GitHub Advanced Security Generally Available for Azure DevOps

Microsoft announced the general availability of GitHub Advanced Security for Azure DevOps, allowing users to integrate code, secret, and dependency scanning into their Azure Repos and benefit from the latest updates. Key improvements were made based on user feedback during the public preview, including faster onboarding, simultaneous enabling of multiple repositories, transparent billing information, and enhanced visibility into enabled repo alerts.

The streamlined onboarding for Advanced Security enables Azure DevOps Project Collection Administrators to directly enable protections for their organizations, projects, and repositories via the Azure DevOps configuration settings.

 

[Figure: GitHub Advanced Security UI]

[Figure: Repository level onboarding]

 

Users can now activate Advanced Security for multiple repositories simultaneously and gain clear insights into billing, including the display of the estimated number of new active committers for accurate billing. Additionally, users can opt to automatically enable Advanced Security for future repositories, simplifying the process further.

GitHub Advanced Security provides features aimed at helping organizations and developers identify, protect against, and respond to security threats in their code repositories and software development lifecycle. The key features of GitHub Advanced Security are:

  • Code Scanning: identifies possible code errors or security vulnerabilities in the repository and then lets users triage and prioritize fixes for existing problems. Scans can be scheduled for specific days and times or triggered when certain events occur in the code.
  • Secret Scanning: identifies secrets or tokens embedded in the code. It scans the entire repository (every branch), and it also scans titles, descriptions, and comments on open and closed historical issues.
  • Dependency review: this feature analyzes dependency changes and the security impact of these changes on every pull request and visualizes this information for the user.

GitHub Advanced Security is now integrated with Microsoft Defender for Cloud (MDC), enabling users to access all alerts for their repositories across both Azure DevOps and GitHub, all from a single dashboard within MDC. This integration offers a comprehensive view of alerts and contextualization capabilities without incurring extra costs, while the paid tier of MDC offers additional code-to-cloud contextualization capabilities.

The roadmap for GitHub Advanced Security is shared in the GitHub public roadmap.

Possible alternatives to GitHub Advanced Security include GitLab application security and Veracode, but these two alternatives are not fully integrated with Azure DevOps.
