Edit

Share via

Strengthening security and repository integration

  • Article

With this update, we’re improving security and authentication across Azure DevOps. Overlapping secrets for Azure DevOps OAuth make secret rotation seamless, while GitHub Advanced Security brings better filtering to the security overview page while ensuring multi-repository publishing correctly routes dependency and code scanning alerts.

Hosted image updates in Azure Pipelines, include Ubuntu-24.04, Windows 2025, and mac-OS 15 Sequoia, ensuring a more secure and reliable experience.

Check out the release notes for details.

General

GitHub Advanced Security for Azure DevOps

Azure Pipelines

Test Plans

General

Overlapping secrets for Azure DevOps OAuth

We're excited to introduce the new overlapping secrets feature in Azure DevOps OAuth, designed to enhance security, and streamline secret rotations. This feature lets you add a new secret to your OAuth client while the previous one remains active, ensuring continuous operation of your applications. You can manage these secrets programmatically via API or through the Visual Studio App page UI.

As part of ongoing security improvements, Azure DevOps OAuth is scheduled for deprecation in 2026. We encourage you to migrate to Microsoft Entra ID OAuth for improved security features and longer-term investment. In the interim, we recommend regularly rotating your secrets using our new overlapping secrets feature.

Deprecation of Languages statistics tags from the Project Summary page

In the coming weeks, we'll be deprecating the Languages statistics tags from the Project Summary page. Removing these tags will help optimize performance, resulting in faster load times and a more responsive interface.

The update will occur automatically, with no action required on your part.

Screenshot of tags being removed.

Delivery Plans permission added

As part of our ongoing security enhancements, we’ve introduced a new Manage Delivery Plans project-level permission. This change was implemented to prevent unintentional read/write access for users in the Readers group.

Screenshot of manage delivery plans.

GitHub Advanced Security for Azure DevOps

Security overview risk page enhanced with new columns and filtering options

Under the Risk tab, you'll find newly added columns displaying new, fixed, and dismissed security alerts across your organization. We’ve added filtering options to refine results by project, tool (secrets, dependencies, or code scanning results), and a time-based filter to define search boundaries.

Additionally, applying a filter adds a URL query parameter, enabling you to share the pre-filtered view with others in your organization.

Screenshot of Security overview risk page.

Multi-repository publishing scenarios supported for GitHub Advanced Security for Azure DevOps

Previously, when a pipeline definition was housed in one repository and the source code to be scanned by GitHub Advanced Security was in another, results were processed and submitted to the wrong repository. Instead of publishing alerts to the repository with the source code, they appeared in the repository where the pipeline was defined.

Now, both dependency scanning and code scanning correctly route alerts to the repository containing the scanned source code in multi-repository scenarios.

To enable this feature, set the pipeline environment variable advancedsecurity.publish.repository.infer: true to infer the repository to publish from the repository in the working directory.

Alternatively, if you don't explicitly check out a repository or use an alias to check out your repository, utilize the variable advancedsecurity.publish.repository: $[ convertToJson(resources.repositories['YourRepositoryAlias']) ] instead.

YAML code snippet:

  trigger:
  - main

resources:
  repositories:
    - repository: BicepGoat
      type: git
      name: BicepGoat
      ref: refs/heads/main
      trigger:
        - main

jobs:
  # Explicit - `advancedsecurity.publish.repository` explicitly defines the repository to submit SARIF to.
  - job: "AdvancedSecurityCodeScanningExplicit"
    displayName: "🛡 Infrastructure-as-Code Scanning (Explicit)"
    variables:
      advancedsecurity.publish.repository: $[ convertToJson(resources.repositories['BicepGoat']) ]
    steps:
      - checkout: BicepGoat
      - task: TemplateAnalyzerSarif@1
        displayName: Scan with Template Analyzer
      - task: AdvancedSecurity-Publish@1
        displayName: Publish to IaC Scanning Results to Advanced Security


  # Infer - `advancedsecurity.publish.repository.infer` specifies that the `AdvancedSecurity-Publish` must
  # infer repository to submit SARIF to from the working directory on the build agent.
  - job: "AdvancedSecurityCodeScanningInfer"
    displayName: "🛡 Infrastructure-as-Code Scanning (Infer)"
    variables:
      advancedsecurity.publish.repository.infer: true
    steps:
      - checkout: BicepGoat
      - task: TemplateAnalyzerSarif@1
        displayName: Scan with Template Analyzer
      - task: AdvancedSecurity-Publish@1
        displayName: Publish to IaC Scanning Results to Advanced Security

Service hooks for GitHub Advanced Security for Azure DevOps alerts (preview)

You can now configure service hooks for GitHub Advanced Security alert events, including:

  • New alert created
  • Alert data changed
  • Alert state changed

Just like other repository events, you can filter by repository and branch. For alerts specifically, you can filter by alert type (dependencies, code scanning, or secrets) and alert severity.

Screenshot of filter by alert type .

To participate in the preview, fill out the preview interest form or send us an email!

pnpm v9 support comes to GitHub Advanced Security for Azure DevOps dependency scanning

With pnpm v8 reaching end-of-life at the end of April, the next dependency scanning update will include support for pnpm v9. This update is in response to your Developer Community request for pnpm v9 support.

Azure Pipelines

Hosted image updates

We’re rolling out updates to keep Azure Pipelines’ hosted agents secure and current. These updates include adding support for Ubuntu-24.04, Windows 2025 images, and macOS-15 Sequoia, while deprecating older images like Ubuntu-20.04 and Windows Server 2019.

