GitHub Advanced Security for Azure DevOps is now generally available.

Starting today (September 20, 2023), GitHub Advanced Security for Azure DevOps is generally available and can now be enabled by administrators at the organization, project, or repository level.

The highlights, before going into the details below:

  • The same features as GitHub Advanced Security, built into the Azure DevOps user interface

  • No GitHub Enterprise license required

  • Pay-as-you-go pricing without any long-term commitments

  • Billed monthly per active code committer

  • Paid with the same Azure subscription used for other Azure DevOps services

  • Azure Commitment Discount (ACD) and Microsoft Azure Consumption Commitment (MACC) eligible

Why use GitHub Advanced Security?

Remediating code already in production is expensive. A breach can be disastrous. The best (and cheapest) time to find and fix vulnerabilities is during development when developers can design security into the application while changes can still be easily made.

Secret Scanning

Find and manage hard-coded secrets:

  • Proactively identify secrets as early as possible — finds secrets (including Azure secrets) the moment they are pushed to Azure DevOps and immediately notifies developers when they are found.

  • Detect more than 200 token types from more than 100 partners — scans for secret formats provided by secret scanning partners on every commit to your repository.

  • Proactively protect against leaked secrets in your repositories — block secrets found in plain text files from being pushed to Azure DevOps.

Dependency Scanning

Provides visibility into vulnerable and out-of-date open-source dependencies:

  • Automated security alerts — keep your projects secure and up-to-date by monitoring them for vulnerable and out-of-date components.

  • Integrated with the developer workflow — integrates directly into your developer workflow for a seamless experience and faster fixes.

  • Rich vulnerability data — GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database.

Code Scanning

Find and fix vulnerabilities as you code:

  • CodeQL — turns source code into relational data that can be queried for vulnerabilities.

  • Find and fix vulnerabilities fast — uses automated scans to find and fix vulnerabilities before they are merged into your codebase.

  • Community of top security experts — use queries created by a community of world-class security experts.

  • Integrated with the developer workflow — integrate security results directly into your developer workflow for a frictionless experience and faster development.

Integration with Microsoft Defender for DevOps

View all your Advanced Security alerts across all your repos in the Microsoft Defender for Cloud console, giving security teams full visibility into the security posture of pre-production application code.
