Azure Repos Integration

Connect your Azure DevOps Repos to Safeguard.sh for automated SBOM generation and continuous security scanning.

Overview

Azure Repos integration supports:

Public and private repositories
Azure DevOps Services (cloud) and Azure DevOps Server (on-premises)
Git repositories
Multiple organizations and projects

Prerequisites

Azure DevOps account with repository access
Personal Access Token (PAT) with appropriate permissions
Safeguard.sh account with ESSCM access

Creating a Personal Access Token

Step 1: Access Token Settings

Sign in to Azure DevOps
Click your profile icon in the top right
Select Personal access tokens
Click + New Token

Step 2: Configure Token

Setting	Value
Name	Safeguard.sh Integration
Organization	Select your organization (or All accessible organizations)
Expiration	Set appropriate expiration (max 1 year)
Scopes	Custom defined

Step 3: Set Permissions

Select these scopes:

Scope	Permission	Purpose
Code	Read	Access repository contents
Project and Team	Read	List projects and repos
Graph	Read	Access user/team info

Click Create and copy the token immediately (it won't be shown again).

Configuring in Safeguard.sh

Public Repositories

Navigate to Integrations page
Click Connect on the Azure Repos card
Select the Public tab
Enter configuration details:

Field	Description
Name	Configuration name (e.g., "Azure Public Repos")
Description	Optional description
Repository URL	Full URL (e.g., `https://dev.azure.com/org/project/_git/repo`)

Click Add to add the repository
Click Next to proceed
Configure project settings and click Connect

Private Repositories

Navigate to Integrations page
Click Connect on the Azure Repos card
Select the Private tab
Enter credentials:

Field	Description
Name	Configuration name
Description	Optional description
Organization URL	Your Azure DevOps URL (e.g., `https://dev.azure.com/myorg`)
Personal Access Token	The PAT you created

Click Verify Credentials
Once verified, click Next
Select the projects and repositories to scan
Configure branch/tag settings
Click Connect

Azure DevOps Server (On-Premises)

For on-premises Azure DevOps Server:

Use your server URL (e.g., https://tfs.company.com/tfs/DefaultCollection)
Ensure the server is accessible from Safeguard.sh (may require VPN or network configuration)
Use the same PAT authentication method

Network Requirements

Endpoint	Port	Purpose
Your Azure DevOps Server	443 (HTTPS)	Repository access
Safeguard.sh API	443	SBOM upload

Repository URL Formats

Type	Format
Azure DevOps Services	`https://dev.azure.com/{org}/{project}/_git/{repo}`
Azure DevOps Server	`https://{server}/{collection}/{project}/_git/{repo}`
SSH	`git@ssh.dev.azure.com:v3/{org}/{project}/{repo}`

Branch and Tag Selection

When configuring repositories, you can specify:

Default branch - Usually main or master
Specific branches - Feature branches, release branches
Tags - Version tags like v1.0.0
All branches - Scan all branches (increases scan time)

Build Pipeline Integration

Integrate with Azure Pipelines for automated scanning:

# azure-pipelines.yml
trigger:
  - main
  - release/*

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'
    displayName: 'Install Node.js'

  - script: |
      npm install -g @safeguard-sh/cli
      safeguard sbom generate --source . --name "$(Build.Repository.Name)" --version "$(Build.BuildNumber)"
      safeguard gate check --policy production
    env:
      SAFEGUARD_API_KEY: $(SafeguardApiKey)
    displayName: 'Security Scan'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: './sbom.json'
      artifactName: 'sbom'
    displayName: 'Publish SBOM'

Webhook Configuration

Enable webhooks for automatic scanning on push:

In Azure DevOps, go to Project Settings → Service hooks
Click + Create subscription
Select Web Hooks
Configure:

Setting	Value
Trigger	Code pushed
Repository	Select your repository
Branch	Your target branch
URL	`https://api.safeguard.sh/webhooks/azure-devops`
HTTP headers	`X-Safeguard-Key: YOUR_WEBHOOK_KEY`

Azure Repos