Overview
GitHub is the preferred platform for the Agentic Accelerator Framework. Azure DevOps (ADO) is a first-class citizen. Many organizations operate in a hybrid GitHub and ADO environment, and this framework supports both platforms with equivalent security, accessibility, code quality, and FinOps controls.
Feature Comparison
| Framework Feature | GitHub | Azure DevOps | Notes |
|---|---|---|---|
| Secret Scanning | GitHub Secret Protection | GHAzDO Secret Protection | Push protection on both |
| Dependency Scanning (SCA) | Dependabot + Dependency Review | GHAzDO Dependency Scanning | ADO uses pipeline task |
| Code Scanning (SAST) | CodeQL + Copilot Autofix | GHAzDO CodeQL | Same CodeQL engine on both |
| SARIF Upload (custom tools) | upload-sarif action |
AdvancedSecurity-Publish@1 |
Accessibility scanner works on both |
| IaC Scanning | MSDO GitHub Action | MSDO ADO Task | Same MSDO tool on both |
| DAST | ZAP GitHub Action | ZAP ADO Task | Same ZAP tool on both |
| Security Overview | Org-wide dashboard + API | Org-level UI-only (no API) | ADO compensated by Power BI |
| Security Campaigns | Bulk remediation + Autofix | Not available | GitHub-only feature |
| Copilot Autofix | AI-powered fix suggestions | Not available | GitHub-only feature |
| Custom GHCP Agents (platform) | Coding agent + agents tab | Not on ADO platform | Use VS Code agents for ADO repos |
| Custom GHCP Agents (IDE) | VS Code + JetBrains | VS Code (for ADO repos) | Same agents work in VS Code |
| Agent Instructions/Prompts | .github/ conventions |
Via VS Code (same files) | Agents run locally in IDE |
| PR Annotations | Inline SARIF annotations | Build validation annotations | Both support inline feedback |
| Defender for Cloud Integration | GitHub connector | ADO connector | Both feed into MDC |
| Defender for DevOps | GitHub repos visible | ADO repos visible | Unified view across both |
| Container Image Scanning | Trivy/Grype actions | Trivy/MSDO pipeline tasks | Same tools available |
| Accessibility SARIF to AdvSec | Code Scanning alerts | Code Scanning alerts (ADO) | Proven: a11y-scanner visible in ADO |
| Code Coverage Reporting | SARIF + PR comments | PublishCodeCoverageResults@2 |
ADO has native coverage tab |
| Power BI Security Dashboards | Via API (custom build) | advsec-pbi-report-ado |
ADO has dedicated PBI report |
| FinOps / Cost Analysis | GitHub Actions + Azure SDK | ADO Pipelines + Azure SDK | Same Azure APIs from both |
| APM Dependency Management | apm install + apm audit |
Works with any Git host | APM supports ADO repos |
| SBOM Generation | Anchore Syft / Microsoft SBOM | Same tools in ADO pipelines | Pipeline-agnostic tools |
GHAzDO Capabilities
GitHub Advanced Security for Azure DevOps (GHAzDO) brings core GHAS capabilities to ADO.
Secret Protection
- Push protection blocks secrets before they enter the repository
- Secret scanning alerts identify secrets already present
- Security Overview provides org-level visibility
Code Security
- CodeQL scanning uses the same engine as GitHub
- Dependency scanning identifies vulnerable components
- Third-party tool findings integrate through
AdvancedSecurity-Publish@1 - Security Overview aggregates all findings
PR Annotations
- Automatic annotations for dependency and code scanning on pull requests
- Build validation policies enforce scanning before merge
Hierarchical Enablement
- Enable at organization, project, or repository level
- Same hierarchical model as GitHub’s org and repo-level settings
ADO Pipeline Tasks
The following GHAzDO pipeline tasks replace GitHub Actions equivalents.
