Azure DevOps
Overview
Visualize and analyze Azure DevOps resources, including projects, repositories, pipelines, artifacts, and work items. Gain insights into visibility, governance, and pipeline execution. Monitor compliance, manage permissions and policies, and analyze repositories and artifacts for vulnerabilities. Enable comprehensive tracking of development activities and ensure alignment with organizational security and compliance requirements.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Azure PAT | Azure Personal Access Token with the necessary permissions. |
| Azure Organization URL | The URL of your Azure DevOps organization. |
| Data Crawl Frequency | The frequency at which Kscope will crawl the account for resources. |
| Event Crawl Frequency | The frequency at which Kscope will crawl the account for events. |
| Resource Selection | Selectively include or exclude certain resources. |
Permissions
The Azure DevOps blueprint requires a Personal Access Token (PAT) which you can create by navigating to https://dev.azure.com/{organization}/_usersSettings/tokens (replace {organization} with your organization name). Please ensure that you give the token a descriptive name, set an appropriate expiration date, and manually select the required permissions listed below.
Required Permissions:
| Resource | Scopes |
|---|---|
| Group | graph:read |
| User | graph:read |
| Project | projects-and-teams:read, packaging:read, build:read |
| Team | projects-and-teams:read |
| Repository SBOM | code:read, code:write |
| Secret Scan | code:read |
| Remediation | code:read, code:write |
Permission Details:
| Permission | Scope | Why it's needed |
|---|---|---|
| code:read | Code | Read repository content, branches, and commits, and perform secret scanning |
| code:write | Code | Create branches and push commits for remediation pull requests |
| build:read | Build | Access build definitions, build results, and pipeline information |
| project:read | Project and team | Read project information, team details, and organizational structure |
| graph:read | Graph | Access user and group information for identity management |
| packaging:read | Packaging | Read package and artifact information from Azure Artifacts |
For more details on the Azure DevOps permissions, you can refer to the following documentation: Azure DevOps Services REST API Reference
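Because the blueprint stores the PAT long-term, it is worth confirming before configuration that the token carries the read scopes above and nothing it does not need. The following script is an added example, not part of the Kscope documentation or of Azure DevOps tooling. It sends one read-only request per scope to the public Azure DevOps REST API (projects, Git repositories, build definitions, Azure Artifacts feeds, Graph users) and reports which scopes the token appears to lack. Assumptions: the PAT is passed as HTTP Basic auth with an empty username (the documented Azure DevOps mechanism); a 401 or 403 is read as a missing scope; a 203 response carrying an HTML sign-in page is treated as "not authenticated", which is observed Azure DevOps behaviour rather than a documented contract. `code:write` is deliberately not probed, since proving it would require a write. The `fetch` parameter, `AZURE_PAT` environment variable and the organization/project values are the example's own choices.

```python
"""Probe the Azure DevOps PAT scopes required by the blueprint (added example)."""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# One read-only endpoint per required read scope. These are public Azure DevOps
# REST routes; {org} and {project} are filled in from the caller's values.
PROBES: Dict[str, str] = {
    "projects-and-teams:read": "https://dev.azure.com/{org}/_apis/projects?api-version=7.1",
    "code:read": "https://dev.azure.com/{org}/{project}/_apis/git/repositories?api-version=7.1",
    "build:read": "https://dev.azure.com/{org}/{project}/_apis/build/definitions?api-version=7.1",
    "packaging:read": "https://feeds.dev.azure.com/{org}/_apis/packaging/feeds?api-version=7.1",
    "graph:read": "https://vssps.dev.azure.com/{org}/_apis/graph/users?api-version=7.1-preview.1",
}

Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]


def pat_auth_header(pat: str) -> Dict[str, str]:
    """Azure DevOps accepts a PAT as HTTP Basic credentials with an empty username."""
    token = base64.b64encode(f":{pat}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def classify(status: int, content_type: str) -> str:
    """Map a probe response to a verdict for the scope it exercised.

    200: scope present. 401/403: token rejected or scope missing.
    203 with an HTML body: Azure DevOps served its sign-in page instead of JSON,
    which is how an unauthenticated request is commonly observed to fail
    (assumption based on observed behaviour, not a documented contract).
    """
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "missing-scope"
    if status == 203 and "text/html" in content_type:
        return "not-authenticated"
    return f"unexpected-{status}"


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default transport: a plain GET with the standard library, returning (status, content-type)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.headers.get("Content-Type", "")


def check_pat(org: str, project: str, pat: str, fetch: Fetch = http_fetch) -> Dict[str, str]:
    """Probe every read scope in PROBES and return {scope: verdict}."""
    headers = pat_auth_header(pat)
    headers["Accept"] = "application/json"
    results: Dict[str, str] = {}
    for scope, template in PROBES.items():
        url = template.format(org=org, project=project)
        status, content_type = fetch(url, headers)
        results[scope] = classify(status, content_type)
    return results


def missing_scopes(results: Dict[str, str]) -> List[str]:
    """Scopes whose probe did not come back 'ok', sorted for stable output."""
    return sorted(scope for scope, verdict in results.items() if verdict != "ok")


if __name__ == "__main__":
    import os
    import sys

    # Usage: AZURE_PAT=... python check_pat.py <organization> <project>
    # The token is read from the environment so it never appears in shell history.
    organization, project_name = sys.argv[1], sys.argv[2]
    verdicts = check_pat(organization, project_name, os.environ["AZURE_PAT"])
    for scope, verdict in verdicts.items():
        print(f"{scope:25s} {verdict}")
    sys.exit(1 if missing_scopes(verdicts) else 0)
```

Run it once with the freshly created token; a non-zero exit means at least one required scope is missing (or the token is expired or revoked), and the per-scope output says which endpoint refused it. The transport is injectable so the same logic can be unit-tested without network access.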
SBOM Generation
The Azure DevOps blueprint includes SBOM (Software Bill of Materials) generation for repositories. This provides comprehensive vulnerability scanning and dependency analysis for source code and applications.
For information about supported languages and package managers for SBOM generation, see: SBOM
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| Commit Reference | azuredevops.project.CommitRef | Commit | A commit reference in an Azure DevOps project. |
| Tag Definition | azuredevops.project.TagDefinition | Tag | A tag definition in an Azure DevOps project. |
| Group | azuredevops.group.Group | UserGroup | A specific group within Azure DevOps. |
| Identity Reference | azuredevops.project.IdentityRef | Identity | An identity reference in an Azure DevOps project. |
| Reviewer Identity Reference | azuredevops.project.ReviewerIdentityRef | Identity | A reviewer identity reference in Azure DevOps. |
| Pipeline | azuredevops.project.Pipeline | Pipeline | A pipeline in an Azure DevOps project. |
| Pull Request | azuredevops.project.PullRequest | PullRequest | A pull request in an Azure DevOps project. |
| Pull Request Completion Options | azuredevops.project.PullRequestCompletionOptions | Option | Completion options for pull requests. |
| Project Reference | azuredevops.project.ProjectRef | Project | A project reference in Azure DevOps. |
| Project | azuredevops.project.Project | Project | A project in Azure DevOps. |
| Web API Team | azuredevops.project.WebAPITeam | Team | A web API team in Azure DevOps. |
| Repository | azuredevops.project.Repository | Repository | A repository in an Azure DevOps project. |
| Fork | azuredevops.project.Fork | Repository | A forked repository in Azure DevOps. |
| Author | azuredevops.project.Author | Identity | The author of a commit in Azure DevOps. |
| Status | azuredevops.project.Status | Status | A status in an Azure DevOps project. |
| Status Context | azuredevops.project.StatusContext | Context | A context for statuses in Azure DevOps. |
| Comment | azuredevops.project.Comment | Comment | A comment in an Azure DevOps project. |
| Push | azuredevops.project.Push | Push | A push event in an Azure DevOps project. |
| Pull Request Comment Thread | azuredevops.project.PullRequestCommentThread | Thread | A comment thread on a pull request. |
| Comment Thread Context | azuredevops.project.CommentThreadContext | Context | Context for a comment thread in Azure DevOps. |
| Comment Position | azuredevops.project.CommentPosition | Position | Position of a comment in Azure DevOps. |
| User | azuredevops.user.User | User | A user in Azure DevOps. |
| Feed | azuredevops.project.Feed | Feed | A feed in an Azure DevOps project. |
| Upstream Source | azuredevops.project.UpstreamSource | Source | An upstream source of an Azure DevOps feed. |
| Feed View | azuredevops.project.FeedView | View | A view of an Azure DevOps feed. |
| Feed Permission | azuredevops.project.FeedPermission | Permission | Permissions on an Azure DevOps feed. |
| Package | azuredevops.project.Package | Package | A package in an Azure DevOps feed. |
| Minimal Package Version | azuredevops.project.MinimalPackageVersion | Version | A minimal package version in Azure DevOps. |
| Work Item Comment Version Reference | azuredevops.project.WorkItemCommentVersionRef | CommentRef | Reference to a comment version on a work item. |
| Work Item Reference | azuredevops.project.WorkItemReference | Reference | Reference to a work item in Azure DevOps. |
| Work Item | azuredevops.project.WorkItem | Record | A work item in an Azure DevOps project. |
| Work Item Comment | azuredevops.project.WorkItemComment | Comment | A comment on a work item in Azure DevOps. |
| Work Item Relation | azuredevops.project.WorkItemRelation | Relation | A relation between work items in Azure DevOps. |
| Team | azuredevops.team.Team | Team | A team in Azure DevOps. |
| Team Member | azuredevops.team.TeamMember | Member | A member of a team in Azure DevOps. |
| Identity | azuredevops.project.Identity | Identity | Identity of a user in Azure DevOps. |
| Branch Stats | azuredevops.project.BranchStats | Stats | Branch statistics in Azure DevOps. |
| Commit | azuredevops.project.Commit | CodeCommit | A commit in an Azure DevOps project. |
| User Date | azuredevops.project.UserDate | UserDate | User date information in Azure DevOps. |
| Build | azuredevops.project.Build | Build | A build in an Azure DevOps project. |
| Task Orchestration Plan | azuredevops.project.TaskOrchestrationPlan | Plan | A task orchestration plan in Azure DevOps. |
| Definition | azuredevops.project.Definition | Definition | A build definition in Azure DevOps. |
| Build Artifact | azuredevops.project.BuildArtifact | Artifact | An artifact of a build in Azure DevOps. |
| Artifact Resource | azuredevops.project.ArtifactResource | Resource | A resource associated with a build artifact. |
| Task Agent Pool | azuredevops.project.TaskAgentPool | Pool | A task agent pool in Azure DevOps. |
| Agent Pool Queue | azuredevops.project.AgentPoolQueue | Queue | An agent pool queue in Azure DevOps. |
| Build Request Validation Result | azuredevops.project.BuildRequestValidationResult | Result | Validation result for a build request. |
| Build Log | azuredevops.project.BuildLog | Log | A build log in an Azure DevOps project. |
| Gitleaks Finding | sca.secretscan.Finding | Vulnerability | A secret detected by a Gitleaks scan. |