How to turn on GitHub Advanced Security (GHAS) for Azure DevOps for all the repositories and projects with the help of PowerShell or CLI code.?
I have multiple organizations and hundreds of projects in it. When I turn on the GitHub Advanced Security (GHAS) at organization level, it is only ON for the future projects and repos. It will be practically impossible to turn it ON for all the projects and for each repo manually. I can run a cade to extract all the repost from all the project from all the organization. Is there a code that can turn it ON with the help of PowerShell/CLI/Rest-API.
Thanks
Within an Azure DevOps organization, if you want to enable GitHub Advanced Security (GHAS) for all projects and all repositories, you first need to ensure the option "Automatically enable Advanced Security for new projects" is enabled on Organization Settings so that the GHAS feature can be automatically enabled for all the future new projects.
Then you can try with the following ways:
Manually enable from Organization Settings on the web UI.
On the Organization Settings page, click "Enable all".
Then go to check if the option "
Automatically enable Advanced Security for new repositories" is enabled in each of the existing projects, and the GHAS feature is enabled for each of the existing repositories.
If it does not work via manual from web UI, you can try with the related Azure DevOps REST API.
- Use the API "Projects - List" to list all the accessible projects within a specified Azure DevOps organization. From the response of this API, you can get the names and IDs of each project.
- Then in a loop for each project, you can use the API "Project Enablement - Update" to enable the option "
Automatically enable Advanced Security for new repositories" in the project, and enable the GHAS feature for all existing repositories within the project.
To call these API, you need the following permissions:
The Personal Access Token (PAT) should have the following scopes at least.
The user account/identity of the PAT should be a member of the Project Collection Administrators group (PCA) in the Azure DevOps organization. The PCA users can access all projects and manage the settings of GHAS within the organization.
Below is a sample of the PowerShell script to call the related REST API. You can refer to it.
$organization = "xxxx"
$pat = "xxxx"
$base64Token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "", $pat)))
$headers = @{
Authorization = "Basic $base64Token"
"Content-Type" = "application/json"
}
# List projects of the specified Azure DevOps organization.
$uri_list_projects = "https://dev.azure.com/${organization}/_apis/projects?api-version=7.1"
$projects = (Invoke-RestMethod -Method GET -Uri $uri_list_projects -Headers $headers).value | Select-Object -Property id, name
foreach ($project in $projects)
{
$projectName = $project.name
Write-Host "Enabling GitHub Advanced Security for project ($projectName)..."
$uri_update_project_ghas = "https://advsec.dev.azure.com/${organization}/${projectName}/_apis/management/enablement?api-version=7.2-preview.1"
# advSecEnabled: Indicates whether to enable GitHub Advanced Security for all existing repositories within the project.
# blockPushes: Indicates whether to block pushes containing secrets within the project.
# enableOnCreate: Indicates whether to enable the option "Automatically enable Advanced Security for new repositories" within the project.
$body_update_project_ghas = @{
advSecEnabled = $true
blockPushes = $true
enableOnCreate = $true
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method PATCH -Uri $uri_update_project_ghas -Headers $headers -Body $body_update_project_ghas
}
- Is there a way to add the Developer Powershell for VS 2019 as an integrated terminal in VSCode?
- How can I mute/unmute my sound from PowerShell
- PowerShell code returning correct value. However, looking to enhance program by capturing the ID tag listed above the desired value
- PSCommandNotFoundSuggestion message shows without suggestions (PowerShell 7.5)
- Scheduled powershell script not running dot sourced scripts
- How to load the classes in PowerShell module globally?
- PowerShell - Password Generator - How to always include number in string?
- Problem using PowerShell Class contained in module when running Pester test for a different module that utilizes the Class module
- Automated Deployment to an F5 Load Balanced Environment
- [System.Collections.Generic.List[string]] as return value
- How to exclude folders from a recursive list of path\name with Get-ChildItem in Powershell 2.0 (similar to dir /s /b /a-d in DOS)?
- Powershell get case sensitive path as displayed in windows
- A PowerShell Script to install fonts on Windows 11
- Why does a space at the end of a pwsh command launch it as a separate window/process?
- exchange online Get-DistributionGroupMember command not getting Initials
- Suppress receive-job console output when the job uses write-host
- Granting SeServiceLogonRight to a user from PowerShell
- Where to put PowerShell scripts?
- Forcing specific SPN for URL in .Net
- Code to check for Administrator privileges not working on some servers
- Rename-item: Cannot rename because item at ... does not exist
- `Invoke-Conda` cannot catch any arguments after powershell 7.5.0 update
- Toast Notification - Open a web page with specific character on the link
- Fabric-Rest API: why updateFromGit is returning invalid git hash or missing options?
- Does anyone know how to calculate Authenticode File hash in PowerShell?
- WDAC policy doesnt disable
- PowerShell Invoke-WebRequest throws WebCmdletResponseException
- How to restart or shutdown a remote computer with comment from powershell
- how to get a string of a mutable array?
- Powershell Foreach-Object -Parallel how to change the value of a variable outside the loop (track progress)