Edit

Share via

Integrate third-party scanning tools

  • Article

GitHub Advanced Security for Azure DevOps creates code scanning alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. The SARIF file properties are used to populate alert information, such as the alert title, location, and description text.

You can generate SARIF files using many static analysis security testing tools, including CodeQL. The results must use SARIF version 2.1.0. For more information on SARIF, see SASRIF tutorials.

Upload a code scanning analysis with Azure Pipelines

To use Azure Pipelines to upload a third-party SARIF file to a repository, your pipeline will need to use the AdvancedSecurity-Publish task, which is part of the tasks bundled with GitHub Advanced Security for Azure DevOps. The main input parameters to use are:

  • SarifsInputDirectory: configures the directory of SARIF files to be uploaded. The expected directory path is absolute.
  • Category: optionally assigns a category for results in the SARIF file. This enables you to analyze the same commit in multiple ways and review the results using the code scanning views in GitHub. For example, you can analyze using multiple tools, and in mono-repos, you can analyze different slices of the repository based on the subset of changed files.

Here is an example of an integration with the Microsoft Security DevOps task owned by the Microsoft Defender for Cloud team:

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: MicrosoftSecurityDevOps@1
  inputs:
    command: 'run'
    categories: 'IaC'
- task: AdvancedSecurity-Publish@1
  inputs:
    SarifsInputDirectory: '$(Build.ArtifactStagingDirectory)/.gdn/'

Result fingerprint generation

If your SARIF file doesn't include partialFingerprints, the AdvancedSecurity-Publish task will calculate the partialFingerprints field for you and attempt to prevent duplicate alerts. Advanced Security can only create partialFingerprints when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see Providing data to track code scanning alerts across runs.

Validate tool results

You can check that the SARIF properties have the supported size for upload and that the file is compatible with code scanning. For more information, see Validating your SARIF file. To validate if a SARIF file conforms specifically to Advanced Security's requirements, see SARIF validator and select Azure DevOps ingestion rules.