Connection Methods
- Personal Access Token (Recommended)
- OAuth
Personal Access Token
Best for: Most users
- Full control over permissions
- Works with Azure DevOps Services and Server
- No OAuth setup required
Personal Access Token Setup
1. Open Azure DevOps: Navigate to dev.azure.com and sign in.
2. Open User Settings: Click your profile icon (top right) → Personal access tokens.
3. Create New Token: Click + New Token and fill in:
   - Name: CodeThreat Security Scanner
   - Organization: Select your organization
   - Expiration: Choose expiration date
   - Scopes: Select:
     - ✅ Code: Read
     - ✅ Pull Requests: Read
     - ✅ Project and Team: Read
     - ✅ Service Hooks: Read & write (for webhooks)
4. Create and Copy Token: Click Create and copy the token immediately.
5. Add to CodeThreat: Settings → Integrations → Azure DevOps → Select Personal Access Token. Paste the token and enter the organization name (from the URL: dev.azure.com/{organization}).
6. Import Repositories: Select repositories from your Azure DevOps projects.
Azure DevOps Server
CodeThreat supports on-premises Azure DevOps Server (formerly TFS).
Requirements
- Azure DevOps Server 2019 or later
- Network connectivity to your server
- Valid SSL certificate
Webhook Configuration
CodeThreat creates service hooks in Azure DevOps for automated scanning.
Service Hook Events
- Code pushed: Trigger scans on commits
- Pull request created: Scan new PRs
- Pull request updated: Rescan on PR changes
Verify Service Hooks
- In Azure DevOps: Project → Project settings → Service hooks
- Find hooks with target URL: https://app.codethreat.com/webhooks/azuredevops
- Click the hook → Test to verify delivery
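To check the hooks without clicking through each one, here is an added example (not CodeThreat's own code or documentation) that lists an organization's service-hook subscriptions through the Azure DevOps REST API using the PAT, then confirms that each of the three events above has an enabled hook pointing at the CodeThreat webhook URL. It assumes the subscriptions endpoint and the response fields named in the comments (eventType, status, consumerInputs.url); the sample response is constructed.

```python
import base64
import json
import urllib.request

CODETHREAT_WEBHOOK_URL = "https://app.codethreat.com/webhooks/azuredevops"
# The three events the page lists, in Azure DevOps eventType form.
EXPECTED_EVENTS = {"git.push", "git.pullrequest.created", "git.pullrequest.updated"}

def pat_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()

def fetch_subscriptions(organization: str, pat: str) -> list:
    """List every service-hook subscription in the organization (network call)."""
    url = f"https://dev.azure.com/{organization}/_apis/hooks/subscriptions?api-version=7.1"
    req = urllib.request.Request(url, headers={"Authorization": pat_auth_header(pat)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]

def check_codethreat_hooks(subscriptions: list) -> dict:
    """Report which expected CodeThreat hooks are enabled, disabled, or absent."""
    enabled, disabled = set(), set()
    for sub in subscriptions:
        event = sub.get("eventType")
        # Ignore hooks for other consumers (CI servers, chat tools) and other events.
        if sub.get("consumerInputs", {}).get("url") != CODETHREAT_WEBHOOK_URL:
            continue
        if event not in EXPECTED_EVENTS:
            continue
        # Azure DevOps disables a hook after repeated delivery failures, so a hook
        # can exist and still never fire: only status "enabled" counts as healthy.
        (enabled if sub.get("status") == "enabled" else disabled).add(event)
    missing = EXPECTED_EVENTS - enabled - disabled
    stale = disabled - enabled
    return {"ok": not missing and not stale,
            "missing": sorted(missing), "disabled": sorted(stale)}

# Constructed sample response, not real data: PR-created hook healthy, push hook
# disabled by the system, PR-updated hook never created.
SAMPLE_SUBSCRIPTIONS = [
    {"eventType": "git.pullrequest.created", "status": "enabled",
     "consumerInputs": {"url": CODETHREAT_WEBHOOK_URL}},
    {"eventType": "git.push", "status": "disabledBySystem",
     "consumerInputs": {"url": CODETHREAT_WEBHOOK_URL}},
    {"eventType": "git.push", "status": "enabled",
     "consumerInputs": {"url": "https://ci.example.invalid/hook"}},
]

if __name__ == "__main__":
    print(check_codethreat_hooks(SAMPLE_SUBSCRIPTIONS))
```

Run it against the real list by replacing SAMPLE_SUBSCRIPTIONS with fetch_subscriptions(organization, pat); a non-empty "disabled" list is the case the Test button above would also reveal.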
Pull Request Integration
Get security feedback in Azure DevOps pull requests.
PR Status Checks
CodeThreat appears as a status check on PRs:
- ✅ Succeeded: No critical/high vulnerabilities
- ❌ Failed: Security issues found
- ⏳ Pending: Scan in progress
Branch Policies
Require CodeThreat checks before merging:
- Azure DevOps Project → Repos → Branches
- Select branch → Branch policies
- Status checks → Add status policy
- Select CodeThreat Security Scan
- Set policy to Required
Permissions
To connect Azure DevOps, you need:
- Project Collection Administrator (to create service hooks)
- Or Project Administrator (project-level connection)
Best Practices
- Use organization-wide tokens
- Set token expiration (rotate every 90-180 days)
- Enable PR scanning
- Use branch policies to require security checks
Troubleshooting
Connection failed:
- Verify token scopes are correct
- Check organization name matches Azure DevOps
- Ensure token hasn’t expired
- Verify you have Read access to repositories
- Check if project name filter is too restrictive
- Re-authorize the connection
- Check service hook status in Azure DevOps
- Verify CodeThreat webhook URL is reachable
- Ensure firewall allows outbound HTTPS
