GitHub Advanced Security has recently started supporting the ability to analyze your code for security vulnerabilities and coding errors from third-party CI pipelines. This article will teach you how to configure the code scanning feature in your GitHub repository and scan your code for any vulnerabilities from Azure DevOps pipelines.

To integrate the GitHub Advanced Security code scanning feature with Azure DevOps, you must perform the following actions:

  • Download the latest CodeQL dependencies on your agent.
  • Give CodeQL access to your repository.
  • Initialize the CodeQL executable and create a queryable CodeQL database.

Once you have completed these operations, you will be able to scan your application. The results will be uploaded to GitHub, and you will be able to review them from the GitHub interface.

IMPORTANT: Remember that the hosted agents used in Azure Pipelines are ephemeral, which means that you must install the CodeQL package every time your pipeline runs. This operation is not necessary if you have a self-hosted agent, because you can pre-install the package and re-use it for each execution.
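The three steps above, followed by the analysis and the upload, as an Azure Pipelines definition for a hosted Ubuntu agent. This is an added example, not code from the original article; it assumes a JavaScript code base (so no build command is needed), a secret pipeline variable named GITHUB_TOKEN holding a GitHub token that is allowed to upload code scanning results, and the placeholder `owner/repo` for the target GitHub repository.

```yaml
# azure-pipelines.yml (added example; values marked as placeholders must be replaced)
trigger:
  - main

pool:
  vmImage: ubuntu-latest   # hosted agent is ephemeral, so the CodeQL bundle is fetched on every run

steps:
  - checkout: self

  # Step 1: download the CodeQL bundle (CLI + query packs) onto the agent and put it on PATH
  - bash: |
      set -euo pipefail
      curl -sSL -o codeql-bundle.tar.gz \
        https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
      tar -xzf codeql-bundle.tar.gz -C "$(Pipeline.Workspace)"
      echo "##vso[task.prependpath]$(Pipeline.Workspace)/codeql"
    displayName: Download CodeQL bundle

  # Step 3: create the queryable CodeQL database from the checked-out sources
  - bash: |
      set -euo pipefail
      codeql database create codeql-db \
        --language=javascript \
        --source-root="$(Build.SourcesDirectory)"
    displayName: Create CodeQL database

  # Run the default code scanning query suite for the database language and write SARIF
  - bash: |
      set -euo pipefail
      codeql database analyze codeql-db \
        --format=sarif-latest \
        --output=results.sarif \
        --sarif-category=azure-pipelines
    displayName: Analyze with CodeQL

  # Step 2 + upload: the token gives CodeQL access to the repository's code scanning API
  - bash: |
      set -euo pipefail
      codeql github upload-results \
        --repository="$REPO_SLUG" \
        --ref="$(Build.SourceBranch)" \
        --commit="$(Build.SourceVersion)" \
        --sarif=results.sarif
    displayName: Upload results to GitHub code scanning
    env:
      GITHUB_TOKEN: $(GITHUB_TOKEN)   # secret variable (assumption); never echo it in logs
      REPO_SLUG: owner/repo            # placeholder: GitHub repository that receives the alerts
```

Keep the token as a secret variable rather than a plain pipeline variable so it is masked in the job log, and scope it to the single repository that receives the results.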


GitHub Advanced Security from Azure DevOps