---
title: Troubleshooting dependency scanning for GitHub Advanced Security for Azure DevOps
titleSuffix: Azure Repos
description: Troubleshooting dependency scanning for GitHub Advanced Security for Azure DevOps
ms.service: azure-devops
ms.subservice: azure-devops-integration
ms.topic: how-to
ms.custom: cross-service
ms.author: laurajiang
author: laurajjiang
monikerRange: azure-devops
ms.date: 02/20/2025
---
Learn how to troubleshoot dependency scanning issues in GitHub Advanced Security for Azure DevOps.
[!INCLUDE github-advanced-security-prerequisites]
If the dependency scanning task completes without flagging any components and fails to generate alerts for components with known vulnerabilities, ensure that you have a package restore step before the `AdvancedSecurity-Dependency-Scanning@1` task.
For example, for a C# (.NET Core) project, here's a sample YAML snippet:

[!div class="tabbedCodeSnippets"]
```yaml
- task: DotNetCoreCLI@2
  displayName: 'Restore NuGet packages'
  inputs:
    command: 'restore'
    projects: '**/*.csproj'
    # If you are using a private package feed such as Azure Artifacts, you will need additional variables.
    # For more information, see https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/dotnet-core-cli-v2?view=azure-pipelines
    feedsToUse: 'select'
    # ...
- task: AdvancedSecurity-Dependency-Scanning@1
```
For a JavaScript project, here's a sample YAML snippet:

[!div class="tabbedCodeSnippets"]
```yaml
- task: Npm@1
  displayName: 'npm install'
  inputs:
    command: 'install'
    workingDir: '$(System.DefaultWorkingDirectory)'
- task: AdvancedSecurity-Dependency-Scanning@1
```
The default time that the dependency scanning task runs before timing out is 300 seconds, or 5 minutes. If the task is timing out before completion, you can set a pipeline variable `DependencyScanning.Timeout`, which expects an integer representing seconds, such as `DependencyScanning.Timeout: 600`. Anything under the default time-out of 300 seconds has no effect.

To use this variable, add `DependencyScanning.Timeout` as a pipeline variable:

[!div class="tabbedCodeSnippets"]
```yaml
- task: AdvancedSecurity-Dependency-Scanning@1
  env:
    DependencyScanning.Timeout: 600
```
If the dependency scanning build task is blocking a successful execution of your pipeline and you need to urgently skip the build task, you can set a pipeline variable `DependencyScanning.Skip: true`.
The dependency scanning build task uses the pipeline identity to call the Advanced Security REST APIs. By default, pipelines in the same project have access to fetch alerts. If you remove those permissions from the build service account or if you have a custom setup, for example, a pipeline hosted in a different project than the repository, grant these permissions manually.

Grant the `Advanced Security: View Alerts` permission to the build service account used in your pipeline, which for project-scoped pipelines is `[Project Name] Build Service ([Organization Name])`, and for collection-scoped pipelines is `Project Collection Build Service ([Organization Name])`.
- Use the pipeline environment variable `advancedsecurity.publish.repository.infer: true` to infer the repository to publish from the repository in the working directory.
- As another option, if you don't explicitly check out a repository or use an alias to check out your repository, utilize the variable `advancedsecurity.publish.repository: $[ convertToJson(resources.repositories['YourRepositoryAlias']) ]`.
For more information, check the release notes.
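As an added example (not from this page or from Microsoft), here is a complete `azure-pipelines.yml` that applies the fixes above together for a .NET Core project: the restore step placed before the scanning task, the time-out raised above the 300-second default, the repository-inference variable set, and the skip variable left ready for an emergency. The trigger branch, agent image, and project glob are placeholder assumptions; putting the inference variable under `variables:` rather than on the task's `env:` is also an assumption.

```yaml
# Added example, not part of the original page. Placeholders: trigger branch,
# agent image, and the project glob; replace them with your own values.
trigger:
- main

pool:
  vmImage: 'windows-latest'

variables:
  # Infer the repository to publish alerts to from the checked-out working directory.
  advancedsecurity.publish.repository.infer: true
  # Emergency escape hatch from the page: uncomment only while a blocking
  # scanner failure is being investigated, then remove it again.
  # DependencyScanning.Skip: true

steps:
# Check out explicitly so the working directory holds the manifest and lock
# files the scanner reads (and so repository inference has something to use).
- checkout: self

# Restore packages BEFORE scanning. Without this step the scanner completes
# without flagging any components and produces no alerts.
- task: DotNetCoreCLI@2
  displayName: 'Restore NuGet packages'
  inputs:
    command: 'restore'
    projects: '**/*.csproj'
    feedsToUse: 'select'

# Scan after the restore. The build service account running this pipeline
# needs the "Advanced Security: View Alerts" permission to fetch alerts.
- task: AdvancedSecurity-Dependency-Scanning@1
  displayName: 'Dependency scanning'
  env:
    # 600 s instead of the 300 s default; values under 300 have no effect.
    DependencyScanning.Timeout: 600
```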