{"id":71146,"date":"2025-08-04T09:17:37","date_gmt":"2025-08-04T17:17:37","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71146"},"modified":"2025-08-04T09:17:37","modified_gmt":"2025-08-04T17:17:37","slug":"automate-your-open-source-dependency-scanning-with-advanced-security","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/automate-your-open-source-dependency-scanning-with-advanced-security\/","title":{"rendered":"Automate your open-source dependency scanning with Advanced Security"},"content":{"rendered":"<p>Any experiences that require additional setup is cumbersome, especially when there are multiple people needed. In GitHub Advanced Security for Azure DevOps, we&#8217;re working to make it easier to enable features <em>and<\/em> scale out enablement across your enterprise.<\/p>\n<p>You can now automatically inject the dependency scanning task into any pipeline run targeting your default branch. This is a quick way to ensure that your production code (and any code being merged into your production branch) are evaluated for open-source dependency vulnerabilities.<\/p>\n<h2>Enabling one-click dependency scanning for your repository<\/h2>\n<p>You&#8217;ll need to have the Advanced Security: manage settings permission to make changes to your repository&#8217;s Advanced Security enablement. Navigate to a specific repository&#8217;s settings page: <strong>Project settings<\/strong> > <strong>Repositories<\/strong> > Select your repository.<\/p>\n<p>If you&#8217;re using the standalone products, you first need Code Security enabled. Then, navigate to <strong>Options<\/strong> and confirm your selection of <strong>Dependency alerts default setup<\/strong>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options.png\"><img decoding=\"async\" width=\"1720\" height=\"912\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options.png\" alt=\"Advanced Security repository options for Code Security plan\" class=\"alignnone size-full wp-image-71151\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options.png 1720w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options-300x159.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options-1024x543.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options-768x407.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-05-28-15_48_55-advsec-repository-settings-code-security-options-1536x814.png 1536w\" sizes=\"(max-width: 1720px) 100vw, 1720px\" \/><\/a><\/p>\n<p>If you&#8217;re using the bundled Advanced Security, enable the checkbox to <strong>Scan default branch for vulnerable dependencies<\/strong>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-02-24-14_20_55-Clipboard.png\"><img decoding=\"async\" width=\"965\" height=\"373\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-02-24-14_20_55-Clipboard.png\" alt=\"Advanced Security repository enablement options\" class=\"alignnone size-full wp-image-71150\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-02-24-14_20_55-Clipboard.png 965w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-02-24-14_20_55-Clipboard-300x116.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/2025-02-24-14_20_55-Clipboard-768x297.png 768w\" sizes=\"(max-width: 965px) 100vw, 965px\" \/><\/a><\/p>\n<h2>Receiving results from dependency scanning<\/h2>\n<p>Upon the next execution of a pipeline run targeting your repository&#8217;s default branch, the Advanced Security dependency scanning task will be injected near the end of your pipeline. Dependency scanning completes evaluation of your dependencies and any associated vulnerabilities within a few minutes. For repositories where you may not have consistent CI\/CD running, we recommend scheduled pipeline runs.<\/p>\n<p>If the task is already in your pipeline or you&#8217;ve set up your pipelines to skip the dependency scanning task via the <code>DependencyScanning.Skip: true<\/code> environment variable, the injected task will be skipped. The environment variable is a great option if there are certain pipelines you don&#8217;t want to include in your scanning surface area. Alternatively, if there are certain pipeline jobs you wish to skip automated scanning in, you can also set the pipeline variable <code>dependencyScanningInjectionEnabled<\/code> to false.<\/p>\n<p>Upon successful execution of the task, results are uploaded to Advanced Security and available in the <strong>Repos<\/strong> > <strong>Advanced Security<\/strong> tab for developers to fix any findings.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies.png\"><img decoding=\"async\" width=\"1285\" height=\"804\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies.png\" alt=\"Advanced Security dependency scanning alerts in repository\" class=\"alignnone size-full wp-image-71158\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies.png 1285w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies-300x188.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies-1024x641.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/05\/advsec-alerts-dependencies-768x481.png 768w\" sizes=\"(max-width: 1285px) 100vw, 1285px\" \/><\/a><\/p>\n<p>You can also use this to easily set up pull request annotations for dependency scanning. If you have a build validation policy configured for your repository, dependency scanning will also automatically inject into any pull requests that target your default branch. Annotations for new findings appear directly on your pull request after you&#8217;ve scanned your default branch at least once, while any findings that exist in both branches will show up in the Advanced Security tab as well.<\/p>\n<h2>Next steps<\/h2>\n<p>Give this feature a try! Our team is also working on more experiences to smooth out the enablement process across Advanced Security. Have any feedback? Please share that with us directly or on <a href=\"https:\/\/developercommunity.visualstudio.com\/AzureDevOps\">Developer Community<\/a>.<\/p>\n<p>Learn more about <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/repos\/security\/configure-github-advanced-security-features\">Advanced Security<\/a> and <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/repos\/security\/github-advanced-security-dependency-scanning?view=azure-devops\">dependency scanning<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Any experiences that require additional setup is cumbersome, especially when there are multiple people needed. In GitHub Advanced Security for Azure DevOps, we&#8217;re working to make it easier to enable features and scale out enablement across your enterprise. You can now automatically inject the dependency scanning task into any pipeline run targeting your default branch. [&hellip;]<\/p>\n","protected":false},"author":177424,"featured_media":71181,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,249,251],"tags":[],"class_list":["post-71146","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-open-source","category-security"],"acf":[],"blog_post_summary":"<p>Any experiences that require additional setup is cumbersome, especially when there are multiple people needed. In GitHub Advanced Security for Azure DevOps, we&#8217;re working to make it easier to enable features and scale out enablement across your enterprise. You can now automatically inject the dependency scanning task into any pipeline run targeting your default branch. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/177424"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71146"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71146\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71181"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}