Azure DevOps Server
Prerequisites
Before starting the integration, ensure that access to the relevant Azure DevOps organization is available and that the account being used has sufficient permissions to create Personal Access Tokens. These permissions are required to generate the token that will be used by Invicti ASPM during the integration process.
Integration Steps
- Sign in to Azure DevOps.
- From the home page, open User settings and navigate to Personal access tokens.
- Select + New Token to start the token creation process.
- Define the token details:
  - Provide a descriptive name for the token.
  - Select All accessible organizations. If the All accessible organizations option is not selected, the token will fail during the integration process. During integration, the system already prompts for the organization to be used. When a specific organization is selected while creating the token, the system attempts to validate access across all organizations, which results in an error and causes the integration to fail.
  - Choose an appropriate expiration period for the token.
  - Configure the required scopes as follows:
    - Code: Full
    - Work Items: Read, Write & Manage
    - Identity: Read & Manage
    - User Profile: Read & Write

    If Azure DevOps will be used as an Issue Manager, the integration should be configured with Full Access.
  - Complete the process by creating the token.
- Copy and securely store the generated token. For security reasons, the token will not be displayed again after leaving or refreshing the page.
- After this step, the process can be continued from the Invicti ASPM UI using the generated token.
Under Advanced Settings, there are specific configuration options for Azure DevOps Services. When these toggles are enabled, the relevant permissions are granted not only to Administrators but also to Team Leads. This allows Team Leads to add their own organizations as new instances, onboard projects through these instances, and manage access to them independently.
If Azure DevOps will also be used as an Issue Manager, the checkbox at the top of the list must be selected as well.
In some scanners, due to their authentication handling mechanisms, Azure DevOps Personal Access Tokens may not function correctly during repository access. In such cases, a Username and Token combination is required to ensure that the Clone operation completes successfully.
When this scenario applies, both the Username and the Token must be provided during the integration process.
This section is optional and can be skipped under normal circumstances. It should only be configured if authentication-related issues are encountered during cloning.
