Azure DevOps Integration

Connect your Azure DevOps organization to PGP for automated repository discovery, secret scanning, and security finding management.

Written By Dan Crawford

Last updated about 15 hours ago

Standalone PAT Integration — This method uses a Personal Access Token and is intended for customers who need Azure DevOps repository scanning without a full Azure cloud integration. PATs are less secure than Azure Entra ID (formerly Azure AD) authentication because they are long-lived static credentials that must be manually rotated. The preferred approach is to integrate Azure DevOps through the Azure cloud integration, which uses Entra ID for automatic token management and also provides full cloud security assessment of your Azure environment. If you have already connected your Azure cloud account, you only need to add the user_impersonation permission to the API Permissions of the app registration in Entra ID — no separate PAT is needed.

Overview

The Azure DevOps integration enables Praetorian Guard Platform (PGP) to connect to your Azure DevOps organization, automatically discover your Git repositories, and scan them for hardcoded secrets and credentials.

What PGP Does With This Integration

Once connected, PGP performs the following automated security operations against your Azure DevOps environment:

Repository Discovery

PGP enumerates all projects and Git repositories within your Azure DevOps organization (or a specific project, if scoped). Forked and disabled repositories are automatically filtered out to reduce noise. Each discovered repository is tracked as an asset in your PGP attack surface inventory.

Secret & Credential Scanning

Discovered repositories are cloned and scanned using Titus, Praetorian’s high-performance credential detection engine. Titus includes 459+ detection rules that identify:

  • API keys and authentication tokens

  • Database credentials and connection strings

  • Cloud platform credentials (AWS, GCP, Azure)

  • CI/CD system secrets

  • Private keys and certificates

  • Service-specific secrets (Stripe, Twilio, SendGrid, etc.)

Titus scans both current source code and Git commit history, so secrets that were committed and later removed are still detected. When a secret is found, PGP creates a Risk with detailed evidence including the rule name, file path, commit hash, author information, and a code snippet showing the match in context.

Work Item Ticketing (Optional)

If configured with additional permissions, PGP can automatically create Azure DevOps Work Items (Bugs, Tasks, etc.) for discovered security findings. Work items include:

  • A direct link back to the finding in PGP

  • Impacted assets

  • Severity rating (Critical, High, Medium, Low)

  • Evidence and reproduction steps

PGP continuously syncs work item status — when a work item is marked as “Closed”, “Resolved”, or “Done” in Azure DevOps, the corresponding risk is automatically updated in PGP.

Setup Guide

Step 1: Create a Personal Access Token (PAT)

  1. Sign in to your Azure DevOps organization at https://dev.azure.com/{your_organization}.

  2. Click your profile icon in the top right, then select Personal access tokens under User Settings.

  3. Click + New Token.

  4. Configure the token:

    • Name: Give it a descriptive name (e.g., “PGP Integration”).

    • Organization: Select the organization you want to integrate.

    • Expiration: Set an appropriate expiration date. You’ll need to rotate this token before it expires.

    • Scopes: Select the permissions based on your use case (see below).

  5. Click Create and copy the token immediately — it won’t be shown again.

For full details on PAT management, see Microsoft’s PAT documentation.

Permissions for Repository Scanning Only

If you only need PGP to discover and scan your repositories for secrets:

  Scope              Permission   Purpose
  Code               Read         Clone and scan repositories
  Project and Team   Read         List projects and repositories

Permissions for Repository Scanning + Work Items

If you also want PGP to create and track Azure DevOps work items for security findings:

  Scope              Permission     Purpose
  Code               Read           Clone and scan repositories
  Project and Team   Read           List projects and repositories
  Work Items         Read & Write   Create and update work items for findings

Step 2: Connect in PGP

  1. Navigate to the Integrations page in PGP.

  2. Find the Azure DevOps integration card.

  3. Click Try an alternative authentication method.

  4. Enter your Azure DevOps URL:

    • Organization-level: https://dev.azure.com/{your_organization} — scans all projects and repos in the org.

    • Project-level: https://dev.azure.com/{your_organization}/{your_project} — scans only repos within that specific project.

  5. Paste your Personal Access Token.

  6. Click Connect.

PGP will validate your credentials by testing API access against your organization, then begin discovering repositories automatically.
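To make the discovery step concrete, here is an added example (not PGP's own code) that models what the integration does with the URL and PAT you supply: it parses the organization- or project-scoped URL from Step 2, builds the HTTP Basic header Azure DevOps expects for a PAT, enumerates projects and Git repositories through the public REST API, and drops forks and disabled repositories as described under Repository Discovery. The organization, project and repository names in the sample responses are constructed, and the fetcher is injected so the logic runs offline.

```python
import base64
from urllib.parse import urlparse

API_VERSION = "7.1"

def parse_ado_url(url):
    """Return (organization, project or None) for the two URL forms PGP accepts."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.netloc != "dev.azure.com" or not parts:
        raise ValueError("expected https://dev.azure.com/{org}[/{project}]")
    return parts[0], (parts[1] if len(parts) > 1 else None)

def pat_auth_header(pat):
    """Azure DevOps accepts a PAT as the HTTP Basic password with an empty username."""
    return {"Authorization": "Basic " + base64.b64encode(f":{pat}".encode()).decode()}

def scannable(repo):
    """The noise filter described above: forks and disabled repositories are skipped."""
    return not repo.get("isFork", False) and not repo.get("isDisabled", False)

def discover_repos(url, fetch_json):
    """List scannable repos as 'project/repo' for an org- or project-scoped URL.
    fetch_json(url) -> parsed JSON is injected; a live fetcher would send pat_auth_header."""
    org, project = parse_ado_url(url)
    base = f"https://dev.azure.com/{org}"
    if project:
        projects = [project]
    else:
        resp = fetch_json(f"{base}/_apis/projects?api-version={API_VERSION}")
        projects = [p["name"] for p in resp["value"]]
    found = []
    for name in projects:
        resp = fetch_json(f"{base}/{name}/_apis/git/repositories?api-version={API_VERSION}")
        found += [f"{name}/{r['name']}" for r in resp["value"] if scannable(r)]
    return found

# Constructed sample responses (REST schema shape, invented names) so this runs offline.
SAMPLE = {
    "https://dev.azure.com/contoso/_apis/projects?api-version=7.1":
        {"value": [{"name": "Payments"}, {"name": "Web"}]},
    "https://dev.azure.com/contoso/Payments/_apis/git/repositories?api-version=7.1":
        {"value": [{"name": "api"}, {"name": "api-fork", "isFork": True}]},
    "https://dev.azure.com/contoso/Web/_apis/git/repositories?api-version=7.1":
        {"value": [{"name": "site"}, {"name": "legacy", "isDisabled": True}]},
}

def offline_fetch(url):
    return SAMPLE[url]
```

Running `discover_repos("https://dev.azure.com/contoso", offline_fetch)` yields only `Payments/api` and `Web/site`; the fork and the disabled repository are filtered out, and the project-scoped URL limits discovery to that one project.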

Best Practices

  • Use project-scoped URLs if you only need to monitor specific projects, rather than the entire organization.

  • Set short token expiration and rotate regularly. Weekly or monthly is recommended by Microsoft.

  • Start with read-only permissions (Code: Read) and add Work Items permissions later if needed.

  • Use a service account rather than a personal account for the PAT, so the integration isn’t disrupted by personnel changes.

Troubleshooting

  Issue                              Solution
  Azure DevOps token not available   Your PAT may have expired. Generate a new one and reconnect.
  No repositories discovered         Verify the PAT has Code: Read scope and the URL is correct.
  Work items not being created       Ensure the PAT has Work Items: Read & Write scope.
  Rate limiting errors               PGP respects Azure DevOps rate limits with automatic retry logic. If the errors persist, check your organization's rate limit policies.