Azure DevOps vs GitHub: what’s the best tool for DevSecOps?

Jun 16, 2022

If building cyber resilience is high on your list of priorities, you’ve probably heard about DevSecOps. Making this approach to security manageable, however, requires high levels of automation for testing and validation. Currently, Microsoft offers two powerful tools for developers to easily automate security processes: Azure DevOps and GitHub. But which one should you choose? And do you really have to?

For most of its history, Microsoft has been firmly opposed to open-source software. That officially changed in 2018, when current Microsoft CEO Satya Nadella decided to acquire GitHub for 7.5 million dollars. Back then, the open-source code repository had over 28 million users. Now, that number has gone up to 73 million.

Microsoft already offered a similar service that enables developers to collaborate on projects and build and deploy applications: Azure DevOps, formerly known as Team Foundation Server (TFS) and Visual Studio Team System (VSTS). So which one is the right fit for your DevSecOps project? 


Raised differently 

Let’s take a look at the main differences first. Rooted firmly in Microsoft’s tradition, Azure DevOps is geared more towards closed-source projects. And while it’s open-source friendly, it doesn’t go nearly as far as GitHub. Where Azure DevOps definitely takes the cake, however, is in its comprehensiveness. The platform covers the entire software development lifecycle, including, for example, tools for project management and release management. It even includes native support for scrum and Kanban boards, customizable dashboards and integrated reporting.

GitHub, on the other hand, is currently the most popular code hosting platform on the web thanks to its powerful social and collaboration features: users can easily share ideas, work together, and even fork projects for experimentation and specialization. And while the platform is focused on open source development, users can switch between public and private modes. 

GitHub loves DevSecOps

What’s more, when it comes to supporting DevSecOps, GitHub has a serious advantage over Azure DevOps. Direct code scanning, for example, automatically checks code for vulnerabilities, plaintext passwords, encryption keys and other ‘secrets’ or potential issues. The feature also prevents developers from introducing new problems and enables users to track dependencies and receive security alerts. In other words, GitHub comes with DevSecOps capabilities baked in. 

Doing the same in Azure DevOps is possible as well. However, you’ll need to integrate with third-party tools. So, what if you’re an existing Azure DevOps user, with projects that require advanced planning, but still want to set up solid tooling for your DevSecOps framework? Luckily, there is a third option: combining Azure DevOps with GitHub.

Why not both?

Microsoft has ensured that both of its DevOps solutions work exceptionally well together. As a result, you can use code from GitHub to trigger pipelines in Azure DevOps. Or take full advantage of Azure DevOps project management, sprint planning and authentication features and have your code in GitHub. 

Since each tool’s strengths are pretty well-defined, working with both at the same time won’t add a lot of complexity. Project managers will naturally gravitate towards Azure DevOps, while developers will appreciate what GitHub brings to the table. In fact, junior developers on the team have likely been brought up with GitHub, and have probably already used it in their personal lives.

To switch or not to switch?

At delaware, we prefer to do new projects – especially DevSecOps projects – in GitHub. However, we’re also well aware that Azure DevOps is still widely used by a lot of our customers. Our advice is to carefully map your requirements over each solution’s strengths. For projects that require a lot of advanced project management, Azure DevOps is arguably still the best choice – for the time being. But even then, adding GitHub to your existing stack could be the best way forward. 

Making the switch to GitHub is also relatively easy. As with any IT project, you’ll need to think some things through in advance. How are we going to handle naming and rights? What about project management and repos? That’s not a lot of work per se, but failing to consider these things can result in unexpected drawbacks. Needless to say, we’re always available to help customers make an informed decision.

Open source is the future

It’s no secret that Microsoft’s attention is currently primarily focused on GitHub. As a result, a lot of features that were once unique to Azure DevOps, like workflow management and test plans, are being added to GitHub as well. That means it’s likely that we’ll move to a one-tool solution in the near future. GitHub has recently even gained its own powerful editor, GitHub Codespaces, enabling developers to write code live in the cloud. For people who are used to working in Visual Studio Code, the layout will be immediately familiar.

All of which is to say that, even if Azure DevOps is the best fit for your organization right now and you want to keep getting value out of your current investment, keeping a close eye on GitHub is always a good idea. Not only does the tool come with a lot of advantages, it’s also the place where innovation is happening. Where possible, allow your teams to experiment and learn with GitHub. Think of it as an electric car: the diesel version will still get you from A to B reliably, but sooner or later you’ll probably have to make the switch either way. 

However, a full phase-out of Azure DevOps seems unlikely in the short term. Microsoft has a solid track record of continuing to support its older solutions. Given Azure DevOps’ merits and the number of users that continue to rely on it, both solutions are likely to coexist for many years to come.
