Aaron Hallberg

In October of last year we announced that GitHub Advanced Security was coming to Azure DevOps, starting with a private preview in November. Since then, we’ve been working hard on the product and incorporating feedback from our private preview customers. Today, we are excited to announce that GitHub Advanced Security for Azure DevOps is available to everyone in a public preview! Sign up for the preview, and we’ll do our best to get your Azure DevOps organization(s) enabled as soon as possible.

As a reminder – GitHub Advanced Security for Azure DevOps brings the same industry-leading developer security capabilities as GitHub Advanced Security to Azure DevOps, integrated directly into Azure Repos and Azure Pipelines. This includes the same secret scanning, dependency scanning, and CodeQL code scanning capabilities available within GitHub Enterprise.

Secret Scanning: Exposed credentials are implicated in over 50% of security breaches. GitHub Advanced Security for Azure DevOps can not only help you find secrets that have already been exposed in Azure Repos, but also help you prevent new exposures by blocking any pushes to Azure Repos that contain secrets. All with a single click.

[Animation: enabling push protection with one click, then a push being blocked]

We’ve used secret scanning push protection inside Microsoft for years, and it has been a huge help in reducing developer toil. If you only catch a secret once it has already made it into Azure Repos, you have to treat it as compromised: deleting the commit or rewriting history is not enough, because anyone who fetched in the meantime may already have a copy. The only way to really be safe is to rotate that secret everywhere it’s used and then permanently revoke the old value. Depending on how widely the secret is used, this could be days of effort and stress; if you miss rotating the secret in just one of the places it’s used, you could cause a live site outage! On the other hand, if you block the secret exposure at push time, before it’s persisted in Azure Repos, it’s a five-minute job to clean up your commit and repush. So much easier!

Dependency Scanning: Open-source supply chain attacks are on the rise. GitHub Advanced Security for Azure DevOps identifies open-source package vulnerabilities present in your code – through both direct and transitive dependencies – and provides straightforward guidance from the GitHub Advisory Database on how to upgrade your packages to mitigate the vulnerabilities.

[Screen capture: the Advanced Security experience within Azure DevOps with the Dependencies tab enabled]

Code Scanning: GitHub Advanced Security includes the industry-leading CodeQL static analysis engine to detect hundreds of code security vulnerabilities such as SQL injection and authorization bypass across a wide range of languages including C#, C/C++, Python, JavaScript/TypeScript, Java, Kotlin, Go and more. GitHub Advanced Security for Azure DevOps enables you to run CodeQL scans directly from Azure Pipelines on code from Azure Repos and act on the results without ever having to leave your Azure DevOps environment.
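To make the dependency scanning and code scanning sections concrete, here is a minimal Azure Pipelines definition that runs both on a repository with Advanced Security enabled. This is an added example, not from the original post; the task names and inputs are those of the Advanced Security pipeline tasks as documented for Azure DevOps, while the trigger branch, agent pool and C# language selection are assumptions for illustration.

```yaml
# Added example (not from the original post). Assumes Advanced Security is
# already enabled on the repository; otherwise the tasks fail at runtime.
trigger:
  - main                       # assumption: scan on pushes to main

pool:
  vmImage: ubuntu-latest       # assumption: Microsoft-hosted Linux agent

steps:
  # Initialise CodeQL for the languages in this repo. CodeQL needs the
  # language list up front so it can instrument the build that follows.
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: "csharp"              # assumption: a C# codebase
      querysuite: "security-extended"  # broader than the default suite

  # Compiled languages must be built so CodeQL can observe the code.
  # Autobuild tries to detect and run the build; replace this step with
  # your own build steps if the project has a non-standard build.
  - task: AdvancedSecurity-Codeql-Autobuild@1

  # Dependency scanning resolves direct and transitive packages from the
  # manifests in the repo and reports versions with known advisories.
  - task: AdvancedSecurity-Dependency-Scanning@1

  # Run the CodeQL queries and publish alerts to the repository's
  # Advanced Security tab.
  - task: AdvancedSecurity-Codeql-Analyze@1
```

Results surface in the Advanced Security tab of the repository. For compiled languages, check that the build step actually compiles the code you want analysed: CodeQL only sees what was built, so a partial or skipped build silently shrinks the scan's coverage.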

Issues detected in each of these categories are presented in a repository-scoped Advanced Security experience using the Azure DevOps design language. All that is to say – it will all feel native to Azure DevOps and totally natural to Azure DevOps customers!

[Screen capture: the Advanced Security experience within Azure DevOps with a CodeQL issue selected]

Pricing: GitHub Advanced Security for Azure DevOps has the same pricing as GitHub Advanced Security – $49 per active committer per month, where an active committer is a user who has pushed to a repository with Advanced Security enabled within the last 90 days. Billing is done through Azure, so you can use the same Azure subscriptions and payment vehicles used for the rest of your Azure DevOps bill. And because billing is metered, the costs will be pro-rated based on the repositories you enable and the length of time they are enabled. There’s no purchase commitment necessary at all – you can scale your usage up, or down, or off at any time just by enabling or disabling the protections on whichever repos you select in the Azure DevOps configuration settings.

We are incredibly excited to be reaching this milestone and to be making these powerful capabilities available to all Azure DevOps customers. They will go a long way toward helping you secure your DevOps infrastructure, your code, and your production environments.

To learn more about GitHub Advanced Security for Azure DevOps, see https://aka.ms/advanced-security. To learn more about other upcoming Azure DevOps investments in security and beyond, see https://aka.ms/AzureDevOpsRoadmap.