You’re definitely not alone — GitHub Advanced Security and Azure DevOps don’t offer the same level of features, even though they’re both Microsoft tools. GitHub’s security tooling, especially secret scanning and SAST, is more mature at this point. That “scan for generic passwords” option you mentioned is one of many features that just don’t exist in Azure DevOps yet.

We tested this ourselves — same repo in both platforms, and GitHub consistently flagged more secrets and potential issues. Azure DevOps, while functional, feels a bit behind and lacks the configurability GitHub has. From what I’ve seen, Microsoft isn’t aiming for full feature parity — they seem to treat the two as separate ecosystems.

The real challenge is maintaining consistency when your codebases live in both platforms. Right now, we’re handling it by adding an extra layer of scanning into our CI/CD pipelines, separate from what the platforms provide. That way, we get uniform results no matter where the repo lives.

So yeah — it’s not just a delay or a settings issue. The platforms are genuinely different. If consistent security checks matter, it’s worth building a layer of abstraction yourself, or using tools that don’t depend on the platform's native features.