Adding Azure DevOps Repositories
This guide includes adding a PullRequest user to your Organization, authorizing your Azure DevOps account with PullRequest, installing and syncing your repositories.
Last updated
This guide includes adding a PullRequest user to your Organization, authorizing your Azure DevOps account with PullRequest, installing and syncing your repositories.
Last updated
NOTE: If your organization uses the Azure Active Directory (Azure AD) access management service, please let your HackerOne implementation or accounts contact know.
In order for our system to post feedback to your Azure pull requests, a posting user must be added to your team.
Open your Azure DevOps Organization Settings and click Users -> Add Users
In the Users field, add: azure@pullrequest.com
If you've coordinated with your HackerOne team to use an alternate service user which has already been created, this step is not required. Ensure that the service user has been added to Project Team(s) that cover scope of repositories that will utilize the service.
The user will need Basic access and will need to be added to all of the Projects you'll need review coverage on.
If possible, we recommend selecting Add all Project access so there's no disruption in service as coverage is needed. You'll be able to maintain control for restricting and enabling service for certain repositories through our dashboard (see Step 5).
Once the user is aded, an invitation will be sent to the HackerOne implementation team to accept.
If you haven't already, visit https://app.pullrequest.com/signup and create a user account by authenticating with Azure DevOps.
We recommend logging into Azure DevOps in your browser prior to this step.
After signing up, you'll be prompted to authorize and connect with a version control hosting provider. Click the Sync with Azure DevOps option.
You'll then be prompted to authorize your Microsoft account with PullRequest, click Accept.
Our integration adheres to the principle of least privilege, ensuring that it only has the access necessary to perform its intended function—providing valuable insights in pull request discussions. Here are the permissions we require and how we use them.
Required Permissions for Azure DevOps Integration
Code (read and write)
To enable our service to post comments on pull requests in your Azure DevOps repositories, it requires the vso.code_write Code scope. It includes the ability to "create and manage code reviews" - this is necessary for posting pull request comments and interacting with discussion threads.
Our service never updates or deletes source code in your repository. The write permission is used exclusively for adding and interacting with comments to pull requests. Our integration only makes API calls related to commenting and DOES NOT execute any code-modifying operations. Code (status)
The vso.code.status scope is required to create and get statuses associated with a pull request or an iteration. This is necessary for our system to post back results of automated scans and communicate workflow state to end-users in the Azure DevOps interface.
To keep project, repository and team information up-to-date in our dashboard tools, the service requires the vso.project Project and Team scope.
Dashboard visibility and access to configuration settings in our dashboard are based on the end-user's permissions in Azure DevOps. Our system relies on the vso.graph Graph & Identity scope to ensure access within the service is based on access within Azure DevOps and is always up-to-date.
After authorizing with your Microsoft account, you'll be directed to a page to select which Azure DevOps Organization you want to install PullRequest on.
NOTE: Some Microsoft user accounts are treated like as Organization and will be shown in this list. It's likely you'll need to connect to your company's Organization instead of your Microsoft username (see below).
You'll be asked to allow PullRequest to access All repositories or Only select repositories.
PullRequest recommends selecting the All repositories option so you won't need to repeat this step each time your team creates a new repository.
After you've made your selection, click the Connect button.
Your repositories should now appear on the PullRequest dashboard page when the Azure DevOps Organization is selected from the Organizations drop-down menu at the top-left portion of the screen.
Before sending code reviews to the PullRequest network, a member of the PullRequest team will need to accept the invitation sent in step 1 to add the PullRequest posting user.
You'll be able to confirm this when the azure PullRequest user is displayed with the PullRequest logo as an avatar in your Organization Settings screen.
