
Deploy Endor Labs Azure DevOps App

Get up and running with Endor Labs Azure DevOps App.


Endor Labs provides an Azure DevOps App that continuously scans Azure repos in your projects for security risks. You can selectively scan your repositories for SCA, secrets, SAST, or CI/CD tools.

You can choose to configure the Azure DevOps App at the organization level or the project level. When you configure the Azure DevOps App at the organization level, Endor Labs adds all the projects under the organization and scans all the repos in the projects. When you add an Azure DevOps project, Endor Labs scans all repos within that project.

See Manage Azure App to learn how to manage your Azure App integration in Endor Labs.

You need to add an Azure organization or a project to an Endor Labs namespace. Organizations and projects in Azure DevOps are mapped as managed namespaces in Endor Labs.

Managed namespaces have the following restrictions:

  • You cannot delete managed namespaces.
  • You cannot delete repos present within managed namespaces.
  • You cannot add projects or create namespaces within managed namespaces.
  • You cannot create any new Endor Labs App installation within the managed namespaces.

When you add an Azure organization to an Endor Labs namespace, Endor Labs creates a child namespace for the organization and creates child namespaces for each project in the organization under the organization namespace. The organization namespace and project namespaces are managed namespaces. You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace.

If your organization name is deerinc and you have three projects, buck, doe, and fawn, Endor Labs creates four managed namespaces: deerinc, buck, doe, and fawn. The namespaces buck, doe, and fawn are child namespaces of the deerinc namespace.

The following diagram shows the resulting namespace structure in Endor Labs.

graph TD

      %% Endor Labs namespace
      EN[endor-azure]

      %% Azure organization and its projects
      O1[deerinc]
      P1[buck]
      P2[doe]
      P3[fawn]

      %% connections
      EN --> O1
      O1 --> P1
      O1 --> P2
      O1 --> P3

      class EN endor
      class O1,P1,P2,P3 managed
      classDef managed fill:#3FE1F3

When you add an Azure DevOps project to an Endor Labs namespace, Endor Labs creates a child namespace for the Azure DevOps project and maps all repositories in that project to this namespace. The child namespace that maps to the Azure DevOps project is a managed namespace. The managed namespace has the name, <organization name>-<project name>. For example, if your organization name is deerinc and project name is doe, the managed namespace will have the name, deerinc-doe.

You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace. For example, suppose your organization deerinc has three projects, buck, doe, and fawn, and you add each project to the Endor Labs namespace endor-azure.

The following diagram shows the resulting namespace structure in Endor Labs.

graph TD

      %% Endor Labs namespace
      EN[endor-azure]

      %% Azure projects, each mapped as <organization name>-<project name>
      A1[deerinc-buck]
      A2[deerinc-doe]
      A3[deerinc-fawn]

      %% connections
      EN --> A1
      EN --> A2
      EN --> A3

      class EN endor
      class A1,A2,A3 managed
      classDef managed fill:#3FE1F3

Ensure the following prerequisites are in place before you install the Endor Labs Azure DevOps App.

  • An Azure DevOps cloud account and organization. If you don’t have one, create one at Azure DevOps.
  • The Endor Labs Azure DevOps App requires read permissions in your projects. You can grant these permissions by giving read access to the Code category when you create an Azure DevOps personal access token for Endor Labs.

To automatically scan repositories using the Azure DevOps App:

  1. Sign in to Endor Labs.

  2. Select Projects from the left sidebar and click Add Project.

  3. From AZURE, select Azure DevOps App.


  4. Enter the host URL of your Azure project.

    The URL must be in the format, https://dev.azure.com/<ORG_NAME>/ when you add an Azure organization. When you add an Azure DevOps project, the URL must be in the format, https://dev.azure.com/<ORG_NAME>/<PROJECT_NAME>.

  5. Enter your personal access token from Azure.

    You must have at least read permissions in the Code category for your Azure DevOps personal access token.

  6. Click Scanners and select the scan types to enable.

    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • Secret: Scan Azure repos for exposed secrets.
    • CI/CD: Scan Azure repos and identify all the CI/CD tools used.
    • SAST: Scan your source code for weaknesses and generate SAST findings.

    The available scan types depend upon your license.

  7. Select Include Disabled Repositories to scan your archived repositories. By default, the Azure archived repositories aren’t scanned.

  8. Click Create.
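The host URL format from step 4 decides which of the two namespace layouts described above Endor Labs creates. The following added example (not Endor Labs' own code) validates a host URL against those two formats and derives the managed namespaces that would result; the project list is constructed for the example and stands in for what the App discovers after installation.

```python
from urllib.parse import urlparse

# Constructed sample data for this example: the projects that the App would
# discover under each organization once installed (assumption, not real data).
SAMPLE_PROJECTS = {"deerinc": ["buck", "doe", "fawn"]}


def parse_host_url(url):
    """Validate the step 4 host URL and return (org, project_or_None).

    Accepted shapes:
      https://dev.azure.com/<ORG_NAME>/               -> organization-level install
      https://dev.azure.com/<ORG_NAME>/<PROJECT_NAME> -> project-level install
    Anything else raises ValueError. Catching a bad URL up front matters because
    the host URL cannot be edited later; the integration must be deleted and reinstalled.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc.lower() != "dev.azure.com":
        raise ValueError(f"host must be https://dev.azure.com, got {url!r}")
    segments = [s for s in parts.path.split("/") if s]
    if not 1 <= len(segments) <= 2:
        raise ValueError(f"path must be /<ORG>/ or /<ORG>/<PROJECT>, got {parts.path!r}")
    project = segments[1] if len(segments) == 2 else None
    return segments[0], project


def is_valid_host_url(url):
    """True when the URL matches one of the two accepted formats."""
    try:
        parse_host_url(url)
        return True
    except ValueError:
        return False


def managed_namespaces(parent, url, projects_by_org=SAMPLE_PROJECTS):
    """Return {managed_namespace: its_parent} for an install of `url` under `parent`."""
    org, project = parse_host_url(url)
    tree = {}
    if project is None:
        # Organization-level: one namespace for the org, one child per project.
        tree[org] = parent
        for name in projects_by_org.get(org, []):
            tree[name] = org
    else:
        # Project-level: a single namespace named <organization name>-<project name>.
        tree[f"{org}-{project}"] = parent
    return tree
```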

Endor Labs Azure DevOps App scans your Azure repos every 24 hours and reports any new findings or changes to release versions of your code.

Manage Azure DevOps App on Endor Labs

You can make changes to the Azure App integrations or delete them. You can view the activity logs for the Azure App and rescan your Azure projects on demand.

  1. Sign in to Endor Labs and select Manage > Integrations from the left sidebar.

  2. Click Manage next to Azure under Source Control Managers.


  3. Click the three vertical dots next to the integration.

    You can choose from the following options:

To edit the Azure App integration:

  1. Click the three vertical dots next to the integration, and select Edit Integration.
  2. Update your personal access token and choose the scanners as needed.
  3. Click Save. The changes are applicable from the next scanning cycle.

To delete an Azure App integration, click the three vertical dots next to the integration, and select Delete Integration.


When you delete the integration, Endor Labs also deletes all child namespaces, projects, and references associated with the auto-generated root group namespace, including any manually created namespaces and projects under that auto-generated namespace.

Endor Labs detects and reports installation and synchronization errors during organization sync. These include expired tokens, insufficient permissions, invalid host configurations, and certificate issues. The sync logs report these errors so that you can resolve them.


To view sync logs, click the three vertical dots next to the integration, and select View Sync Logs.

The sync logs display details of synchronization attempts, including timestamps, error types, and diagnostic messages. These logs help identify issues such as authentication failures or configuration problems.

The sync logs detect and display the following categories of sync failures:

  • Expired or invalid Personal Access Tokens (PATs): The PAT used for authentication has expired or is no longer valid. Edit the integration and provide a valid token.
  • Insufficient PAT permissions: The PAT does not have the required scopes, such as repository read access. You must generate and provide a PAT with the correct access.
  • Certificate-related access issues: The certificates required to connect to the SCM are invalid, outdated, or untrusted. This error occurs in self-hosted GitLab instances that use custom SSL certificates. Update the certificate configuration or ensure the certificate chain is properly trusted to resolve the issue.
  • Incorrect or invalid host URLs: The configured URL is incorrect or unreachable. Since you cannot edit the host URL, you need to delete and reinstall the integration using the correct URL.

After you resolve the issue, the error is automatically cleared during the next successful scan. You can manually re-trigger the scan using Rescan Org to verify the resolution immediately.


Azure App scans your repositories every 24 hours. Click Rescan Org to manually trigger a scan outside the 24-hour period.

Click Scan More Repositories to go to Projects, where you can add more projects to scan through the Azure App.