Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
GitHub Advanced Security for Azure DevOps provides comprehensive security scanning capabilities with granular permission controls. This article guides you through configuring permissions for security alerts, managing access levels, and setting up secure authentication for Advanced Security APIs.
GitHub Advanced Security for Azure DevOps works with Azure Repos. To use GitHub Advanced Security with GitHub repositories, see GitHub Advanced Security.
Prerequisites
| Category | Requirements |
|---|---|
| Permissions | - To view a summary of all alerts for a repository: Contributor permissions for the repository. - To dismiss alerts in Advanced Security: Project administrator permissions. - To manage permissions in Advanced Security: Member of the Project Collection Administrators group or Advanced Security: manage settings permission set to Allow. |
For more information about Advanced Security permissions, see Manage Advanced Security permissions.
Permission definitions
Advanced Security introduces three specialized permissions that control access to security features:
| Permission | Description | Use cases |
|---|---|---|
| Advanced Security: Read alerts | View security alerts, vulnerabilities, and scan results | Security analysts, developers reviewing code |
| Advanced Security: Manage and dismiss alerts | Dismiss false positives, manage alert lifecycle | Security engineers, lead developers |
| Advanced Security: Manage settings | Enable/disable Advanced Security features (billable action) | Project administrators, security managers |
Default permission assignments
| Azure DevOps group | Default permissions |
|---|---|
| Contributors | Advanced Security: Read alerts |
| Project administrator | Advanced Security: Read alerts, manage, and dismiss alerts |
| Project collection administrator | Advanced Security: Read alerts, manage and dismiss alerts, manage settings |
Note
Only users with "Manage settings" permission can enable Advanced Security features, which might incur billing charges. Use caution when granting this permission.
Manage Advanced Security permissions
You can customize Advanced Security permissions for specific repositories to meet your security requirements. This action is useful when you need to grant different access levels to team members based on their roles and responsibilities.
Common scenarios for permission customization:
- Security team access: Grant full permissions to security analysts
- Developer access: Provide read-only access for development teams
- Compliance requirements: Restrict settings management to authorized personnel
Configure repository-specific permissions
If the permission dropdowns are disabled, contact your project administrator for the necessary permissions to manage security settings.
To adjust permissions for a specific repository:
Select Project settings > Repositories.
Select the specific repository you wish to adjust permissions for.
Select Security.
Select the security group you wish to adjust permissions for.
Change a permission. When successful, a checkmark displays next to the selected permission.
Authentication for Advanced Security APIs
Use Microsoft Entra ID tokens (Recommended)
Microsoft Entra ID tokens are the preferred authentication method for accessing GitHub Advanced Security for Azure DevOps APIs. They provide enhanced security through OAuth 2.0 standards and seamless integration with enterprise identity systems.
Benefits of Microsoft Entra ID authentication:
- Enhanced security: OAuth 2.0 compliance with automatic token refresh
- Enterprise integration: Native support for conditional access policies and multifactor authentication
- Audit and compliance: Better tracking and logging for security operations
- Least privilege access: Fine-grained scope control aligned with your organization's security policies
For detailed implementation guidance, see Microsoft Entra authentication for Azure DevOps.
Use personal access tokens
Important
We recommend the more secure Microsoft Entra tokens over higher-risk personal access tokens. Learn more about our efforts to reduce PAT usage. Review our authentication guidance to choose the right authentication mechanism for your needs.
You can use a personal access token to use the Advanced Security APIs. For more information, see Use personal access tokens.
Advanced Security offers three extra scopes for a PAT: read, read and write, and read, write, and manage.