View third-party providers code scan results in Azure DevOps

As we continue our integration with GitHub Advanced Security, we are excited to announce that you can now leverage the publish task (AdvancedSecurity-Publish@1) to import security results from third-party providers into the Advanced Security Code Scanning alerts hub!

Check out the release notes for details.

General

GitHub Advanced Security for Azure DevOps

Azure Pipelines

General

Improve search results with wildcard prefixes and substrings

We’re excited to announce our new search feature, which now supports wildcard as prefix and substring searches across code, work items, wiki, and packages. By adding a wildcard at the beginning and end of your search term, you can find all relevant strings that contain your term. For instance, entering "Test" in the search box yields results like "mytestclass","improvecodewithtest", and "test_wikiarticle". This feature rolls out over the next few weeks.

GitHub Advanced Security for Azure DevOps

The security overview risk page now links directly to each repository's individual Advanced Security alerts page. Similar to the coverage page, for a particular repository, hover over the row and click on the icon on the right side of the row to navigate directly to the alerts page.

Screenshot of links to repository alerts.

Publish task for integrating with third-party providers

The AdvancedSecurity-Publish@1 task allows you to easily retrieve results from third-party providers, enhancing the integration with GitHub advanced security for AzureDevOps. These providers can include both open-source and commercial security analysis pipeline tasks that generate results in the conforming SARIF format. By leveraging this, you can now view the results within the Advanced Security Code Scanning alerts hub, providing a unified view of code security alerts from currently supported analysis tools directly within Azure DevOps. This integration supports SARIF 2.1, offering you a comprehensive overview of their security posture.

For detailed instructions on configuring code scanning in GitHub Advanced Security with Azure DevOps, see Set up code scanning.

Azure Pipelines

macOS-14 Sonoma preview and macOS-11 retirement

The macOS-14 image is now available in preview for Azure Pipelines hosted agents. To use this image, update your YAML file to include vmImage:'macos-14':

- job: macOS14
  pool:
    vmImage: 'macOS-14'
  steps:
  - bash: |
      echo Hello from macOS Sonoma Preview
      sw_vers

For macOS-14 installed software, see image configuration.

The macOS-12 image will still be used when specifying macOS-latest. Once macOS-14 is generally available, macOS-latest will migrate directly to macOS-14. The macOS-latest label will skip macOS-13.

The macOS-11 image is deprecated and will be retired June 2024.

Node 10 removed from pipelines-* Agent packages

Our agents support tasks implemented in PowerShell or Node. The agent ships with multiple versions of Node accommodating different task requirements.

As new versions of Node are released, tasks are updated to utilize these newer Node versions. The required runtimes are included with the agent.

However, as older Nodes exit their maintenance window, some Pipelines tasks might still depend on them. Azure DevOps updates supported tasks to a Node version that's still supported, although third-party tasks might require older versions to run.

To manage this, we have two Pipeline agents packages:

Packages Node versions Description
vsts-agent-* 6, 10, 16, 20 Includes all Node versions that can be used as task execution handler
pipelines-agents-* 16, 20 Includes only recent Node versions. The goal for these packages is to not include any end-of-life version of Node.

If you want to run a task that requires the Node 10 execution handler on an agent that doesn't have Node 10 bundled, you can install the execution handler by inserting the NodeTaskRunnerInstaller@0 task in your pipeline:

  steps:
  - task: NodeTaskRunnerInstaller@0
    inputs:
      runnerVersion: 10

Next steps

Note

These features will roll out over the next two to three weeks.

Head over to Azure DevOps and take a look.

How to provide feedback

We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

Make a suggestion

You can also get advice and your questions answered by the community on Stack Overflow.

Thanks,

Silviu Andrica