Azure DevOps

Connect your Azure DevOps organization to the Praetorian Guard Platform (PGP) for automated repository discovery, secret scanning, and security finding management.

Overview

The Azure DevOps integration connects your source code management and project tracking infrastructure to the Praetorian Guard Platform (PGP). It automatically discovers Git repositories across your Azure DevOps organization, imports them as assets in your attack surface inventory, and enables secret scanning to detect credentials committed to source code. Optionally, it also creates and syncs Work Items in Azure DevOps from PGP risk findings, closing the loop between discovery and remediation tracking.

This is especially valuable for organizations using Azure DevOps as their primary development platform. Rather than manually inventorying which repositories exist and whether they've been scanned for secrets, the integration continuously enumerates your repos — including across multiple projects — and feeds them into PGP's scanning pipeline. If you also enable Work Item tracking, your developers receive actionable tickets directly in Azure DevOps when PGP discovers risks.


What the Integration Does

The integration has two independent capabilities that can be configured separately:

Repository Discovery and Secret Scanning

PGP enumerates all projects and Git repositories within your Azure DevOps organization (or a specific project, if scoped). Forked and disabled repositories are automatically filtered out. Each discovered repository is tracked as an asset in your PGP attack surface inventory.

Once discovered, repositories are automatically scanned by PGP's security capabilities:

  • Titus (github.com/praetorian-inc/titus) — Praetorian's high-performance credential detection engine with 459+ detection rules. Titus scans both current source code and Git commit history, so secrets that were committed and later removed are still detected. Runs automatically on all discovered repositories.

  • Constantine — LLM-powered source code vulnerability analysis that goes beyond credential detection to identify application-level security issues. Available on-demand for deeper analysis of specific repositories.

This capability is read-only — PGP clones and scans repositories but never modifies code, branches, or settings in Azure DevOps.

You can scope the integration at three levels:

  • Organization-wide: https://dev.azure.com/{org} — scans all projects and their repositories

  • Single project: https://dev.azure.com/{org}/{project} — scans only repositories in that project

  • Single repo: https://dev.azure.com/{org}/{project}/_git/{repo} — scans one specific repository
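The three scope levels above are distinguished purely by the URL path. The parser below is an added example (not PGP's own code) that resolves a configured URL to its scope and rejects the legacy visualstudio.com form mentioned under Troubleshooting; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlparse


@dataclass(frozen=True)
class DevOpsScope:
    org: str
    project: Optional[str] = None
    repo: Optional[str] = None

    @property
    def level(self) -> str:
        """'organization', 'project' or 'repo', matching the three scope levels."""
        if self.repo:
            return "repo"
        if self.project:
            return "project"
        return "organization"


def parse_scope(url: str) -> DevOpsScope:
    """Resolve a dev.azure.com URL to org / project / repo scope.

    Raises ValueError for legacy *.visualstudio.com hosts, non-HTTPS schemes
    or malformed paths (the conditions behind "Invalid Azure DevOps URL").
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or parsed.netloc.lower() != "dev.azure.com":
        raise ValueError(f"Invalid Azure DevOps URL: {url} (expected https://dev.azure.com/{{org}}...)")
    # Project and repo names may be URL-encoded (e.g. "My%20Project").
    parts = [unquote(p) for p in parsed.path.split("/") if p]
    if len(parts) == 1:
        return DevOpsScope(org=parts[0])
    if len(parts) == 2:
        return DevOpsScope(org=parts[0], project=parts[1])
    if len(parts) == 4 and parts[2] == "_git":
        return DevOpsScope(org=parts[0], project=parts[1], repo=parts[3])
    raise ValueError(f"Invalid Azure DevOps URL: {url}")


def is_valid_scope_url(url: str) -> bool:
    """Convenience check for configuration validation."""
    try:
        parse_scope(url)
        return True
    except ValueError:
        return False
```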

Work Item Tracking (Optional, Separate Integration)

PGP can create Azure DevOps Work Items (Bugs, Tasks, Issues, or any type supported by your project) from discovered risks. Each work item includes the risk name, a rich HTML description with a link back to PGP, impacted assets, evidence, proof artifacts, and a severity mapping:

PGP Severity    Azure DevOps Severity
Critical        1 - Critical
High            2 - High
Medium          3 - Medium
Low / Info      4 - Low

You can configure templates with different projects and work item types, enable auto-creation above a severity threshold, and PGP will sync work item status (Active, Resolved, Closed, Done) back automatically.
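The following is an added example (not PGP's or Azure DevOps' product code) of the severity mapping, the auto-create threshold check, the JSON Patch body that the Azure DevOps work item creation endpoint expects, and the state filter used for status sync. It assumes the evidence fragment is already trusted HTML produced by PGP, and escapes the risk name and link before placing them in the description; the field reference names are Azure DevOps' own.

```python
import html
from typing import Optional

# PGP severity -> Microsoft.VSTS.Common.Severity value, per the mapping table above.
# (Severity is a Bug field in the Agile/Scrum/CMMI processes; other work item types may omit it.)
SEVERITY_MAP = {"critical": "1 - Critical", "high": "2 - High",
                "medium": "3 - Medium", "low": "4 - Low", "info": "4 - Low"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SYNCED_STATES = {"Active", "Resolved", "Closed", "Done"}


def map_severity(pgp_severity: str) -> str:
    try:
        return SEVERITY_MAP[pgp_severity.lower()]
    except KeyError:
        raise ValueError(f"unknown PGP severity: {pgp_severity!r}") from None


def should_auto_create(pgp_severity: str, threshold: str) -> bool:
    """True when a risk is at or above the template's auto-create threshold."""
    return SEVERITY_RANK[pgp_severity.lower()] >= SEVERITY_RANK[threshold.lower()]


def build_work_item_patch(title: str, pgp_severity: str, evidence_html: str,
                          pgp_link: str) -> list[dict]:
    """JSON Patch body for POST /{org}/{project}/_apis/wit/workitems/${type}?api-version=7.1,
    sent with Content-Type: application/json-patch+json. The risk name and link are
    HTML-escaped before they land in the rich-text description field."""
    description = (f"<h3>{html.escape(title)}</h3>{evidence_html}"
                   f'<p><a href="{html.escape(pgp_link, quote=True)}">Open in PGP</a></p>')
    return [
        {"op": "add", "path": "/fields/System.Title", "value": title},
        {"op": "add", "path": "/fields/System.Description", "value": description},
        {"op": "add", "path": "/fields/Microsoft.VSTS.Common.Severity",
         "value": map_severity(pgp_severity)},
    ]


def synced_state(work_item: dict) -> Optional[str]:
    """Read System.State from a GET /{org}/_apis/wit/workitems/{id} response;
    only the states PGP tracks are returned, anything else yields None."""
    state = work_item.get("fields", {}).get("System.State")
    return state if state in SYNCED_STATES else None
```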

This capability is read-write — PGP creates and updates Work Items in your Azure DevOps projects.


Prerequisites

Before setting up the integration, you need:

  • An Azure DevOps organization accessible at https://dev.azure.com/{org}

  • Authentication credentials — either an Azure cloud integration (Entra ID) or a Personal Access Token (PAT)

  • Network connectivity between PGP and Azure DevOps (typically no issues since Azure DevOps is cloud-hosted)

Authentication Methods

PGP supports two authentication methods for Azure DevOps. Both are available for repository scanning and work item tracking.

Azure Cloud Integration (Recommended)

Uses your existing Azure cloud integration with Entra ID (formerly Azure AD) for automatic token rotation. PGP performs an OAuth token exchange using the service principal from your Azure integration. This is more secure because credentials are managed through Azure's identity platform and automatically rotated.

Setup requirement: The service principal must be added as a user in Azure DevOps. Go to Organization Settings > Users, add the Application ID (from your Terraform output), and grant Basic access level.

Personal Access Token (PAT)

Uses a static PAT for authentication. Simpler to set up, but PATs are long-lived static credentials that must be manually rotated.

Required PAT scopes:

Capability             Required Scopes
Repository scanning    Code (Read), Project and Team (Read)
Work item tracking     Work Items (Read & Write), Project and Team (Read)

To create a PAT: In Azure DevOps, click your profile icon > Personal access tokens > + New Token. Select the required scopes and set an expiration. For details, see Microsoft's PAT documentation.


Setup

Repository Scanning

Via Azure Cloud Integration

  1. Ensure you have an existing Azure cloud integration configured in PGP.

  2. Add the service principal to Azure DevOps: in your Azure DevOps organization, go to Organization Settings > Users, add the Application ID, and grant Basic access.

  3. In PGP, navigate to Integrations > Source Code Managers > Azure DevOps.

Field                       Required   Description
Azure Cloud Integration     Yes        Select your Azure cloud integration from the dropdown for Entra ID authentication
Organization/Project URL    Yes        Your Azure DevOps URL (e.g., https://dev.azure.com/your-org or https://dev.azure.com/your-org/your-project)

  4. Click Connect. PGP validates access by listing projects in your organization.

Via PAT

  1. In PGP, navigate to Integrations > Source Code Managers > Azure DevOps and click Use a Personal Access Token instead.

Field                       Required   Description
Organization/Project URL    Yes        Your Azure DevOps URL (e.g., https://dev.azure.com/your-org)
Personal Access Token       Yes        PAT with Code (Read) and Project and Team (Read) scopes

  2. Click Connect. PGP validates the PAT by listing projects.

Work Item Tracking

Via Azure Cloud Integration

  1. In PGP, navigate to Integrations > IT Service Management > Azure DevOps Work Items.

Field                       Required   Description
Azure Cloud Integration     Yes        Select your Azure cloud integration from the dropdown
Organization URL            Yes        Your Azure DevOps organization URL (e.g., https://dev.azure.com/your-org)

  2. Click Connect, then configure a template:

  • Select a Project from the dropdown (populated dynamically)

  • Select a Work Item Type (Bug, Task, Issue, etc. — populated based on project)

  • Optionally enable auto-create with a severity threshold

Via PAT

  1. In PGP, navigate to Integrations > IT Service Management > Azure DevOps Work Items and click Use a Personal Access Token instead.

Field                   Required   Description
Organization URL        Yes        Your Azure DevOps organization URL
Personal Access Token   Yes        PAT with Work Items (Read & Write) and Project and Team (Read) scopes

  2. Click Connect, then configure a template (same as above).


What Data Is Synced

Repositories to PGP Assets (Read-Only)

  • All active, non-fork Git repositories in the configured scope are imported as repository assets

  • Each asset includes the repository name, web URL, default branch, and project association

  • Forked and disabled repositories are automatically excluded

  • On subsequent runs, PGP reconciles the current state — new repositories are added, removed ones are detected

  • Up to 25 scan operations run concurrently per project
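As an added example (my own code, not PGP's implementation), the block below applies the filtering and reconciliation rules listed above to a constructed response in the shape returned by the Git repositories endpoint, and follows the continuation-token pagination the projects endpoint uses; the `fetch_page` callback is an assumption standing in for the real HTTP call.

```python
import json

# Constructed sample in the shape of GET /{org}/{project}/_apis/git/repositories?api-version=7.1,
# trimmed to the fields used here. `isFork` is only present on forks in real responses.
SAMPLE_REPOS = json.loads("""
{"count": 4, "value": [
 {"name": "billing-api", "webUrl": "https://dev.azure.com/contoso/Platform/_git/billing-api",
  "defaultBranch": "refs/heads/main", "isDisabled": false, "project": {"name": "Platform"}},
 {"name": "billing-api-fork", "webUrl": "https://dev.azure.com/contoso/Platform/_git/billing-api-fork",
  "defaultBranch": "refs/heads/main", "isDisabled": false, "isFork": true, "project": {"name": "Platform"}},
 {"name": "legacy-portal", "webUrl": "https://dev.azure.com/contoso/Platform/_git/legacy-portal",
  "defaultBranch": "refs/heads/master", "isDisabled": true, "project": {"name": "Platform"}},
 {"name": "infra", "webUrl": "https://dev.azure.com/contoso/Platform/_git/infra",
  "defaultBranch": "refs/heads/main", "isDisabled": false, "project": {"name": "Platform"}}
]}
""")


def discover_repositories(response: dict) -> list[dict]:
    """Keep active, non-fork repos and reduce each to the asset fields tracked by PGP."""
    assets = []
    for repo in response.get("value", []):
        if repo.get("isDisabled") or repo.get("isFork", False):
            continue  # forks and disabled repos are never imported as assets
        assets.append({
            "name": repo["name"],
            "web_url": repo["webUrl"],
            # a freshly created, empty repo has no default branch yet, hence the .get()
            "default_branch": repo.get("defaultBranch", "").removeprefix("refs/heads/"),
            "project": repo["project"]["name"],
        })
    return assets


def reconcile(previous_urls: set[str], current: list[dict]) -> tuple[set[str], set[str]]:
    """Diff the last inventory (keyed by web URL) against this run: (added, removed)."""
    now = {asset["web_url"] for asset in current}
    return now - previous_urls, previous_urls - now


def iterate_pages(fetch_page):
    """Follow Azure DevOps continuation tokens. `fetch_page(token)` must return
    (body, next_token), where next_token is taken from the x-ms-continuationtoken
    response header and is None once the last page has been fetched."""
    token, pages = None, []
    while True:
        body, token = fetch_page(token)
        pages.append(body)
        if not token:
            return pages
```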

Work Items from PGP Risks (Read-Write)

  • PGP creates Work Items in the configured Azure DevOps project from risk findings

  • Work items include: title, rich HTML description, severity, impacted assets, evidence, proof artifacts, and a link back to PGP

  • PGP syncs work item status back: Active, Resolved, Closed, and Done states are tracked

  • Comments can be added to existing work items for status updates

  • Multiple templates can be configured for different projects and work item types


Azure DevOps API Endpoints Used

Repository Scanning

Endpoint                                        Purpose
GET /{org}/_apis/projects                       List all projects in the organization (paginated via continuation token)
GET /{org}/_apis/projects/{project}             Get single project details (when project-scoped)
GET /{org}/{project}/_apis/git/repositories     List Git repositories in a project (paginated)

Work Item Tracking

Endpoint                                            Purpose
GET /{org}/_apis/projects                           List projects for template configuration
GET /{org}/{project}/_apis/wit/workitemtypes        List available work item types for a project
POST /{org}/{project}/_apis/wit/workitems/$<type>   Create a new work item
PATCH /{org}/_apis/wit/workitems/{id}               Update an existing work item
POST /{org}/_apis/wit/workitems/{id}/comments       Add a comment to a work item
GET /{org}/_apis/wit/workitems/{id}                 Fetch work item status for sync

All endpoints use API version 7.1 (comments use 7.1-preview.4).


Troubleshooting

"Azure DevOps token not available"
  Cause: For Entra ID, the service principal lacks Azure DevOps API permissions. For PAT, the token may have expired.
  Fix: Verify the service principal has Azure DevOps access in Organization Settings > Users, or generate a new PAT.

No projects found in organization
  Cause: The authenticated user lacks project access.
  Fix: Check permissions in Organization Settings > Users. The service principal or PAT user needs access to at least one project.

"Invalid Azure DevOps URL"
  Cause: URL uses the legacy format or is malformed.
  Fix: The URL must use https://dev.azure.com/{org}. Legacy visualstudio.com URLs are not supported.

No repositories discovered
  Cause: All repos in the project may be forks or disabled.
  Fix: PGP automatically filters forks and disabled repos. Verify the project has active, non-fork repositories.

Work items not being created
  Cause: Insufficient permissions for work item operations.
  Fix: Ensure the PAT has the Work Items (Read & Write) scope, or that the service principal has the appropriate Azure DevOps permissions.

Rate limiting errors
  Cause: Too many concurrent API calls to Azure DevOps.
  Fix: PGP respects Azure DevOps rate limits with automatic retry and exponential backoff (up to 120 seconds). If the errors persist, check your organization's rate limit policies.


Security and Data Handling

  • Repository scanning is read-only — PGP clones repositories for scanning but never pushes code, creates branches, or modifies any repository settings

  • Work item tracking is read-write — PGP creates and updates Work Items in your configured projects, with full audit trail

  • When using Entra ID authentication, credentials are automatically rotated through Azure's identity platform — no static secrets are stored

  • PAT credentials are encrypted at rest and in transit within your PGP deployment

  • Only repository metadata (names, URLs, branches) and work item fields are accessed — PGP does not access Azure DevOps pipelines, build artifacts, or organization settings beyond what is needed for discovery and ticketing

  • PGP uses up to 25 concurrent connections per project during repository enumeration to balance throughput with API courtesy


Best Practices

  • Prefer the Azure Cloud Integration over PAT for automatic credential rotation and stronger security

  • Use project-scoped URLs if you only need to monitor specific projects rather than the entire organization

  • Use a service account for PATs so the integration is not disrupted by personnel changes

  • Set short PAT expiration and rotate regularly if using PAT authentication


Integration category: Source Code Managers / IT Service Management. Data direction: Read-only (repositories), Read-write (work items). Authentication: Azure Entra ID (recommended) or Personal Access Token.