Adding Azure DevOps Repositories

This guide includes adding a HackerOne Code servcice user to your Organization, authorizing your Azure DevOps account with HackerOne Code, installing and syncing your repositories.

Step 1: Invite the HackerOne Code service user

In order for our system to post feedback to your Azure pull requests, a posting user must be added to your team.

If your organizaion will provide the service user, please let your HackerOne team know. We'll work with you to ensure it's configured for our system to be able to interact with expected repositories and pull requests.

Open your Azure DevOps Organization Settings and click Users -> Add Users

In the Users field, add: [email protected]

If you've coordinated with your HackerOne team to use an alternate service user which has already been created, this step is not required. Ensure that the service user has been added to Project Team(s) that cover scope of repositories that will utilize the service.

The user will need Basic access and will need to be added to all of the Projects you'll need review coverage on.

If possible, we recommend selecting Add all Project access so there's no disruption in service as coverage is needed. You'll be able to maintain control for restricting and enabling service for certain repositories through our dashboard (see Step 5).

Once the user is aded, an invitation will be sent to the HackerOne implementation team to accept.

Step 2: Create a user account by authenticated with Azure DevOps

If you haven't already, visit https://app.pullrequest.com/signup and create a user account by authenticating with Azure DevOps.

We recommend logging into Azure DevOps in your browser prior to this step.

Step 3: Authorize and Sync Organization Projects

After signing up, you'll be prompted to authorize and connect with a version control hosting provider. Click the Sync with Azure DevOps option.

You'll then be prompted to authorize your Microsoft account with the HackerOne Code's PullRequest app, click Accept.

Required Permissions

Our integration adheres to the principle of least privilege, ensuring that it only has the access necessary to perform its intended function—providing valuable insights in pull request discussions. Here are the permissions we require and how we use them.

Required Permissions for Azure DevOps Integration Code (read and write) To enable our service to post comments on pull requests in your Azure DevOps repositories, it requires the vso.code_write Code scope. It includes the ability to "create and manage code reviews" - this is necessary for posting pull request comments and interacting with discussion threads.

Our service never updates or deletes source code in your repository. The write permission is used exclusively for adding and interacting with comments to pull requests. Our integration only makes API calls related to commenting and DOES NOT execute any code-modifying operations. Code (status)

The vso.code.status scope is required to create and get statuses associated with a pull request or an iteration. This is necessary for our system to post back results of automated scans and communicate workflow state to end-users in the Azure DevOps interface.

Project and team (read)

To keep project, repository and team information up-to-date in our dashboard tools, the service requires the vso.project Project and Team scope.

Graph (read)

Dashboard visibility and access to configuration settings in our dashboard are based on the end-user's permissions in Azure DevOps. Our system relies on the vso.graph Graph & Identity scope to ensure access within the service is based on access within Azure DevOps and is always up-to-date.

Step 4: Configuring scope of Azure DevOps projects

After authorizing with your Microsoft account, you'll be directed to a page to select the Azure DevOps Organization(s) in scope of service.

NOTE: Some Microsoft user accounts are treated like as Organization and will be shown in this list. It's likely you'll need to connect to your company's Organization instead of your Microsoft username (see below).

Be sure to select the Azure DevOps Organization your team uses rather than your Microsoft username.

Step 5: Select Repositories

You'll be asked to allow to access All repositories or Only select repositories.

After you've made your selection, click the Connect button.

Step 6: View Repositories

Your repositories should now appear on the dashboard page when the Azure DevOps Organization is selected from the Organizations drop-down menu at the top-left portion of the screen.

Step 7: Verify the posting user has been added

Before scanning and validation is enabled, a member of the HackerOne team will need to accept the invitation sent in step 1 to add the service user.

If you've used our global user, the azure user will be displayed in your Organization Settings screen (see below).

Last updated