# Azure DevOps Integration

> Connect Azure DevOps Services repositories to ZeroPath for scans, PR checks, comments, and patch pull requests

## Overview

ZeroPath supports Azure DevOps Services as a first-class VCS provider. After connecting an Azure
DevOps Services organization, you can import Azure Repos repositories, run full scans, scan pull
requests from service-hook events, post status checks and inline comments, and create patch pull
requests for validated findings.

<Warning>
  Azure DevOps support currently targets **Azure DevOps Services cloud** organizations such as
  `https://dev.azure.com/{organization}`. Azure DevOps Server is not included in this v1 setup path.
</Warning>

## Prerequisites

* A ZeroPath organization where you can create VCS installations and repositories.
* An Azure DevOps Services organization and at least one project with Azure Repos enabled.
* Permission in Azure DevOps to read repositories and create service hooks for the projects you
  want ZeroPath to monitor.
* Either a Microsoft Entra account that can authorize ZeroPath or a personal access token with the
  required scopes.

## Connect Azure DevOps Services

<Tabs>
  <Tab title="Microsoft Entra OAuth (Recommended)">
    Use OAuth when your organization can approve a delegated Microsoft Entra connection. This is the
    recommended path because users do not need to copy long-lived PATs into ZeroPath.

    <Steps>
      <Step title="Open Azure DevOps setup">
        In ZeroPath, go to [Add Repositories](https://zeropath.com/app/repositories?m=AddRepos&tab=azureDevOps), select the **Azure DevOps** tab, and click **Setup Azure DevOps**.
      </Step>

      <Step title="Enter your organization URL">
        Enter your Azure DevOps Services organization URL, for example
        `https://dev.azure.com/my-organization`.
      </Step>

      <Step title="Authorize ZeroPath">
        Continue through the Microsoft consent screen. ZeroPath exchanges the authorization code for
        encrypted credential material and validates access by listing Azure DevOps projects and
        repositories.
      </Step>

      <Step title="Import repositories">
        After the callback, accessible repositories appear in the Azure DevOps tab. Select individual
        repositories, import a selected batch, or click **Add all accessible Azure DevOps
        repositories**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Personal Access Token">
    Use the PAT path when OAuth approval is not available yet or when your Azure DevOps access model
    requires a token owned by a specific service account.

    <Steps>
      <Step title="Create a PAT">
        In Azure DevOps Services, create a personal access token for the organization you want to
        connect.
      </Step>

      <Step title="Grant required scopes">
        Grant repository read/write access, pull request thread read/write access, status or build
        status access, and service hook management access. These permissions allow ZeroPath to list
        repositories, clone code, scan PRs, post comments/statuses, create patch PRs, and reconcile
        service hooks.
      </Step>

      <Step title="Connect with PAT">
        In ZeroPath, open the Azure DevOps setup dialog, choose **Personal Access Token**, enter your
        organization URL and PAT, then click **Connect with PAT**.
      </Step>

      <Step title="Import repositories">
        Once ZeroPath validates the token, import individual repositories, selected batches, or all
        accessible repositories.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## Repository Imports

ZeroPath discovers repositories by listing projects in the connected Azure DevOps Services
organization and then listing Git repositories within each project.

You can import repositories in three ways:

* **Single repository** - select one repository and click **Add selected Azure DevOps repositories**.
* **Selected batch** - select multiple repositories in the table and import them together.
* **Add all** - import every accessible, non-archived Azure DevOps repository without paging through
  the full list in the browser.

Imported repositories receive the same default scanner settings, tags, repository limits, audit
events, and repository-added notifications as other supported VCS providers.

## PR Scanning

ZeroPath creates Azure DevOps service-hook subscriptions for connected projects. When a pull request
is created or updated, ZeroPath schedules a PR scan against the changed files.

PR scan results can include:

* A ZeroPath status posted to the Azure DevOps pull request.
* Inline review comments on affected diff lines.
* A PR summary comment with the scan result.
* Automatic resolution of stale comment threads when findings are fixed or triaged.

<Info>
  Bot commands are not currently available on Azure DevOps PR comments. Use the dashboard for
  triage actions such as false-positive marking, assignment, and patch generation.
</Info>

## Patch Pull Requests

When a finding is eligible for an automatic fix, ZeroPath can create an Azure DevOps pull request
using the same patch workflow as other supported VCS providers:

* Generate a patch branch.
* Commit the fix with the standard ZeroPath commit-message convention.
* Open a pull request targeting the original branch.
* Add summary context and link the patch PR back to the finding in ZeroPath.

## Troubleshooting

<AccordionGroup>
  <Accordion title="No projects or repositories appear">
    Confirm the OAuth identity or PAT can access the Azure DevOps Services organization and the
    projects you expect. The connection must be able to list projects and repositories.
  </Accordion>

  <Accordion title="Repository import fails">
    Check whether a repository with the same name or URL is already linked in ZeroPath. Also verify
    that your organization has not reached its repository limit.
  </Accordion>

  <Accordion title="PR scans do not start">
    Confirm PR scanning is enabled in ZeroPath repository settings and that the Azure DevOps
    connection still has permission to manage service hooks for the relevant project.
  </Accordion>

  <Accordion title="Statuses or comments do not appear">
    Verify that the OAuth grant or PAT includes write access for statuses, pull request comments, and
    pull request threads. Reconnect the installation after rotating credentials.
  </Accordion>

  <Accordion title="Patch PR creation fails">
    Confirm the credential can create branches, push commits, and open pull requests in the target
    repository. Branch policies in Azure DevOps may also block automated branch updates.
  </Accordion>
</AccordionGroup>
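
When no projects or repositories appear, you can run the same two-step discovery described under Repository Imports against the Azure DevOps REST API with the credential you gave ZeroPath. The script below is an added example, not ZeroPath code; the `AZDO_ORG_URL` and `AZDO_PAT` environment variable names and the function names are assumptions made for illustration.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "api-version=7.1"

def http_get(url, pat):
    """GET a JSON resource; a PAT is sent as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, None
    try:
        return status, json.loads(raw)
    except ValueError:
        # A non-JSON body (for example an HTML sign-in page) means the credential was not accepted.
        return status, None

def discover(org_url, pat, get=http_get):
    """List projects, then Git repositories per project. Returns (repos, problems)."""
    base = org_url.rstrip("/")
    # Reads the first page of projects only; very large organizations need continuation handling.
    status, projects = get(f"{base}/_apis/projects?{API_VERSION}", pat)
    if status != 200 or projects is None:
        return [], [f"cannot list projects (HTTP {status})"]
    repos, problems = [], []
    for project in projects.get("value", []):
        name = project["name"]
        url = f"{base}/{urllib.parse.quote(name)}/_apis/git/repositories?{API_VERSION}"
        status, listing = get(url, pat)
        if status != 200 or listing is None:
            problems.append(f"cannot list repositories in {name} (HTTP {status})")
            continue
        repos.extend(f"{name}/{repo['name']}" for repo in listing.get("value", []))
    return repos, problems

if __name__ == "__main__" and "AZDO_PAT" in os.environ:
    # Hypothetical variable names; keep the PAT out of shell history and command lines.
    found, issues = discover(os.environ["AZDO_ORG_URL"], os.environ["AZDO_PAT"])
    print(f"{len(found)} repositories visible")
    for issue in issues:
        print("PROBLEM:", issue)
```

A project that is listed but whose repositories cannot be read points to a per-project permission gap rather than a bad credential.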

## Operational Notes

* Disconnecting an Azure DevOps installation stops new scans from being scheduled for that
  connection.
* Rotate PATs by reconnecting the Azure DevOps installation with the new token.
* If new projects are added after setup, reconnect or resync service hooks so ZeroPath can subscribe
  to PR and repository-created events for those projects.
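
To find projects that were added after setup, or whose hooks were disabled, compare the project list with the service-hook subscriptions returned by `GET {organization}/_apis/hooks/subscriptions`. The check below is an added example, not ZeroPath code: it assumes the hooks are webhook subscriptions identifiable by the host in their consumer URL, `hooks.zeropath.example` is a placeholder host, and the sample data is constructed.

```python
from urllib.parse import urlparse

# Azure DevOps event ids for "pull request created" and "pull request updated".
PR_EVENTS = {"git.pullrequest.created", "git.pullrequest.updated"}

def hook_gaps(projects, subscriptions, webhook_host):
    """Map project name -> PR events lacking an enabled subscription to webhook_host."""
    covered = {}
    for sub in subscriptions:
        url = sub.get("consumerInputs", {}).get("url", "")
        if urlparse(url).hostname != webhook_host:
            continue  # a hook that belongs to some other integration
        if sub.get("status") != "enabled" or sub.get("eventType") not in PR_EVENTS:
            continue  # disabled hooks deliver nothing, so they do not count as coverage
        project_id = sub.get("publisherInputs", {}).get("projectId")
        covered.setdefault(project_id, set()).add(sub["eventType"])
    gaps = {}
    for project in projects:
        missing = PR_EVENTS - covered.get(project["id"], set())
        if missing:
            gaps[project["name"]] = sorted(missing)
    return gaps

def sample_sub(event, status, project_id, url="https://hooks.zeropath.example/azdo"):
    """Build one constructed subscription record with only the fields the check reads."""
    return {"eventType": event, "status": status,
            "publisherInputs": {"projectId": project_id},
            "consumerInputs": {"url": url}}

# Constructed sample input: three projects and the subscriptions that exist for them.
SAMPLE_PROJECTS = [
    {"id": "p-1", "name": "Payments"},
    {"id": "p-2", "name": "Mobile"},
    {"id": "p-3", "name": "Data Platform"},  # added after setup, never subscribed
]
SAMPLE_SUBSCRIPTIONS = [
    sample_sub("git.pullrequest.created", "enabled", "p-1"),
    sample_sub("git.pullrequest.updated", "enabled", "p-1"),
    sample_sub("git.pullrequest.created", "enabled", "p-2"),
    sample_sub("git.pullrequest.updated", "disabledBySystem", "p-2"),
    sample_sub("git.pullrequest.created", "enabled", "p-3", "https://ci.internal.example/hook"),
]

if __name__ == "__main__":
    for name, events in hook_gaps(SAMPLE_PROJECTS, SAMPLE_SUBSCRIPTIONS,
                                  "hooks.zeropath.example").items():
        print(f"{name}: no enabled hook for {', '.join(events)}")
```

Any project reported here will not trigger PR scans until the installation is reconnected or its service hooks are resynced.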
