We’re excited to announce that GitHub Advanced Security for Azure DevOps is now generally available and is ready for you to use in your own Azure DevOps repos! You can now enable code, secret, and dependency scanning within Azure Repos and take advantage of the new product updates.
Learn how to enable Advanced Security in your Azure Repos >
Thanks to your great feedback, we were able to identify issues and deliver updates that address key improvements since our public preview. You wanted:
- Faster onboarding after registering for Advanced Security
- The ability to enable multiple repos simultaneously
- More upfront clarity in billing
- Better visibility into all enabled repo alerts through a single pane of glass
and we delivered.
Instead of registering to get your organization onboarded to Advanced Security, we’ve done away with the registration process entirely. Any Azure DevOps Project Collection Administrator (PCA) can now enable Advanced Security protections for their orgs/projects/repos through the Azure DevOps configuration settings.
Speaking of enablement experiences, we also addressed that you’d really like an easy way to enable all the repos in a given project or org. During public preview, we provided some PowerShell scripts to help automate bulk-enablement as a workaround, but we acknowledged that you wanted the ability to enable Advanced Security on newly created repos by default. To make this process easier for you, you can now choose to enable Advanced Security at the org or project level as well as the individual repo level, and you can also choose for Advanced Security to be automatically enabled for any future repos you and your teams create.
Because Advanced Security is billed per active committer, we also now show the number of new active committers you would be billed for by enabling Advanced Security for a repo/project/org.
I’ve saved our biggest news for last: another virtually universal feature request we get is for a way for you to view all your Advanced Security alerts across all your repos in a single pane of glass. However, we’ve actually done better than that! Advanced Security is now integrating with Microsoft Defender for Cloud (MDC) to enable you to view all the alerts for all your repos across all your orgs – both Azure DevOps and GitHub – all in a single pane of glass in MDC. This all comes in the free tier of MDC, so it’s no extra cost to you, but you do get some awesome code-to-cloud contextualization capabilities in the paid tier, so please do check that out.
Again, whether you’ve ever signed up for an Advanced Security preview or not, all these new features and all the existing features of Advanced Security (such as code scanning, dependency scanning, and secret scanning) are now ready for you to enable in your own Azure DevOps orgs. We’d love to hear any feedback you have for us by using the Developer Community site. For more information, we’re also hosting a webinar demo and Q&A on October 6, and we’d love to see you there to answer any questions you may have in real time!
Learn more about the GitHub Advanced Security for Azure DevOps Webinar >
To learn more about other upcoming Azure DevOps investments in security and beyond, see https://aka.ms/AzureDevOpsRoadmap.
Are there any plans to support other languages like typescript during code scanning. Seems to only be a few supported at the moment according to the documentation.
Hi Gary, we do currently support TypeScript! Here’s the full list of languages:
– C/C++
– C#
– Go
– Java
– Kotlin
– JavaScript
– Python
– Ruby
– Swift
– TypeScript
– and more are on the way that we’re not ready to name quite yet 🙂 If you have requests for CodeQL language/framework support, please let us know at https://developercommunity.visualstudio.com. Thanks!
https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
Hi Bryan. Been playing around with GHAS at work. Have added it to a few pipelines and it's looking good! I was wondering though if there are plans to introduce true shift left on the code scanning and dependency scanning by incorporating scan results into PRs?
I'd love it if I could set up a policy that blocks any PRs with code scan violations from being able to merge into main. Or at least set up some PR annotations, so the developer and reviewer can see if the code being merged caused any problems. I've done a fair bit of reading...
Hi Jonathan, great to hear you're liking it! Definitely we have plans to shift further left to raise alerts as PR annotations - this is something that GHAS-for-GitHub already does (https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#viewing-an-alert-on-your-pull-request) and we're looking to deliver the same capabilities in GHAzDO by mid-calendar year 2024.
One thing that might help in the meantime is our Powershell script that you can customize for gating builds, including PR validation builds: https://github.com/microsoft/GHAzDO-Resources/tree/main/src/gating. You can set SLAs for different severities; for example, break the build if there are any criticals more than two days old, any highs more than seven days old, etc. You...
Ah that’s interesting, thanks Bryan. I was thinking about whether it was possible to download the SARIF file from the API, copy it to the artifacts and then maybe use the SARIF SAST Scans Tab devops extension to add something to the PR output.
That Powershell script looks like it will be cleaner though and do the job nicely. If I get a bit of time, I’ll give it a go.
Ever since this was deployed I’ve been getting permissions errors with VS2012 clients. I’m receiving TF31003, TF30063, and TF205020 errors. Anyone else receiving this?
I do not have Advanced Security enabled on either my Organization or my Project.
Hi Ben, thanks for reaching out. We don’t think Advanced Security is causing this but we are pulling in more colleagues from Azure DevOps engineering to help investigate. We are working from the info in your Developer Community post, and we’ll keep that thread updated. Thanks again!
Hi Bryan, Thanks for the response. Unfortunately MS has chimed in indicating they will not address this issue. They mentioned this on my community post as well as a much more active one regarding AX 2012 also loosing the ability to connect to Azure DevOps Services.
Do you think you can try to get some more assistance or information? It's very disturbing that we lost this crucial component in our development stack without any advance notice or testing windows.
https://developercommunity.visualstudio.com/t/Login-from-AX2012-R3-Version-Control-not/10461669
https://developercommunity.visualstudio.com/t/TF30063-and-associated-errors-since-920/10473760