We are looking to replace our expensive tool for SAST scanning (Veracode) with GitHub Advanced Security for Azure DevOps, and the only major issue we have is that we need to be PCI compliant.
It would be great to save money and have tighter integration into CR requests and bug tasks.
Does anyone have any experience with either a functionality in GASAD to support PCI flaws, or something with CodeQL out there to use?
Thanks!
As of now, there seems to be no default feature in GitHub Advanced Security for Azure DevOps that supports PCI scanning, analysis, or alerting.
For this, you may create a feature request via: https://developercommunity.visualstudio.com/report?space=21&entry=suggestion. That will allow you to directly interact with the appropriate Product Group, and make it more convenient for the product group to collect and categorize your suggestions.
Besides, GitHub Advanced Security for Azure DevOps does support using custom queries with CodeQL. However, since we would expect the query to detect sensitive information, it would be best for us to use official tools to avoid liability.