Overview

ZeroPath supports Azure DevOps Services as a first-class VCS provider. After connecting an Azure DevOps Services organization, you can import Azure Repos repositories, run full scans, scan pull requests from service-hook events, post status checks and inline comments, and create patch pull requests for validated findings.
Azure DevOps support currently targets Azure DevOps Services cloud organizations such as https://dev.azure.com/{organization}. Azure DevOps Server is not included in this v1 setup path.

Prerequisites

  • A ZeroPath organization where you can create VCS installations and repositories.
  • An Azure DevOps Services organization and at least one project with Azure Repos enabled.
  • Permission in Azure DevOps to read repositories and create service hooks for the projects you want ZeroPath to monitor.
  • Either a Microsoft Entra account that can authorize ZeroPath or a personal access token with the required scopes.

Connect Azure DevOps Services

Repository Imports

ZeroPath discovers repositories by listing projects in the connected Azure DevOps Services organization and then listing Git repositories within each project. You can import repositories in three ways:
  • Single repository - select one repository and click Add selected Azure DevOps repositories.
  • Selected batch - select multiple repositories in the table and import them together.
  • Add all - import every accessible, non-archived Azure DevOps repository without paging through the full list in the browser.
Imported repositories receive the same default scanner settings, tags, repository limits, audit events, and repository-added notifications as other supported VCS providers.

PR Scanning

ZeroPath creates Azure DevOps service-hook subscriptions for connected projects. When a pull request is created or updated, ZeroPath schedules a PR scan against the changed files. PR scan results can include:
  • A ZeroPath status posted to the Azure DevOps pull request.
  • Inline review comments on affected diff lines.
  • A PR summary comment with the scan result.
  • Automatic resolution of stale comment threads when findings are fixed or triaged.
Bot commands are not currently available on Azure DevOps PR comments. Use the dashboard for triage actions such as false-positive marking, assignment, and patch generation.

Patch Pull Requests

When a finding is eligible for an automatic fix, ZeroPath can create an Azure DevOps pull request using the same patch workflow as other supported VCS providers:
  • Generate a patch branch.
  • Commit the fix with the standard ZeroPath commit-message convention.
  • Open a pull request targeting the original branch.
  • Add summary context and link the patch PR back to the finding in ZeroPath.

Troubleshooting

Confirm the OAuth identity or PAT can access the Azure DevOps Services organization and the projects you expect. The connection must be able to list projects and repositories.
Check whether a repository with the same name or URL is already linked in ZeroPath. Also verify that your organization has not reached its repository limit.
Confirm PR scanning is enabled in ZeroPath repository settings and that the Azure DevOps connection still has permission to manage service hooks for the relevant project.
Verify that the OAuth grant or PAT includes write access for statuses, pull request comments, and pull request threads. Reconnect the installation after rotating credentials.
Confirm the credential can create branches, push commits, and open pull requests in the target repository. Branch policies in Azure DevOps may also block automated branch updates.
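The first check above (the credential must be able to list projects and repositories) can be reproduced outside ZeroPath. The following is an added example, not ZeroPath code: it walks the same project-then-repository listing with the public Azure DevOps REST API and reports, per project, how many repositories the PAT can see or which HTTP error it gets. The API version, the function names and the `AZDO_ORG` / `AZDO_PAT` environment variables are assumptions, and pagination is not handled.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

API = "api-version=7.1"  # assumption: use any REST API version your organization supports


def auth_header(pat):
    # Azure DevOps PATs are sent as HTTP Basic auth with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def http_get(url, headers):
    # Default fetcher; check_access accepts a replacement so it can be tested offline.
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_access(org, pat, fetch=http_get):
    """Return {project name: repository count, or 'HTTP <code>' on failure}."""
    base = f"https://dev.azure.com/{urllib.parse.quote(org)}"
    headers = auth_header(pat)
    # Step 1: list projects (first page only).
    projects = fetch(f"{base}/_apis/projects?{API}", headers)["value"]
    report = {}
    for project in projects:
        name = project["name"]
        # Step 2: list Git repositories inside each project.
        url = f"{base}/{urllib.parse.quote(name)}/_apis/git/repositories?{API}"
        try:
            report[name] = len(fetch(url, headers)["value"])
        except urllib.error.HTTPError as err:
            # The project is visible but its repositories are not readable.
            report[name] = f"HTTP {err.code}"
    return report


if __name__ == "__main__":
    import os
    # AZDO_ORG and AZDO_PAT are hypothetical environment variable names.
    result = check_access(os.environ["AZDO_ORG"], os.environ["AZDO_PAT"])
    for project, status in result.items():
        print(f"{project}: {status}")
```

A project that is missing from the output, or that shows an HTTP error instead of a count, is one the credential cannot fully read, so its repositories cannot be discovered through that credential.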

Operational Notes

  • Disconnecting an Azure DevOps installation stops new scans from being scheduled for that connection.
  • Rotate PATs by reconnecting the Azure DevOps installation with the new token.
  • If new projects are added after setup, reconnect or resync service hooks so ZeroPath can subscribe to PR and repository-created events for those projects.