Deep Dive into GitHub Advanced Security Integration with Azure DevOps

GitHub has been heavily investing in security. In May 2020, they announced the beta release of GitHub Advanced Security. Since then, they have continued to introduce new features and enhance existing ones, making it a potent tool for application security teams and development leaders managing hundreds or even thousands of repositories.

What is GitHub Advanced Security?

GitHub Advanced Security is a comprehensive solution that consolidates multiple GitHub security features. This allows users to easily assess application security risks detected by code scanning, Dependabot, and secret scanning all in one place.

The key features are:

• Dependency Scanning: Managing dependencies isn’t straightforward. Libraries often depend on other libraries, forming a complex tree. Each dependency has its own version and potential vulnerabilities. Especially for large projects, monitoring this can be challenging. This feature identifies all upstream dependencies by generating a dependency graph.
• Code Scanning: This feature scans the code to detect security vulnerabilities and coding errors. It supports both CodeQL (maintained by GitHub) and other third-party engines that output SARIF data.