Microsoft, GitHub announce application security testing tools for Azure DevOps
GitHub has announced that its application security testing tools are now more widely available for subscribers of Microsoft’s Azure DevOps Services.
Enabling GitHub Advanced Security for Azure DevOps (Source: Microsoft)
What is GitHub Advanced Security for Azure DevOps?
GitHub Advanced Security for Azure DevOps is a suite of tools native to the platform and, like the GitHub Advanced Security offering, encompasses tools for:
- Detecting and preventing secret exposure in users’ application development process (“Secret scanning”)
- Identifying vulnerabilities in open source packages used in Azure Repos (“Dependency scanning”)
- Detecting static code vulnerabilities (“Code scanning”)
Secret scanning
Secret scanning includes both repo scanning and push protection.
“GitHub Advanced Security for Azure DevOps can not only help you find secrets that have already been exposed in Azure Repos, but also help you prevent new exposures by blocking any pushes to Azure Repos that contain secrets,” says Aaron Hallberg, Director of Product for Azure DevOps, Microsoft.
“If you block the secret exposure at push time, before it’s persisted in Azure Repos, it’s a five-minute job to clean up your commit and repush.”
Dependency scanning
The tool identifies the open-source packages used in Azure Repos and the vulnerabilities in them, and advises users on how to upgrade those packages to mitigate vulnerabilities.
The information on which the guidance is based is pulled from the GitHub Advisory Database.
Code scanning
The code scanning tool is powered by CodeQL, a semantic code analysis engine that can detect security vulnerabilities across code written in many different programming languages: C#, C/C++, Python, JavaScript/TypeScript, Java, Kotlin, Go, etc.
Developers can now run CodeQL scans directly from Azure Pipelines on code from Azure Repos and act on the results within the Azure DevOps environment.
“Issues detected in each of these categories are presented in a repository-scoped Advanced Security experience using the Azure DevOps design language,” Hallberg noted.
Availability and price
GitHub Advanced Security for Azure DevOps has been in private preview since November 2022 and is now in public preview (users need to sign up for it).
It costs $49 per active committer per month, and billing is done through Azure.