Microsoft has announced the general availability of GitHub Advanced Security for Azure DevOps. The announcement follows the initial introduction of the security features in October 2022 and a public preview in May. The service is designed to bolster the Azure DevOps environment by providing developers with tools such as secret scanning, dependency scanning, and CodeQL code scanning. It is intended to let developer, security, and operations (DevSecOps) teams prioritize innovation and developer productivity without sacrificing security.
Enhancements Based on Developer Feedback
GitHub Advanced Security for Azure DevOps includes the following features:
- Secret scanning: Scans your code for secrets, such as API keys, passwords, and tokens, and alerts you when they are found.
- Code scanning: Scans your code for security vulnerabilities using CodeQL, GitHub's static analysis engine.
- Dependency scanning: Scans your dependencies for known vulnerabilities and alerts you when they are found.
- Security alerts: Provides actionable security alerts in your Azure DevOps pipelines and dashboards.
Since the public preview, Microsoft has been gathering feedback from the developer community and has made several changes in response. One significant change is the removal of the special registration requirement for the services. According to Microsoft, “Any Azure DevOps Project Collection Administrator (PCA) can now enable Advanced Security protections for their orgs/projects/repos through the Azure DevOps configuration settings.” To streamline the process, Advanced Security can now be activated at the organization, project, or individual repository level. There is also an option to have Advanced Security automatically enabled for any newly created repositories.
Integration with Microsoft Defender for Cloud
Another noteworthy feature is the integration of Advanced Security with Microsoft Defender for Cloud (MDC). This integration aims to provide developers with a consolidated view of all Advanced Security alerts across their repositories, whether on Azure DevOps or GitHub, all through a single MDC interface. While this feature is accessible at no additional cost, those who opt for the paid version will gain access to enhanced code-to-cloud contextualization capabilities.
Upcoming Webinar for Developers
To assist developers and address any remaining questions, Microsoft has scheduled a webinar demo and Q&A session on October 4. It will give developers an opportunity to gain a deeper understanding of the new features and how best to use them in their Azure DevOps organizations.