All of our staging build pipelines are centralized into one repository inside a single project. Each pipeline builds a solution located in a different repository/project.

We are using GitHub Advanced Security for Azure DevOps to provide Dependency Analysis.

When I run the AdvancedSecurity-Dependency-Scanning@1 task inside a pipeline, the dependency alerts are stored against the pipeline repository and NOT the repository containing the source code.

I need them to be stored against the source code repository - so that the alerts from different repositories can be separated out from each other, and can be managed/mitigated by contributors in the respective project.

As stated before, I am using the AdvancedSecurity-Dependency-Scanning@1 task. Unfortunately, there does not seem to be any input parameters that can be used to specify the repository.

I have looked for any input parameters that would enable me to specify the repo for the alerts to be stored against. I have also considered the resources section of YAML, and cannot find any way of changing this.

1

There are 1 answers

0
Miao Tian-MSFT On

According to the document of Dependency scanning,

Dependency scanning is a pipeline-based scanning tool. Results are aggregated per repository. It's recommended that you add the dependency scanning task to all the pipelines you'd like to be scanned.

Therefore, currently the dependency alerts are aggregated against the pipeline repository, and there may be no option to change this setting. You can create a suggestion for Azure DevOps here and other users may vote on it.