
Azure DevOps Setup

Connect your Azure DevOps repositories to Cloudgeni to enable automated security scanning, pull request reviews, and compliance monitoring for your Infrastructure as Code.

What You'll Get

  • Automatic repository discovery from your Azure DevOps organizations
  • Pull request security reviews with inline comments
  • Service hooks integration for real-time scanning
  • Branch policy integration for security gates

Prerequisites

  • Azure DevOps account with Project Administrator access
  • Repositories containing IaC files (Terraform, Bicep, etc.)
  • Azure DevOps Services (cloud) or Server 2020+

Quick Start

Step 1: Navigate to Integrations

  1. Log in to your Cloudgeni dashboard
  2. Go to Settings → IaC Repositories
  3. Click Connect Git Provider
  4. Select Azure DevOps

Step 2: Authorize Cloudgeni

  1. Click Connect with Azure DevOps
  2. Sign in to your Microsoft account if prompted
  3. Select your Azure DevOps organization
  4. Review and accept the requested permissions
  5. Click Accept
Cloudgeni requests access to read your repositories and post pull request comments.

Step 3: Select Projects and Repositories

  1. After authorization, you’ll see your Azure DevOps projects
  2. Expand projects to see available repositories
  3. Toggle repositories you want to monitor
  4. Click Save Selection

Azure DevOps Server

Configure On-Premises Instance

For Azure DevOps Server (on-premises):
  1. In Cloudgeni, go to Settings → IaC Repositories
  2. Click Connect Git Provider → Azure DevOps
  3. Click Use Azure DevOps Server
  4. Enter your server URL (e.g., https://tfs.yourcompany.com/tfs)
  5. Configure authentication (see below)

Authentication Options

Method            | Best For
OAuth             | Azure DevOps Services (cloud)
PAT               | Azure DevOps Server, automation
Service Principal | Enterprise deployments

Personal Access Token (PAT)

For Server deployments or automation:
  1. In Azure DevOps, go to User Settings → Personal Access Tokens
  2. Click New Token
  3. Configure:
    • Name: Cloudgeni Integration
    • Organization: Select only the organization Cloudgeni needs
    • Expiration: Set the shortest expiration you can rotate on time; the connection stops working when the token expires, so schedule the renewal
    • Scopes: Code (Read & Write), Pull Request Threads (Read & Write). Code (Read & Write) also allows pushing commits to every repository the token's owner can reach, so create the token from a dedicated service account rather than a personal one
  4. Copy the generated token; Azure DevOps shows it only once
  5. Enter it in the Cloudgeni connection dialog
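Before pasting a new token into the connection dialog, it is worth confirming that it authenticates and can read repositories at all. The script below is an added example, not Cloudgeni's own tooling: it calls the Azure DevOps REST API with the PAT as HTTP Basic auth (empty user name, token as password) and classifies the reply. The organization URL and the AZDO_PAT environment variable name are assumptions; the only API used is the Git repositories list, which requires the Code (Read) scope.

```python
import base64
import json
import urllib.error
import urllib.request


def basic_auth_header(pat: str) -> str:
    """Azure DevOps takes a PAT as HTTP Basic auth: empty user name, PAT as password."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def classify(status: int, content_type: str) -> str:
    """Interpret the reply to a read-only call such as listing repositories."""
    if status == 200 and "json" in content_type:
        return "ok"
    if status == 203 or "text/html" in content_type:
        # dev.azure.com answers an invalid or expired PAT with an HTML sign-in
        # page and 203, not 401, so a naive "status < 400" check passes wrongly.
        return "auth-failed"
    if status == 401:
        return "auth-failed"
    if status == 403:
        return "forbidden"   # token is valid but lacks the scope or project permission
    if status == 404:
        return "not-found"   # usually a wrong organization or collection URL
    return f"unexpected-{status}"


def check_pat(org_url: str, pat: str, timeout: float = 10.0) -> tuple:
    """Call GET {org_url}/_apis/git/repositories, which needs the Code (Read) scope.

    org_url is https://dev.azure.com/{organization} for Services, or the collection
    URL for Server, e.g. https://tfs.yourcompany.com/tfs/DefaultCollection (assumed).
    Returns (verdict, number of repositories visible to the token).
    """
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/_apis/git/repositories?api-version=7.1",
        headers={"Authorization": basic_auth_header(pat),
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read()
    except urllib.error.HTTPError as err:     # 401/403/404 arrive here
        status, ctype, body = err.code, err.headers.get("Content-Type", ""), err.read()
    verdict = classify(status, ctype)
    count = json.loads(body).get("count", 0) if verdict == "ok" else 0
    return verdict, count


if __name__ == "__main__":
    import os
    import sys
    # The PAT comes from the environment (variable name assumed) rather than argv,
    # so it does not land in shell history or process listings.
    verdict, count = check_pat(sys.argv[1], os.environ["AZDO_PAT"])
    print(f"{verdict}: {count} repositories visible")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it as `AZDO_PAT=... python check_pat.py https://dev.azure.com/yourorg`. A verdict of "forbidden" with a token that authenticates means the scopes or project permissions are wrong, which is the case the Troubleshooting section describes under Server Connection Failed; "auth-failed" with a 203 is the expired or mistyped token case.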

Permissions

Required Scopes

Cloudgeni requests these Azure DevOps permissions:
Scope          | Purpose
vso.code       | Read repository content
vso.code_write | Post PR comments
vso.project    | List projects and repositories
vso.hooks      | Configure service hooks

Access Levels

Azure DevOps Role     | Can Connect | Can Scan | PR Comments
Project Administrator | Yes         | Yes      | Yes
Contributor           | Limited     | Yes      | Yes
Reader                | No          | No       | No

Service Hooks

Automatic Setup

Cloudgeni automatically configures service hooks when you connect a repository. Hooks trigger on:
  • Code pushed to monitored branches
  • Pull request created or updated
  • Pull request merged

Manual Configuration

If automatic setup fails:
  1. Go to Project Settings → Service hooks
  2. Click Create subscription
  3. Select Web Hooks
  4. Configure:
    • Trigger: Code pushed, Pull request created/updated
    • URL: https://api.cloudgeni.ai/webhooks/azure-devops
    • HTTP headers: Add authentication header (from Cloudgeni)
  5. Click Finish

Event Types

Event                   | Description
git.push                | Code pushed to repository
git.pullrequest.created | New pull request opened
git.pullrequest.updated | PR updated with new commits
git.pullrequest.merged  | PR merged to target branch
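What the receiving end of a manually configured hook has to do is authenticate the delivery using the header you added in step 4, then pull the repository, branch and commit out of the payload for each of the event types above. The following is an added example of such a receiver, not Cloudgeni's code: the header name X-Cloudgeni-Token and the secret value are assumptions (the page does not document them), while the payload field names (eventType, resource.repository, resource.refUpdates, resource.pullRequestId, resource.lastMergeSourceCommit) are those of the Azure DevOps Git event payloads. The two sample deliveries are constructed and trimmed to the fields the code reads.

```python
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed: the subscription's "HTTP headers" field carries this header and secret.
# Neither the header name nor the secret value is documented on this page.
AUTH_HEADER = "X-Cloudgeni-Token"
SHARED_SECRET = "replace-with-the-secret-shown-in-cloudgeni"

# Event IDs from the table above; anything else is acknowledged and dropped.
HANDLED_EVENTS = {
    "git.push",
    "git.pullrequest.created",
    "git.pullrequest.updated",
    "git.pullrequest.merged",
}


@dataclass
class HookEvent:
    event_type: str
    repository_id: str
    repository_name: str
    project: str
    ref: Optional[str]              # pushed branch, or the PR source branch
    pull_request_id: Optional[int]  # None for pushes
    commit: Optional[str]           # the commit a scan should check out


def authenticate(headers: dict, secret: str = SHARED_SECRET) -> bool:
    """Constant-time check of the shared header; a missing header fails closed."""
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def parse_event(body: bytes) -> Optional[HookEvent]:
    """Pull the scan-relevant fields out of a Git service-hook payload."""
    payload = json.loads(body)
    event_type = payload.get("eventType", "")
    if event_type not in HANDLED_EVENTS:
        return None
    resource = payload["resource"]
    repo = resource["repository"]
    project = repo["project"]["name"]
    if event_type == "git.push":
        update = resource["refUpdates"][0]
        return HookEvent(event_type, repo["id"], repo["name"], project,
                         update["name"], None, update["newObjectId"])
    source = resource.get("lastMergeSourceCommit") or {}
    return HookEvent(event_type, repo["id"], repo["name"], project,
                     resource.get("sourceRefName"), int(resource["pullRequestId"]),
                     source.get("commitId"))


def handle_delivery(headers: dict, body: bytes) -> tuple:
    """Return the HTTP status to answer with and the event to enqueue, if any."""
    if not authenticate(headers):
        return 401, None          # do not parse untrusted bodies before auth
    try:
        event = parse_event(body)
    except (ValueError, KeyError, IndexError):
        return 400, None          # malformed payload; visible in the hook history
    return 200, event             # 200 for ignored events too, so ADO does not retry


# Constructed sample deliveries, trimmed to the fields used above.
SAMPLE_PUSH = json.dumps({
    "eventType": "git.push", "publisherId": "tfs",
    "resource": {
        "refUpdates": [{"name": "refs/heads/main", "oldObjectId": "0" * 40,
                        "newObjectId": "a" * 40}],
        "repository": {"id": "repo-1", "name": "infra",
                       "project": {"name": "Platform"}},
    },
}).encode()

SAMPLE_PR_CREATED = json.dumps({
    "eventType": "git.pullrequest.created", "publisherId": "tfs",
    "resource": {
        "pullRequestId": 42,
        "sourceRefName": "refs/heads/feature/bucket-policy",
        "targetRefName": "refs/heads/main",
        "lastMergeSourceCommit": {"commitId": "b" * 40},
        "repository": {"id": "repo-1", "name": "infra",
                       "project": {"name": "Platform"}},
    },
}).encode()

if __name__ == "__main__":
    for sample in (SAMPLE_PUSH, SAMPLE_PR_CREATED):
        print(handle_delivery({AUTH_HEADER: SHARED_SECRET}, sample))
    print(handle_delivery({}, SAMPLE_PUSH))   # rejected: (401, None)
```

Two design points matter for the troubleshooting steps later on the page: the receiver checks the header before it parses anything, so an unauthenticated caller cannot make it do work, and it answers 200 to event types it does not handle, because Azure DevOps records non-2xx replies as failed deliveries in the hook history and retries them.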

Repository Management

Adding Repositories

  1. Go to Settings → IaC Repositories
  2. Find your Azure DevOps integration
  3. Click Manage Repositories
  4. Toggle additional repositories on
  5. Click Save

Removing Repositories

  1. Go to Settings → IaC Repositories
  2. Find the repository to remove
  3. Click the menu → Remove
  4. Confirm removal

Repository Settings

Setting          | Description
Default Branch   | Branch to scan on push events
Scan Triggers    | Which events trigger scans
PR Comments      | Enable/disable pull request comments
Auto-remediation | Enable AI-powered fix suggestions

Pull Request Integration

How It Works

When a pull request is created or updated:
  1. Cloudgeni receives service hook notification
  2. Changed IaC files are analyzed
  3. Security findings are posted as PR comments
  4. Status is updated on the PR

Comment Format

PR comments include:
  • Summary of findings by severity
  • Inline comments on specific lines
  • Remediation suggestions
  • Links to detailed findings in Cloudgeni

Thread Resolution

  • Comments are posted as threads
  • Mark threads as resolved when issues are fixed
  • Threads auto-resolve when code is updated

Branch Policies

Configure Required Checks

Add Cloudgeni as a required check for pull requests:
  1. Go to Project Settings → Repositories → select the repository
  2. Click Policies → select the branch
  3. Under Build Validation, click Add build policy
  4. Select your Cloudgeni pipeline
  5. Configure policy:
    • Trigger: Automatic
    • Policy requirement: Required
    • Build expiration: Immediately

Status Checks

Cloudgeni can post status checks to PRs:
Status    | Meaning
Succeeded | No critical/high findings
Failed    | Critical or high findings detected
Pending   | Scan in progress
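Steps 3 and 4 of the pull request flow above (post findings as threads, update the status) and the severity rule in this table map onto two Azure DevOps Git REST calls: pull request statuses and pull request threads. The following is an added example that builds those request bodies, not Cloudgeni's own code. The Finding shape, the status context names "iac-scan" and "cloudgeni", and the sample findings are assumptions; the URL paths, api-versions, status states and the thread status codes (1 = active, 2 = fixed) are those of the Azure DevOps API.

```python
from dataclasses import dataclass
from typing import Iterable

SEVERITY_ORDER = ("critical", "high", "medium", "low")
BLOCKING = {"critical", "high"}   # the rule in the table above: these fail the status


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str     # one of SEVERITY_ORDER
    file_path: str    # repo-relative with a leading slash, as threadContext expects
    line: int         # line on the PR's right-hand (new) side of the file
    message: str
    fix: str


def status_state(findings: Iterable[Finding]) -> str:
    """Map findings to an Azure DevOps PR status state: "failed" or "succeeded"."""
    return "failed" if any(f.severity in BLOCKING for f in findings) else "succeeded"


def severity_counts(findings: Iterable[Finding]) -> dict:
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def status_body(findings: list, target_url: str, in_progress: bool = False) -> dict:
    """Body for POST .../pullRequests/{id}/statuses?api-version=7.1-preview.1."""
    counts = severity_counts(findings)
    desc = ", ".join(f"{counts[s]} {s}" for s in SEVERITY_ORDER if counts[s]) or "no findings"
    return {
        "state": "pending" if in_progress else status_state(findings),
        "description": "scan in progress" if in_progress else desc,
        "context": {"name": "iac-scan", "genre": "cloudgeni"},  # assumed context names
        "targetUrl": target_url,
    }


def thread_body(f: Finding, detail_url: str) -> dict:
    """Body for POST .../pullRequests/{id}/threads?api-version=7.1: one inline thread."""
    content = (f"**{f.severity.upper()}** {f.rule_id}: {f.message}\n\n"
               f"Suggested fix: {f.fix}\n\n[Details]({detail_url})")
    return {
        "comments": [{"parentCommentId": 0, "content": content, "commentType": 1}],
        "status": 1,   # 1 = active
        "threadContext": {
            "filePath": f.file_path,
            "rightFileStart": {"line": f.line, "offset": 1},
            "rightFileEnd": {"line": f.line, "offset": 1},
        },
    }


def resolve_thread_body() -> dict:
    """Body for PATCH .../threads/{threadId}: status 2 marks the thread fixed."""
    return {"status": 2}


def api_urls(org_url: str, project: str, repo_id: str, pr_id: int) -> dict:
    base = f"{org_url}/{project}/_apis/git/repositories/{repo_id}/pullRequests/{pr_id}"
    return {"status": f"{base}/statuses?api-version=7.1-preview.1",
            "thread": f"{base}/threads?api-version=7.1"}


# Constructed findings for a hypothetical Terraform change.
SAMPLE_FINDINGS = [
    Finding("AWS-S3-PUBLIC", "high", "/main.tf", 12,
            "S3 bucket ACL grants public-read.",
            'Set acl = "private" and add an aws_s3_bucket_public_access_block.'),
    Finding("TF-VAR-DESC", "low", "/variables.tf", 3,
            "Variable has no description.", "Add a description argument."),
]

if __name__ == "__main__":
    urls = api_urls("https://dev.azure.com/contoso", "Platform", "repo-1", 42)
    print(urls["status"], status_body(SAMPLE_FINDINGS, "https://example.invalid/scans/1"))
    print(urls["thread"], thread_body(SAMPLE_FINDINGS[0], "https://example.invalid/f/1"))
```

Both calls are authenticated the same way as the PAT check earlier on the page. Posting a status needs the Code (Status) scope and posting threads needs Pull Request Threads (Read & Write); a token that only has Code (Read) gets a 403 on either call, which is the "PR Comments Not Appearing / verify write permissions" case in Troubleshooting. The status body's state is what a branch policy can gate on; the thread body anchors the comment to the line on the new side of the diff so it survives further pushes until the thread is resolved with the PATCH body.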

Azure Pipelines Integration

Combine repository connection with CI/CD scanning:
# azure-pipelines.yml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  # Variable group that holds CLOUDGENI_API_KEY as a secret variable
  - group: cloudgeni-variables

steps:
  - task: Bash@3
    displayName: 'Cloudgeni Security Scan'
    env:
      # Secret variables are not exported to the environment automatically;
      # mapping it here keeps the key out of the inline script text
      CLOUDGENI_API_KEY: $(CLOUDGENI_API_KEY)
    inputs:
      targetType: 'inline'
      script: |
        set -euo pipefail
        # The installer is fetched over HTTPS and piped to bash; review it or pin a
        # release before running it unreviewed on every build
        curl -sSL https://get.cloudgeni.ai/install.sh | bash
        cloudgeni scan --api-key "$CLOUDGENI_API_KEY"
See Azure Pipelines Integration for detailed setup.

Troubleshooting

OAuth Failed:
  • Verify you have Project Administrator access
  • Clear browser cookies and retry
  • Check organization policies allow third-party apps
Projects Not Showing:
  • Ensure you have access to the project
  • Check project visibility settings
  • Try refreshing the project list
Server Connection Failed:
  • Verify server URL is correct
  • Check PAT has required scopes
  • Ensure network connectivity to Cloudgeni
Hooks Not Triggering:
  • Verify service hook exists in project settings
  • Check webhook URL is correct
  • Review hook history for delivery failures
PR Comments Not Appearing:
  • Verify write permissions are granted
  • Check PR reviews are enabled in Cloudgeni
  • Review scan logs for errors
Scans Not Running:
  • Verify repository contains IaC files
  • Check default branch configuration
  • Review scan trigger settings
Branch Policy Not Working:
  • Verify policy is configured correctly
  • Check build pipeline exists
  • Ensure policy applies to target branch

Security Considerations

Token Storage

  • OAuth tokens are encrypted at rest
  • PATs are securely stored and never exposed
  • Access can be revoked at any time

Data Access

Cloudgeni accesses:
  • Repository file contents (for scanning)
  • Pull request metadata (for comments)
  • Branch and commit information
Cloudgeni does not access:
  • Azure DevOps user credentials
  • Pipeline variables or secrets
  • Work items or boards

Revoking Access

To disconnect Azure DevOps:
  1. In Cloudgeni: Settings → IaC Repositories → Disconnect
  2. In Azure DevOps: User Settings → Authorizations → Revoke (for a PAT-based connection, revoke the token under User Settings → Personal Access Tokens instead)