scanning: search for known vulnerabilities in open source dependencies (direct and transitive)
- Code Scanning: use the CodeQL static analysis engine to identify code-level application vulnerabilities such as SQL injection and authentication bypass
GitHub Advanced Security for Azure DevOps is available only for Azure DevOps Services, and specifically for Git code repositories.
GitHub Advanced Security for Azure DevOps works with Azure Repos. To use GitHub Advanced Security with GitHub repositories, see GitHub Advanced Security.
Prerequisites
Category | Requirements |
---|---|
Permissions | - To view a summary of all alerts for a repository: Contributor permissions for the repository. - To dismiss alerts in Advanced Security: Project administrator permissions. - To manage permissions in Advanced Security: Member of the Project Collection Administrators group or Advanced Security: manage settings permission set to Allow. |
For more information about Advanced Security permissions, see Manage Advanced Security permissions.
Extra prerequisites for self-hosted agents
If your organization uses self-hosted agents, add the following URLs to your allowlist so the dependency scanning task can fetch vulnerability advisory data. For more information, see Allowed IP addresses and domain URLs.
Domain URL | Description |
---|---|
https://governance.dev.azure.com | For organizations using the dev.azure.com domain to access their DevOps instance |
https://dev.azure.com | For organizations using the dev.azure.com domain to access their DevOps instance |
https://advsec.dev.azure.com | For organizations using the dev.azure.com domain to access their DevOps instance |
https://{organization_name}.governance.visualstudio.com | For organizations using the {organization_name}.visualstudio.com domain to access their DevOps instance |
https://{organization_name}.visualstudio.com | For organizations using the {organization_name}.visualstudio.com domain to access their DevOps instance |
https://{organization_name}.advsec.visualstudio.com | For organizations using the {organization_name}.visualstudio.com domain to access their DevOps instance |
Run a compatible version of the .NET runtime (currently .NET 8.x). If a compatible version isn't present on the agent, the dependency scanning build task downloads .NET.
Ensure the CodeQL bundle is installed to the agent tool cache on your agent. You might utilize the `enableAutomaticCodeQLInstall: true` variable with the `AdvancedSecurity-Codeql-Init@1` pipeline task for YAML pipelines or select the Enable automatic CodeQL detection and installation checkbox for classic pipelines. Alternatively, for manual installation instructions, see Code scanning for GitHub Advanced Security for Azure DevOps.
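A preflight check for the self-hosted agent prerequisites above, as an added example that is not part of the original page: it builds the allowlist URLs from the table for either domain style, tests that each is reachable from the agent, and looks for a .NET 8.x runtime. It assumes a Linux or macOS agent with `curl` installed; the function names and the `contoso` organization name are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are illustrative.

# Print the allowlist URLs from the table above, one per line.
# $1 = organization name, $2 = "dev" (dev.azure.com) or "vs" (visualstudio.com)
advsec_urls() {
  org=$1
  case "$2" in
    dev) printf '%s\n' \
           "https://governance.dev.azure.com" \
           "https://dev.azure.com" \
           "https://advsec.dev.azure.com" ;;
    vs)  printf '%s\n' \
           "https://${org}.governance.visualstudio.com" \
           "https://${org}.visualstudio.com" \
           "https://${org}.advsec.visualstudio.com" ;;
    *)   echo "unknown domain style: $2" >&2; return 2 ;;
  esac
}

# Reads `dotnet --list-runtimes` output on stdin; succeeds if a
# Microsoft.NETCore.App 8.x runtime is listed.
has_dotnet8() {
  grep -Eq '^Microsoft\.NETCore\.App 8\.[0-9]+\.[0-9]+'
}

# Network-level check only: any HTTP response counts as reachable, so a
# proxy that answers with its own block page still passes this test.
reachable() {
  curl --silent --output /dev/null --max-time 10 "$1"
}

preflight() {
  urls=$(advsec_urls "$1" "$2") || return 2
  rc=0
  for url in $urls; do
    if reachable "$url"; then echo "ok      $url"; else echo "BLOCKED $url"; rc=1; fi
  done
  if command -v dotnet >/dev/null 2>&1 && dotnet --list-runtimes | has_dotnet8; then
    echo "ok      .NET 8.x runtime present"
  else
    echo "note    no .NET 8.x runtime; the dependency scanning task will download .NET"
  fi
  return $rc
}

# Runs only when given two arguments, e.g.: ./preflight.sh contoso dev
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means at least one endpoint was unreachable and should be checked against the proxy or firewall allowlist.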
Enable GitHub Advanced Security
You can enable Advanced Security at the organization, project, or repository level. To access each of the scanning tools and results, you need to first enable Advanced Security. Once you enable Advanced Security, any future pushes containing secrets to a repository with this policy enabled are blocked, and repository secret scanning happens in the background.
Repository-level onboarding
- Go to your Project settings for your Azure DevOps project.
- Select Repos > Repositories.
- Select the repository you want to enable Advanced Security for.
- Select Enable and Begin billing to activate Advanced Security. A shield icon now appears in the repository view for any repository with Advanced Security enabled.
Project-level onboarding
- Go to your Project settings for your Azure DevOps project.
- Select Repos.
- Select the Settings tab.
- Select Enable all and see an estimate for the number of active committers for your project appear.
- Select Begin billing to activate Advanced Security for every existing repository in your project.
- Optionally, select Automatically enable Advanced Security for new repositories so that any newly created repositories have Advanced Security enabled upon creation.
Organization-level onboarding
- Go to your Organization settings for your Azure DevOps organization.
- Select Repositories.
- Select Enable all and see an estimate for the number of active committers for your organization appear.
- Select Begin billing to activate Advanced Security for every existing repository in each project in your organization.
- Optionally, select Automatically enable Advanced Security for new repositories so that any newly created projects have Advanced Security enabled upon creation.