GitHub Advanced Security for Azure DevOps


Does anyone have any experience with «GitHub Advanced Security for Azure DevOps»?

https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml

It was in preview until last week and is now publicly available (09/20/2023)

I think I configured everything as described. But I can't get «Secret scanning» working.

I tried with an existing php-repo, an existing c#-repo, and a newly created repo. I can commit and push everything, but «Secret scanning» does not detect any credentials.

I get no error. It just does nothing.

«Dependency scanning», on the other hand, works as expected on the c#-repo. So the configuration isn't that wrong...

So: anyone any idea? Or got that thing up and running? Or has an example repo which should trigger the alerts?

Any help is appreciated!

1 answer

Didier Aupest

Secret scanning does not require running through a pipeline. It checks against a list of various providers (around 70/80 partners right now) to detect patterns related to their specific token construction.

One way to detect if the feature works properly:

  • On Azure DevOps, create a Personal Access Token with the right privileges.
  • Keep the token.
  • Revoke the token.
  • Add your PAT inside any file.
  • Try to push.

You might have two configurations:

1. The push is blocked: in the repository configuration, secret scanning on push has been enabled, and you can't push a new commit containing a PAT (meaning you will need to edit your commit and remove the sensitive value).
2. The push is allowed: then on the third tab, you will see your token and the path where it has been specified.
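The two outcomes above can be reasoned about with a small local model of what push-time secret scanning does. The following is an added example written for this page; it is not code from the answer's author, from Microsoft, or from GitHub Advanced Security. The token pattern `EXAMPLEPAT_…` is a constructed placeholder standing in for a provider's token format (the real provider patterns are maintained by the scanning service and are not on this page), and the pushed files are constructed sample input playing the role of the "revoked PAT in any file" test from the answer.

```python
"""Local model of the two push outcomes: blocked by push protection, or
allowed and surfaced as an alert with provider, path and line."""
import re
from dataclasses import dataclass

# ASSUMPTION: constructed placeholder pattern, not the real Azure DevOps PAT
# format. A real scanner holds one such pattern per partner provider.
TOKEN_PATTERNS = {
    "example-provider-pat": re.compile(r"\bEXAMPLEPAT_[a-z0-9]{20}\b"),
}


@dataclass
class Finding:
    provider: str
    path: str
    line: int
    secret: str


def scan_files(changed_files):
    """Scan the new content of every pushed file, line by line.

    changed_files maps a repository path to the file's new text.
    """
    findings = []
    for path, text in changed_files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for provider, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(provider, path, lineno, match.group(0)))
    return findings


def simulate_push(changed_files, block_on_push):
    """Return ("blocked", findings) when push protection rejects the push,
    or ("allowed", findings) when it goes through and findings become alerts."""
    findings = scan_files(changed_files)
    if findings and block_on_push:
        return "blocked", findings
    return "allowed", findings


def redact(secret):
    """Show only the ends of a secret, as an alert view would."""
    return secret[:4] + "..." + secret[-4:]


def format_alerts(findings):
    """One line per finding: provider, path:line, redacted value."""
    return [f"{f.provider}: {f.path}:{f.line} ({redact(f.secret)})" for f in findings]


# Constructed sample push: one file carries the placeholder "revoked" token.
CONSTRUCTED_PUSH = {
    "src/config.php": "<?php\n$token = 'EXAMPLEPAT_abcd1234efgh5678ijkl';\n",
    "README.md": "# demo\nNo credentials here.\n",
}

if __name__ == "__main__":
    for block in (True, False):
        status, found = simulate_push(CONSTRUCTED_PUSH, block_on_push=block)
        print(f"block_on_push={block}: push {status}")
        for line in format_alerts(found):
            print("  " + line)
```

Running the block prints the push as blocked when push protection is on and as allowed (with one alert naming `src/config.php:2`) when it is off, which matches the two configurations the answer describes. Scanning only the content in the pushed commit, rather than re-reading the whole repository, is also why a PAT that was already in history before the feature was enabled shows up under the alerts tab rather than as a blocked push.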