Security vulnerabilities don’t fix themselves. Someone needs to track them, prioritize them, and actually ship the fix. If you’ve ever tried to manage security alerts alongside your regular sprint work, though, you know the friction: you’re looking at an alert in one tab, switching to your backlog in another, trying to remember which vulnerability you were supposed to file a bug for.

We shipped work item linking for GitHub Advanced Security for Azure DevOps alerts to fix this. It’s now generally available and it does exactly what it sounds like: you can link work items in Boards directly to security alerts. Note that this only works for Advanced Security alerts in Azure DevOps.

The problem we see

Security alerts live in the Advanced Security hub while sprint planning happens in Boards. Teams end up with lost context (which alerts have owners?) and visibility gaps (is anyone actually working on this vulnerability?).

When your security team asks “is someone fixing this?” and your engineering team asks “which alert was this bug tracking again?”, visibility becomes your bottleneck.

How it works

You can link from either direction: from an alert to a work item, or from a work item to an alert. Once linked, you can navigate back and forth with one click when you need context.

You’ll also see which alerts have a linked worked item in the repository’s Advanced Security tab:

Try it out

Open an alert in your Advanced Security hub and click “Add” next to the Related Work section to link it to a work item.

Or go the other way and create a work item, then link it to an alert by selecting “Advanced Security Alert” as the link type.

Once you’ve linked them, you can always jump between the alert and its work item when you need context.

If you’re already using GitHub Advanced Security for Azure DevOps, start linking today. The integration respects your existing permissions so you can only link alerts and work items you have access to.

This is part of a broader effort to make security workflows native to Azure DevOps. We recently shipped one-click enablement for dependency scanning that eliminates pipeline edits and added more flexibility for project and organization-level enablement settings. More coming.

Have feedback? Let us know.

Try it today: Link work items to Advanced Security alerts | Learn more about GitHub Advanced Security for Azure DevOps