Skip to main content
You can configure PR scans when creating a new Azure DevOps App installation or for an existing Azure DevOps App integration. Endor Labs automatically configures webhooks to scan your pull requests. You can also choose to receive PR comments on your pull requests. After you configure PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan. See Azure DevOps PR comments for more information.

Create an access token

To enable PR scans and PR comments, provide a personal access token with the Code read and write permissions. The token must belong to a user with at least Basic access level in your Azure DevOps organization and the Project Administrator role for the projects you want to scan.
  1. Sign in to your Azure DevOps organization and navigate to your account settings.
  2. Create a personal access token with custom scope.
  3. Select Read & write under Code.
  4. Click Save
  5. Copy the generated access token and store it in a secure location. You need it when configuring the Azure DevOps App integration in Endor Labs.

Configure PR scans during a Azure DevOps App installation

After you complete the initial installation of the Azure DevOps App in Endor Labs, you can configure PR scans. You can also choose to apply PR scans to specific repositories rather than all the repositories in your organization or project through a scan profile. See configure PR scans for specific repositories for more information.
  1. Select Pull Request Settings and toggle on Enable Pull Request scans to enable automatic scanning of PRs submitted by users. Pull request configurations in Bitbucket Cloud
  2. Optionally, toggle on Post comments on Pull Requests to allow Endor Labs to comment on PRs for policy violations. When you enable PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan. You need to set up action policies in Endor Labs to receive the comments. See Azure DevOps PR comments for more information.
  3. By default, PR scans skip reachability analysis for faster results. Under Advanced Options, toggle on Enable Full scan with reachability when you want reachability analysis and call graph generation for supported languages.
  4. Click Save PR Settings.

Configure PR scans for existing Azure DevOps integrations

You can configure PR scans for existing Azure DevOps integrations or after creating a new Azure DevOps integration.
Permissions for your access tokenEnsure that the access token has the Code read and write permissions. Refer to Create an access token
  1. Select User menu > Integrations from the left sidebar.
  2. Click Manage next to Azure DevOps under Source Control Managers.
  3. Click the vertical three dots next to the Azure DevOps integration that you want to update.
  4. Select Edit Configuration.
  5. Select Pull Request Settings. Edit Bitbucket Cloud PR settings
  6. Toggle on Enable Pull Request Scans to enable PR scans.
  7. Optionally, toggle on Post comments on Pull Requests to enable PR comments. Ensure that you complete the PR comments configuration in Endor Labs to receive the comments. See Azure DevOps PR comments for more information.
  8. Click Save PR Settings to save the PR settings.
  9. Click Update Configuration to save the changes. The changes are applied from the next scanning cycle.
    Click Rescan Org after editing the integration to apply changes immediately instead of waiting for the next scheduled scan.

Configure PR scans for specific repositories

You can configure PR scans and PR comments only for specific repositories. If you select the options to configure PR scans in your Azure DevOps App integration, pull requests for all the repositories in your project or workspace are scanned. Instead, you can choose to configure PR scans and PR comments for selected repositories using scan profiles.
  1. Enable PR scans and PR comments during the initial Azure DevOps App installation. This ensures that the webhooks are properly configured and recognized by Endor Labs.
  2. Edit the Azure DevOps App integration and disable Pull Request Scans and Pull Request Comments. This prevents PR scans from running for all repositories in the project or organization.
  3. Create a scan profile with Pull Request Scans and optionally Pull Request Comments enabled under Developer Workflow. Configure PR scans for selected projects
  4. Associate the scan profile with the specific repository where you want PR scans to run.
This approach allows you to control which repositories have PR scans enabled while ensuring that the webhook is properly configured during the initial installation.

Azure DevOps PR comments

PR comments are automated comments added to pull requests when Endor Labs detects policy violations or security issues during scans. When a PR is raised or updated, Endor Labs runs scans on the proposed changes and adds a comment if any violations are detected based on the configured action policies. After you enable PR comments, you need to set up an action policy to allow comments to be posted on pull requests.

Configure action policy for PR comments

The action policy that you create triggers the posting of comments on your pull request after a scan is complete. See Action policy for more information. You can create multiple action policies based on your requirements, which the PR scan can trigger. If you create action policy with the Secret template, you get an inline comment with the line number where the secret is detected. Ensure that you configure the following important settings in the action policy:
  1. Choose an appropriate action policy template or create a custom action policy. You can choose an action policy template like Vulnerabilities or create a custom action policy.
  2. Under Action, select Enforce Policy, then choose:
    • Warn to post a comment without breaking the build.
    • Break the Build to fail the build and block the pull request.
  3. Define the scope of the policy using tags. Only projects that match the specified tags will receive PR comments.
  4. Select Propagate this policy to all child namespaces if you want to apply the policy to all child namespaces.

PR comments template

Endor Labs provides a default template for PR comments that you can use out-of-the-box. You can also create custom templates using Go Templates. The following section shows the default template for PR comments. You can create your custom template by editing the default template and saving the changes. The following specification shows the additional functions that you can use in your custom template. You can access these functions by using their corresponding keys. To edit the default template:
  1. Select User menu > Integrations from the left sidebar.
  2. Click Edit Template next to Azure DevOps under Template for PR Comments. Azure DevOps supports both markdown and HTML tags in PR comments. azure pr comments template
  3. Update the template with the required changes.
  4. Select Propagate this template to all child namespaces if you want to apply the template to all child namespaces.
  5. Click Save Template to save the changes.
Restore the default templateYou can restore the default template by clicking Restore to Default in the template editor to go back to the initial template.
Action policy propagation in child namespacesIf you select Propagate this policy to all child namespaces, and update the policy in the child namespace, the policy in the child namespace takes precedence over the policy in the parent namespace. If you select the propagate option for the child namespace, its child namespaces will also inherit the policy. Since namespace hierarchy follows the organization and project hierarchy of Azure DevOps, you can effectively use this option to control the policy for different levels of your organization.

PR scan comments in Azure DevOps

After you enable PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan based on the action policies. The following example shows a comment on the pull request as a result of the action policy for policy violations. Click Details to view the more information of the finding in Endor Labs. Azure DevOps comment example For secrets, Endor Labs also generates a comment with the line number where the secret is detected. Azure DevOps secrets comment example

View PR scan findings in Azure DevOps

When you create a new pull request, the Endor Labs Azure DevOps App scans the pull request. Endor Labs generates findings based on the finding policy.
  1. Select Projects from the left sidebar.
  2. Select the project for which you want to view the PR scan findings.
  3. Select PR runs to view the PR scan findings. View PR runs
  4. Select the PR for which you want to view the findings. View PR scan findings
  5. Click View Findings to view the findings on the PR. View PR scan findings in detail
See View Findings for more information on Findings in Endor Labs.