Safeguard
Product

GitHub Advanced Security for Azure DevOps: general availa...

GitHub Advanced Security for Azure DevOps hit GA on June 1, 2023 at $49/committer/month. Here's what it covers, what it misses, and how Safeguard fills the gaps.

Karan Patel
Cloud Security Engineer
7 min read

On June 1, 2023, Microsoft moved GitHub Advanced Security for Azure DevOps out of public preview and into general availability, closing a roughly 18-month preview window that started in November 2021. The GA release brought CodeQL-powered code scanning, secret scanning with push protection, and dependency (software composition) scanning directly into Azure Repos and Azure Pipelines, priced at $49 per active committer per month — the same per-seat model GitHub uses for GHAS on GitHub.com. For the large population of enterprises still running Azure DevOps Server or Azure DevOps Services alongside GitHub.com repositories, this was the first time they could get GitHub's flagship AppSec tooling without migrating source control. Below, we break down what actually shipped, what it costs, where it falls short, and how Safeguard fills the gaps for teams standardizing on it.

What is GitHub Advanced Security for Azure DevOps?

GitHub Advanced Security (GHAS) for Azure DevOps is Microsoft's port of GitHub's native security suite — CodeQL semantic code scanning, secret scanning, and dependency scanning — into the Azure DevOps platform, rather than requiring teams to move their code to GitHub.com. It ships as an add-on you enable per-project in Azure DevOps Services or Azure DevOps Server 2022+, surfacing alerts inside pull requests and the Azure Repos UI instead of GitHub's Security tab. Microsoft built this because a large share of its enterprise base — banks, government agencies, and regulated industries in particular — never moved off Team Foundation Server-descended Azure DevOps, even after acquiring GitHub in 2018. GHAS for Azure DevOps lets those organizations buy the same underlying scanning engines (CodeQL was itself acquired by GitHub via Semmle in 2019) without a source-control migration project.

What changed when GHAS for Azure DevOps went GA on June 1, 2023?

The GA milestone removed the "preview" caveats and unlocked general billing, SLA commitments, and feature parity targets with GitHub.com's GHAS. During the roughly 18-month preview (announced at GitHub Universe in November 2021), Microsoft iterated on CodeQL language coverage, alert triage UX, and pipeline task integration based on early-adopter feedback. At GA, Microsoft confirmed support for Azure DevOps Services (cloud) and committed to bringing the same capability to Azure DevOps Server for on-premises customers, which matters for regulated customers who cannot run cloud-only tooling. GA also meant GHAS for Azure DevOps could be purchased directly through the Azure DevOps organization billing blade or an Azure Enterprise Agreement, rather than requiring a separate sales-assisted preview enrollment.

What security capabilities does GHAS for Azure DevOps actually include?

It includes three scanning engines: CodeQL-based code scanning for SAST-style vulnerability detection across languages like C#, Java, JavaScript/TypeScript, Python, and Go; secret scanning that detects over 100 credential and token patterns (AWS keys, Azure SAS tokens, Stripe keys, and more) committed to Azure Repos; and dependency scanning that flags known-vulnerable open-source packages in your manifest files, functioning like a private-repo equivalent of Dependabot alerts. Secret scanning push protection — which blocks a git push before a detected secret ever lands in history — was included at GA for Azure Repos, mirroring the push protection GitHub rolled out to public repos on GitHub.com in 2023. All three engines run as tasks inside Azure Pipelines, so results appear as pull request status checks rather than requiring a separate dashboard visit, and alerts are triaged through a "GitHub Advanced Security" tab added to each Azure DevOps project.

How much does GitHub Advanced Security for Azure DevOps cost?

Pricing is $49 per active committer per month, billed to whichever Azure DevOps organization enables the feature, and it only counts committers who actually pushed code to a GHAS-enabled repository in that billing period — not every licensed Azure DevOps user. That mirrors GitHub.com's GHAS pricing exactly ($49/committer/month for GitHub Enterprise Cloud customers), so an organization running mixed GitHub and Azure DevOps estates pays the same per-head rate regardless of which platform a given engineer commits to. For a team of 200 active committers, that's roughly $9,800/month or $117,600/year — before accounting for the underlying Azure DevOps or GitHub Enterprise licensing GHAS sits on top of. Microsoft does not currently offer a bundled discount for customers licensing GHAS on both GitHub and Azure DevOps simultaneously, which is a real cost consideration for enterprises mid-migration between the two.

