Get alerts from GitHub Advanced Security for Azure DevOps

GitHub Advanced Security for Azure DevOps (GHAzDo) builds on top of the functionality for GitHub Advanced Security and is giving you extra security tools to embed into your developer way of working. It’s a great way to get started with security in your Azure Pipelines and Azure repos and I’ve written about it before in this blogpost.

Loading the alerts from the API’s

Before starting with the Advanced Security API’s you’ll need to get the ID for the repository you are working with. You’ll need to have the project name and the repository name itself. With that you can make this API call:

https://dev.azure.com/<PROJECT NAME>//_apis/git/repositories?api-version=7.1-preview.1

It will return you the list of repos the token you are using has access to. The repo object will look like this:

{
            "id": "5e5195e1-1b44-4d4b-9310-5d33ee2c4dc",
            "name": "eShopOnWeb",
            "url": "https://dev.azure.com/raj-bos/3651f6f0-74e5-48d7-8ff9-d62ae2464b1/_apis/git/repositories/5e5195e1-1b44-4d4b-9310-5d33ee2c4dc",
            "project": {
                "id": "3651f6f0-74e5-48d7-8ff9-d62ae2464b1",
                "name": "GHAzDo trial",
                "url": "https://dev.azure.com/raj-bos/_apis/projects/3651f6f0-74e5-48d7-8ff9-d62ae2464b1",
                "state": "wellFormed",
                "revision": 141,
                "visibility": "private",
                "lastUpdateTime": "2023-07-26T18:51:26.227Z"
            },
            "defaultBranch": "refs/heads/main",
            "size": 62610330,
            "remoteUrl": "https://raj-bos@dev.azure.com/raj-bos/GHAzDo%20trial/_git/eShopOnWeb",
            "sshUrl": "git@ssh.dev.azure.com:v3/raj-bos/GHAzDo%20trial/eShopOnWeb",
            "webUrl": "https://dev.azure.com/raj-bos/GHAzDo%20trial/_git/eShopOnWeb",
            "isDisabled": false,
            "isInMaintenance": false
        }

From this you need the “id” field of the response. That can then be injected into the next API call:

https://advsec.dev.azure.com/<PROJECT NAME>/<REPO NAME>/_apis/AdvancedSecurity/repositories/<REPO ID>/alerts?top=50&orderBy=severity&alertType=3&ref=refs/heads/main&states=1

The filtering options determine the response you will get back:

Param	Description
top	The number of alerts you want to get back.
orderBy	The field you want to order the results by.
alertType	The type of alert you want to get back. 1 = Dependency, 2 = Secrets, 3 = Code scanning
ref	The branch you want to get the alerts for, only needed when looking at code scanning alerts
states	The state of the alerts you want to get back. 1 = Open, 2 = Closed

You can also leave the alertType away from the url to get all alerts in one go. Do be aware that it will result in a different value for the alertType in the response, instead of the numbers listed in the table above: