How to Configure GitHub Advanced Security for Azure DevOps | How to Perform Security scan for Azure Repos using GitHub Advanced Security

GitHub Advanced Security for Azure DevOps brings the secret scanning, dependency scanning and CodeQL code scanning solutions already available for GitHub users and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines. 

Pre-requisites:

• Azure DevOps account
• Enable GitHub advanced Security billing in ADO
• Application code, I am using Java project to scan

How to Set up dependency scanning?

Dependency scanning is a pipeline-based scanning tool. Results are aggregated per repository. It's recommended that you add the dependency scanning task to all the pipelines you'd like to be scanned.

Add the task Advanced Security Dependency Scanning task (AdvancedSecurity-Dependency-Scanning@1) directly to your YAML pipeline file or select the Advanced Security Dependency Scanning task from the task assistant.

How to Set up code scanning

Code scanning is also a pipeline-based scanning tool where results are aggregated per repository.

Add the tasks in the following order:

1. Advanced Security Initialize CodeQL (AdvancedSecurity-Codeql-Init@1)
2. Your custom build steps
3. Advanced Security Perform CodeQL Analysis (AdvancedSecurity-Codeql-Analyze@1)

Pipeline YAML Code for scanning Java code using GitHub Advanced Security

trigger:

- main

resources:

- repo: self

variables:

tag: '$(Build.BuildId)'

stages:

- stage: Build

displayName: Build image

jobs:

- job: Build

displayName: Build

pool:

vmImage: ubuntu-latest

steps:

- task: AdvancedSecurity-Codeql-Init@1

inputs:

languages: 'java'

- task: Maven@4

inputs:

mavenPomFile: 'pom.xml'

goals: 'install'

publishJUnitResults: true

testResultsFiles: '**/surefire-reports/TEST-*.xml'

javaHomeOption: 'JDKVersion'

mavenVersionOption: 'Default'

mavenAuthenticateFeed: false

effectivePomSkip: false

sonarQubeRunAnalysis: false

- task: AdvancedSecurity-Dependency-Scanning@1

- task: AdvancedSecurity-Codeql-Analyze@1

Where to see the Scan resule in Azure DevOps?

What is GitHub Advanced Security for Azure DevOps | How to Enable GitHub Advanced Security for Azure DevOps ?

GitHub Advanced Security for Azure DevOps brings the secret scanning, dependency scanning and CodeQL code scanning solutions already available for GitHub users and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines.

These scanning tools will natively embed automated security checks into the Azure DevOps platform, allowing developers to secure their code, secrets and supply chain without leaving their workflow.

Azure DevOps Advanced Security provides below security features to help organizations identify and address security vulnerabilities in their development processes.

• Secret Scanning push protection: check if code pushes include commits that expose secrets such as credentials
• Secret Scanning repo scanning: scan your repository and look for exposed secrets that were committed accidentally
• Dependency Scanning – search for known vulnerabilities in open source dependencies (direct and transitive)
• Code Scanning – use CodeQL static analysis engine to identify code-level application vulnerabilities such as SQL injection and authentication bypass.

Scope of GitHub Advanced Security for Azure DevOps

• only available for Git repositories
• only available for Azure DevOps services, not available in Azure DevOps Server(old TFS) 

Enable GitHub Advanced Security

You can enable Advanced Security at the organization, project, or repository level.

Repository-level onboarding

1. Go to your Project settings for your Azure DevOps project.
2. Select Repos > Repositories.
3. Select the repository you want to enable Advanced Security for.
4. Select Enable and Begin billing to activate Advanced Security. A shield icon now appears in the repository view for any repository with Advanced Security enabled.

Project-level onboarding

1. Go to your Project settings for your Azure DevOps project.
2. Select Repos.
3. Select the Settings tab.
4. Select Enable all and see an estimate for the number of active committers for your project appear.
5. Select Begin billing to activate Advanced Security for every existing repository in your project.
6. Optionally, select Automatically enable Advanced Security for new repositories so that any newly created repositories have Advanced Security enabled upon creation.

Organization-level onboarding

1. Go to your Organization settings for your Azure DevOps organization.
2. Select Repositories.
3. Select Enable all and see an estimate for the number of active committers for your organization appear.
4. Select Begin billing to activate Advanced Security for every existing repository in each project in your organization.
5. Optionally, select Automatically enable Advanced Security for new repositories so that any newly created projects have Advanced Security enabled upon creation.

Setup Secret Scanning 

Secret scanning push protection and repository scanning are automatically enabled when you turn on Advanced Security. You can enable or disable secret push protection from the repository settings page.

As mentioned, secret scanning repository scanning is automatically kicked off upon enabling Advanced Security for a selected repository.

DevSecOps Bootcamp Dec 2024 Schedule | DevSecOps & AWS Azure Cloud Coaching by Coach AK | DevSecOps and Cloud Computing Online Classes

Lot of new topics covered like GitHub Actions, GitHub Advanced Security, Helm, Prometheus and Grafana..)

The DevOps requirements in the IT market space is expected to grow by 35% by 2024. Getting a DevOps education now is a great investment into your future, which will pay off very fast!

You are in the right place to kick start your career in DevOps. DevOps is one of the top and hot IT skills right now. Currently almost all the employers are struggling to get right resources in their teams who can do the DevOps and automation work..You could be that person by attending this coaching program.

DevOps Coaching schedule - Dec 2024 (promotions are on, please contact Coach AK)

Date	Time	Type	When?
Dec 1st	11:35 AM CST - 01:30 PM CST on Saturdays 01:30 PM CST - 03:30 PM CST on Sundays	Weekends	Sat/Sundays
Dec 3rd	6:00 to 8:00 PM CST	Weekdays	Tuesdays/Thursdays

DevSecOps Coaching Highlights:

Comprehensive hands on knowledge on Git, GitHub, Jenkins, Maven, SonarQube, Nexus, Terraform, Ansible, Docker, Kubernetes, Helm, Prometheus, Docker registry, AWS and Azure cloud platform.

To join DevOps Coaching classes, please contact Coach AK below:

Contact no# : +1 (469)733-5248

WhatsApp #: +1 (469)733-5248

Email id: contact.devopscoaching@gmail.com
Contact Name: Coach AK