What does GHAS for Azure DevOps still not cover?

Even at GA, GHAS for Azure DevOps stops at detecting known vulnerability patterns and secrets already defined in Microsoft's rule sets — it does not provide software bill of materials (SBOM) generation, build provenance attestation (SLSA-style), artifact signing, or malicious-package behavioral analysis for your dependency tree. Its dependency scanning tells you a package version has a published CVE; it does not tell you whether that dependency was typosquatted, whether a maintainer account was recently compromised, or whether a package's publish behavior deviates from its historical baseline — the kind of software supply chain attack pattern behind incidents like the 2024 xz-utils backdoor. It also only scans repositories hosted in Azure Repos: if your organization has code split across Azure DevOps, GitHub.com, GitLab, and Bitbucket (common after acquisitions), GHAS gives you per-platform coverage with no unified risk view. Because CodeQL and dependency scanning results live inside separate Azure DevOps and GitHub UIs, security teams overseeing both estates end up stitching alerts together manually or building custom exports.

How does GHAS for Azure DevOps compare to GitHub Advanced Security on GitHub.com?

Feature-for-feature, GHAS for Azure DevOps trails GitHub.com's GHAS by design, since Microsoft ships new GHAS capabilities to GitHub.com first and back-ports them later. As of GA, capabilities like Copilot Autofix for code scanning alerts, dependency review in the PR diff view, and security overview dashboards at the organization level were either unavailable or delivered later to Azure DevOps than to GitHub.com. Both products share the same CodeQL query packs and the same $49/committer/month price, so the core scanning quality is comparable, but the surrounding workflow — alert dismissal reasons, security campaigns, dependency graph API access — has historically lagged on the Azure DevOps side by several months to a year per feature. For organizations already committed to Azure DevOps for source control and pipelines, GHAS for Azure DevOps is still the most direct way to get CodeQL scanning without a platform migration; the trade-off is accepting a perpetually "second" release cadence on newer GHAS features.

How Safeguard Helps

GHAS for Azure DevOps answers "does this code or dependency contain a known bad pattern," but it was never built to answer "can I trust the software supply chain that produced this build." Safeguard is designed to sit alongside GHAS — whether you run it on Azure DevOps, GitHub.com, or both — and cover the gaps outlined above.

Where GHAS's dependency scanning matches package versions against known-CVE databases, Safeguard continuously monitors your open-source dependency graph for behavioral supply chain risk: newly transferred package ownership, publish-time code that doesn't match the linked source repository, dependency confusion and typosquat lookalikes, and maintainer account anomalies — the class of attack that CVE databases only catch after the fact. Where GHAS gives you per-repository alerts scoped to whichever platform hosts that repo, Safeguard aggregates supply chain risk across GitHub, Azure DevOps, GitLab, and Bitbucket into one inventory, so security teams managing a mixed estate (common during and after M&A, or during a GitHub-to-Azure DevOps migration) get a single risk view instead of reconciling exports from multiple security tabs.

Safeguard also extends past detection into provenance: generating and verifying SBOMs, attesting build artifacts against SLSA-style provenance requirements, and enforcing signing policies before artifacts reach production — none of which GHAS for Azure DevOps provides even at GA. For teams that have adopted GHAS for its CodeQL and secret scanning strengths, Safeguard is not a replacement but a complement: it ingests GHAS alerts alongside its own supply chain findings so you get one prioritized risk queue instead of two disconnected security tabs. If your organization is evaluating the true cost of GHAS at $49/committer/month against the coverage it actually delivers, Safeguard can show you exactly which supply chain risks — package tampering, build-time compromise, unsigned artifacts — would still reach production even with GHAS fully enabled.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.