| Task | Purpose | GitHub Equivalent |
|---|---|---|
AdvancedSecurity-Codeql-Init@1 |
Initialize CodeQL analysis | github/codeql-action/init@v3 |
AdvancedSecurity-Codeql-Analyze@1 |
Run CodeQL analysis | github/codeql-action/analyze@v3 |
AdvancedSecurity-Dependency-Scanning@1 |
Dependency vulnerability scanning | Dependabot / Dependency Review |
AdvancedSecurity-Publish@1 |
Publish custom SARIF results | github/codeql-action/upload-sarif@v4 |
PublishTestResults@2 |
Publish JUnit test results | Third-party actions |
PublishCodeCoverageResults@2 |
Publish Cobertura coverage | Third-party actions |
Example ADO Pipeline
steps:
# CodeQL scanning
- task: AdvancedSecurity-Codeql-Init@1
inputs:
languages: 'csharp'
enableAutomaticCodeQLInstall: true
- task: AdvancedSecurity-Dependency-Scanning@1
- task: AdvancedSecurity-Codeql-Analyze@1
# Custom accessibility scanning
- script: >
npx a11y-scan scan
--url "$(SCAN_URL)"
--threshold 80
--format sarif
--output a11y-results.sarif
displayName: Run accessibility scan
- task: AdvancedSecurity-Publish@1
inputs:
sarif_file: a11y-results.sarif
displayName: Publish a11y SARIF
# Native ADO test and coverage
- task: PublishTestResults@2
inputs:
testResultsFormat: 'JUnit'
failTaskOnFailedTests: true
- task: PublishCodeCoverageResults@2
inputs:
codeCoverageTool: 'Cobertura'
summaryFileLocation: '$(Build.SourcesDirectory)/coverage/cobertura-coverage.xml'
Power BI: advsec-pbi-report-ado
The devopsabcs-engineering/advsec-pbi-report-ado repository provides a Power BI report in PBIP format that compensates for ADO’s lack of a Security Overview API. This report delivers richer analytics than the native ADO Security Overview UI.
Architecture
| Component | Detail |
|---|---|
| Data source | ADO Advanced Security REST API at advsec.dev.azure.com (API v7.2-preview.1) |
| Authentication | PAT with vso.advsec scope |
| Data model | Star schema: 1 fact table (Fact_SecurityAlerts) + 5 dimension tables |
| Parameters | OrganizationName + optional ProjectName for multi-org deployment |
| Pagination | Continuation token-based enumeration across all projects, repos, and alerts |
Dimension Tables
| Table | Purpose |
|---|---|
Dim_AlertType |
Alert type classification (dependency, secret, code) |
Dim_Date |
Date dimension for trend analysis |
Dim_Repository |
Repository metadata |
Dim_Severity |
Severity levels |
Dim_State |
Alert states (active, fixed, dismissed) |
Key DAX Measures
- Total Alerts, Active Alerts, Fixed Alerts, Fixed Rate %
- Critical Active count
- Mean Time to Fix
- Alert counts by type: Dependency Alerts, Secret Alerts, Code Alerts
Report Pages
| Page | Content |
|---|---|
| Security Overview | DevOps Security Findings donut charts, severity distribution, alerts by tool |
| Alerts by Type | Breakdown by dependency, secret, and code alerts |
| Trend Analysis | Alert trends over time with date filtering |
Deployment
# Configure for your ADO organization
.\scripts\setup-parameters.ps1 -OrganizationName "yourorg"
# Open in Power BI Desktop
Start-Process AdvSecReport.pbip
# Automated deployment to Fabric workspace
.\scripts\deploy.ps1
Custom Agent Compatibility
Custom GHCP agents have different availability across the two platforms.
| Capability | GitHub | Azure DevOps |
|---|---|---|
| Platform-hosted agents (coding agent, agents tab) | Available | Not available |
| VS Code agents (chat panel) | Available | Available (same agents work) |
| JetBrains agents | Available | Not tested |
| Agent instructions and prompts | .github/ conventions loaded automatically |
Loaded via VS Code when developing ADO-hosted code |
| Organization-wide sharing | .github-private repo |
.github-private (agents work in VS Code for ADO repos) |
[!NOTE] Custom GHCP agents work in VS Code for ADO-hosted repositories. The same
.agent.mdfiles apply regardless of the source control platform. The limitation is that ADO’s web platform does not host the coding agent or agents tab.
ADO Advanced Security REST API
ADO Advanced Security exposes a REST API at a separate domain from the standard ADO API.
| Property | Value |
|---|---|
| Base URL | https://advsec.dev.azure.com/{organization} |
| API version | v7.2-preview.1 |
| Authentication | PAT with vso.advsec scope |
| Endpoints | Alerts listing, alert details, alert state updates |
| Pagination | Continuation token-based |
This API powers the Power BI report and can be used for custom automation, reporting, and integration with external systems.
Defender for Cloud: Unified View
Microsoft Defender for Cloud provides a unified security posture view across both platforms.
GitHub repos --> GitHub connector --> Defender for Cloud --> Defender for DevOps
ADO repos --> ADO connector --> Defender for Cloud --> Defender for DevOps
Both connectors feed findings into the same Defender for Cloud instance, enabling governance teams to view security posture across GitHub and ADO repositories in a single console. Accessibility, coverage, and FinOps findings appear alongside security alerts when published as SARIF to Code Scanning.