Get alerts from GitHub Advanced Security for Azure DevOps

Rob Bos
by Rob Bos
31 Oct, 2023
Xebia Background Header Wave

GitHub Advanced Security for Azure DevOps (GHAzDo) builds on top of the functionality for GitHub Advanced Security and is giving you extra security tools to embed into your developer way of working. It’s a great way to get started with security in your Azure Pipelines and Azure repos and I’ve written about it before in this blogpost.

Loading the alerts from the API’s

Before starting with the Advanced Security API’s you’ll need to get the ID for the repository you are working with. You’ll need to have the project name and the repository name itself. With that you can make this API call:<PROJECT NAME>/_apis/git/repositories?api-version=7.1-preview.1

It will return you the list of repos the token you are using has access to. The repo object will look like this:

  "id": "5e5195e1-1b44-4d4b-9310-5d33ee2c4dc",
  "name": "eShopOnWeb",
  "url": "",
  "project": {
    "id": "3651f6f0-74e5-48d7-8ff9-d62ae2464b1",
    "name": "GHAzDo trial",
    "url": "",
    "state": "wellFormed",
    "revision": 141,
    "visibility": "private",
    "lastUpdateTime": "2023-07-26T18:51:26.227Z"
  "defaultBranch": "refs/heads/main",
  "size": 62610330,
  "remoteUrl": "",
  "sshUrl": "",
  "webUrl": "",
  "isDisabled": false,
  "isInMaintenance": false


From this you need the “id” field of the response. That can then be injected into the next API call:<PROJECT NAME>/<REPO NAME>/_apis/AdvancedSecurity/repositories/<REPO ID>/alerts?top=50&orderBy=severity&alertType=3&ref=refs/heads/main&states=1

The filtering options determine the response you will get back:

topThe number of alerts you want to get back.
orderByThe field you want to order the results by.
criteria.alertTypeThe type of alert you want to get back. 1 = Dependency, 2 = Secrets, 3 = Code scanning
criteria.refThe branch you want to get the alerts for, only needed when looking at code scanning alerts
criteria.statesThe state of the alerts you want to get back. 1 = Open, 2 = Closed


You can also leave the alertType away from the url to get all alerts in one go. Do be aware that it will result in a different value for the alertType in the response, instead of the numbers listed in the table above:

  • code: Code scanning alerts
  • secret: Secret scanning alerts
  • dependency: Dependency alerts
Rob Bos
Rob has a strong focus on ALM and DevOps, automating manual tasks and helping teams deliver value to the end-user faster, using DevOps techniques. This is applied on anything Rob comes across, whether it’s an application, infrastructure, serverless or training environments. Additionally, Rob focuses on the management of production environments, including dashboarding, usage statistics for product owners and stakeholders, but also as part of the feedback loop to the developers. A lot of focus goes to GitHub and GitHub Actions, improving the security of applications and DevOps pipelines. Rob is a Trainer (Azure + GitHub), a Microsoft MVP and a LinkedIn Learning Instructor.

Get in touch with us to learn more about the subject and related solutions

Explore related posts