For more details, please visit our blog post.

macOS-15 Sequoia is generally available

The macOS-15 image will be available on Azure Pipelines hosted agents starting April 1. To use this image, update your YAML file to include vmImage:'macos-15':

- job: macOS15
  pool:
    vmImage: 'macOS-15'
  steps:
  - bash: |
      echo Hello from macOS Sequoia
      sw_vers

For macOS-15 installed software, see image configuration.

The macOS-14 image will still be used when specifying macOS-latest. We'll update macOS-latest to use macOS-15 in April.

Windows-2025 image is available in preview

The windows-2025 image is now available in preview for Azure Pipelines hosted agents. To use this image, update your YAML file to include vmImage:'windows-2025':

- job: win2025
  pool:
    vmImage: 'windows-2025'
  steps:
  - pwsh: |
      Write-Host "(Get-ComputerInfo).WindowsProductName"
      Get-ComputerInfo | Select-Object WindowsProductName
      Write-Host "`$PSVersionTable.OS"
      $PSVersionTable.OS

For Window Server 2025 installed software, see image configuration.

The ubuntu-latest pipeline image will start using ubuntu-24.04

In the coming weeks, pipeline jobs specifying ubuntu-latest will start using ubuntu-24.04 instead of ubuntu-22.04.

For guidance on tasks that use tools that are no longer on the ubuntu-24.04 image, see our blog post. To keep using Ubuntu 22.04, use the ubuntu-22.04 image label:

- job: ubuntu2404
  pool:
    vmImage: 'ubuntu-24.04'
  steps:
  - bash: |
      echo Hello from Ubuntu 24.04
      lsb_release -d
  - pwsh: |
      Write-Host "`$PSVersionTable.OS"
      $PSVersionTable.OS

The ubuntu-20.04 pipeline image is deprecated and will be retired April 1

We're deprecating support for the Ubuntu 20.04 image in Azure Pipelines because it will reach its end of support soon. Find the deprecation plan with brownout schedule in our blog post.

Workload identity federation uses Entra issuer

Just over a year ago, we made Workload identity federation generally available. Workload identity federation allows you to configure a service connection without a secret. The identity (App registration, Managed Identity) underpinning the service connection can only be used for the intended purpose: the service connection configured in the identity's federated credential.

We're now changing the format of the federated credential for new Azure and Docker service connections. Existing service connections will work as before.

  Azure DevOps issuer Entra issuer (new service connections)
Issuer https://vstoken.dev.azure.com/<organization id> https://login.microsoftonline.com/<Entra tenant id>/v2.0
Subject sc://<organization name>/<project name>/<service connection name> <entra prefix>/sc/<organization id>/<service connection id>

There's no change in configuration and the way tokens are obtained stays the same. Pipeline tasks don't need to be updated and work as before.

The steps to create a service connection aren't changing and in most cases, the new issuer isn't visible. When configuring an Azure service connection manually, you'll see the new federated credentials displayed:

Screenshot of FIC example.

Copy these values as before when creating a federated credential for an App registration or Managed Identity.

Automation

When creating a service connection in automation with the REST API, use the federated credential returned by the API:

authorization.parameters.workloadIdentityFederationIssuer
authorization.parameters.workloadIdentityFederationSubject

Likewise, when creating a service connection with the Terraform azuredevops provider, the azuredevops_serviceendpoint_azurerm resource returns workload_identity_federation_issuer and workload_identity_federation_subject attributes.

More information

Gradle@4 task

A new Gradle@4 task has been created with support for Gradle 8.0. The built-in code coverage option is removed from the Gradle task starting with Gradle@4. To use code coverage with Gradle in your pipeline:

Configuration of the SonarQube analysis was moved to the SonarQube or SonarCloud extensions in the task Prepare Analysis Configuration.

Identity of user who requested a stage to run

To improve security of your YAML pipelines, you may wish to know who requested a stage to run. To address this need, were adding two new predefined variables, Build.StageRequestedBy and Build.StageRequestedById. These variables are similar to the Build.RequestedFor and Build.RequestedForId variables, but for a stage, not a run.

When a user explicitly triggers a user, for example, in case of a manually triggered stage or rerunning a stage, their identity is used to fill in the two variables.

Test Plans

Publish code coverage results v2 task improvements

With this release we're including several improvements to the v2 task:

  • Expanded support for various code coverage formats, including: .coverage,.covx,.covb,.cjson,.xml,.lcov, and pycov1.
  • Generation of a comprehensive cjson file (and a Code Coverage report) that contains detailed code coverage information such as file names, lines covered/not covered, etc.

Screenshot of code coverage.

  • Support for diff coverage (PR coverage): v2 can generate diff coverage PR comments for multiple languages within the same pipeline.
  • v2 task now supports the Build Quality Check task, which wasn't supported in v1 task.

Export test cases with custom columns in XLSX

You can now export test cases with custom columns in XLSX. Based on your feedback, Test Plans supports exporting test cases with custom columns, giving you greater flexibility and control over the data you share and analyze. This enhancement helps you tailor exports to your needs, ensuring the information you export is relevant and actionable.

Next steps

Note

These features will roll out over the next two to three weeks.

Head over to Azure DevOps and take a look.

Go to Azure DevOps

How to provide feedback

We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

Make a suggestion

You can also get advice and your questions answered by the community on Stack Overflow.

Thanks,

Silviu Andrica