GitHub Advanced Security in Azure DevOps

Introduction

Working on a new software project where security is an essential quality feature, I've explored the implementation of GitHub Advanced Security within Azure DevOps. This integration not only fortifies the project against potential vulnerabilities but also aligns with our commitment to maintaining high security standards. This blog post will guide you through the process of implementing these security features, specifically tailored for .NET software projects in Azure DevOps.

Setting Up GitHub Advanced Security in Azure DevOps

GitHub Advanced Security offers an array of tools to safeguard your software projects in Azure DevOps. The setup involves configuring secret scanning, dependency scanning, and code scanning.

Secret Scanning

Once you enable Advanced Security, secret scanning starts automatically. This feature includes:

  • Push Protection: Prevents pushing code that exposes secrets.
  • Repository Scanning: Identifies and alerts on secrets that were accidentally committed.

Dependency Scanning

Dependency scanning is crucial for identifying vulnerabilities in open-source dependencies. It’s recommended to add this task following the build steps in your pipeline for .NET projects:

- task: AdvancedSecurity-Dependency-Scanning@1

Code scanning with CodeQL

For .NET projects, setting up CodeQL analysis is a crucial step. Implement the following tasks in your pipeline:

  • AdvancedSecurity-Codeql-Init@1 (specify the language as 'csharp')
  • AdvancedSecurity-Codeql-Autobuild@1, or your own custom build steps
  • AdvancedSecurity-Codeql-Analyze@1

Sample pipeline configuration for .NET

Here’s an example of how you might set up your Azure DevOps pipeline for a .NET project:

trigger:
  - main

pool:
  vmImage: windows-latest

variables:
  advancedsecurity.codeql.querysuite: security-extended

steps:
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: "csharp"

  - task: AdvancedSecurity-Codeql-Autobuild@1

  - task: AdvancedSecurity-Dependency-Scanning@1

  - task: AdvancedSecurity-Codeql-Analyze@1

  - task: AdvancedSecurity-Publish@1

Best practices and tips

  • Language Specification: Always specify the language relevant to your project in the CodeQL Init task.
  • Pipeline Configuration: Consider creating a separate pipeline for code scanning due to its intensive nature.
  • Alert Management: If you disable Advanced Security, all existing alerts and their states are retained for when you re-enable it.

Conclusion

Integrating GitHub Advanced Security in Azure DevOps for your software projects is a proactive approach to enhancing your code’s security. By following these steps and best practices, you can safeguard your projects against vulnerabilities and maintain high standards of code quality.