
Integrate Azure DevOps with BoostSecurity


BoostSecurity lets you connect your Azure DevOps projects to enable security checks on your repositories, including CI/CD supply chain security checks.


Prerequisites


Before you begin, make sure you have:

  • Created a Personal Access Token (PAT) in Azure DevOps with the required permissions.
  • Installed the Azure DevOps BoostSecurity Scanner marketplace application.
  • Created a non-empty boost repo in the organization where you installed the BoostSecurity marketplace application.
  • Ensured "Third-party application access via OAuth" is permitted in your ADO organization settings by navigating to the security section, opening the organization policy at https://dev.azure.com/{ORGANIZATION_NAME}/_settings/organizationPolicy, and setting the "Third-party application access via OAuth" option to "On" under the application connection policies section.

How To Create a Personal Access Token With The Correct Permissions


To create a PAT with the correct permissions,

  • Go to your "User Settings" in ADO and navigate to your "Personal Access Tokens".

    • In the top right corner, next to your user icon, expand the user settings contextual menu.
    • Open the personal access token settings by clicking on the corresponding menu item.

    ADO User Settings

  • Create a new personal access token as follows:

    • Set the expiration for the token. It is recommended to set it to the longest period allowed by your organization's guidance.
    • In the “Organization” input field, select all organizations to grant the PAT access to them.
    • In "Scope", select the "custom defined" option, expand to show all scopes and set the required permissions.

    ADO Permissions

    • Click on Create to create your new PAT.

Permissions


This Integration and Zero Touch Provisioning will use the following permissions:

Scope Group             Permissions
Agent Pools             Read
Analytics               Read
Build                   Read & Execute
Code                    Read and Write, Status
Extensions              Read & Manage
Pipeline Resources      Use & Manage
Project & Team          Read
Pull Request Threads    Read & Write
Variable Groups         Read, Create & Manage
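
An added example, not part of the BoostSecurity documentation: a least-privilege and expiry audit that compares a PAT's granted scopes with the permission table above. The `vso.*` identifiers mapped to each row, the `app_token` full-access value, and the record fields (`displayName`, `scope`, `validTo`) are assumptions about how Azure DevOps reports a token; the sample records are constructed.

```python
from datetime import datetime, timezone

# Assumed mapping from the permission table to Azure DevOps scope identifiers.
REQUIRED = {
    "vso.agentpools": "Agent Pools: Read",
    "vso.analytics": "Analytics: Read",
    "vso.build_execute": "Build: Read & Execute",
    "vso.code_write": "Code: Read & Write",
    "vso.code_status": "Code: Status",
    "vso.extension_manage": "Extensions: Read & Manage",
    "vso.pipelineresources_manage": "Pipeline Resources: Use & Manage",
    "vso.project": "Project & Team: Read",
    "vso.threads_full": "Pull Request Threads: Read & Write",
    "vso.variablegroups_manage": "Variable Groups: Read, Create & Manage",
}
FULL_ACCESS = "app_token"  # scope value of a "Full access" PAT (assumption)


def audit_pat(record, now, warn_days=30):
    """Return findings for one PAT record: scope drift and expiry."""
    granted = set(record["scope"].split())
    expires = datetime.fromisoformat(record["validTo"].replace("Z", "+00:00"))
    days_left = (expires - now).days
    full = FULL_ACCESS in granted
    # A full-access token covers every row, so nothing is reported as missing.
    missing = [] if full else sorted(REQUIRED[s] for s in set(REQUIRED) - granted)
    extra = sorted(granted - set(REQUIRED) - {FULL_ACCESS})
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("expires-soon")
    if full:
        findings.append("full-access")
    if missing:
        findings.append("missing-scopes")
    if extra:
        findings.append("extra-scopes")
    return {"findings": findings, "missing": missing, "extra": extra,
            "days_left": days_left}


# Constructed sample records (not real tokens); NOW is fixed for reproducibility.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ALL = " ".join(REQUIRED)
DRIFT = ALL.replace("vso.code_status ", "") + " vso.work_write"
SAMPLES = [
    {"displayName": "boost-ok", "scope": ALL, "validTo": "2026-01-31T00:00:00Z"},
    {"displayName": "boost-drift", "scope": DRIFT, "validTo": "2025-06-15T00:00:00Z"},
    {"displayName": "boost-full", "scope": "app_token", "validTo": "2025-05-01T00:00:00Z"},
]
```

A `missing-scopes` finding means the integration may fail on the corresponding feature; `extra-scopes` and `full-access` mean the token grants more than the table asks for.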

1. Connect Azure DevOps to BoostSecurity


To install the BoostSecurity integration for Azure:

  1. Go to the Integrations page.
  2. Select the Azure DevOps Account integration from the Available section.

    Azure DevOps Account

  3. Click Install: A window will appear, prompting you to provide the Personal Access Token and Integration Name for Azure, then click Install.

    Ensure the token has access to all the organizations.

    Installation

    Note

    If the Personal Access Token is set to expire, the BoostSecurity Azure DevOps integration will need to be updated with a new token once the original one expires.

  4. Click Complete to save.

Once the installation is complete, the BoostSecurity Azure DevOps Account card is added to the Settings > Integrations > Installed section. At this point, BoostSecurity integration is enabled for your Azure project. You can repeat these steps to allow integration with additional Azure projects.


2. Zero Touch Provisioning for ADO


Follow these steps to set up ZTP for Azure DevOps:

  1. Go to the Integrations page, select your Azure DevOps integration and click on the configuration tab.

  2. On the ZTP column, you will notice that the "ZTP status" is set to Not Set. Click on the actions menu next to the status and select Enable.

    Enable ZTP

  3. On the ZTP Wizard, the first step is to give BoostSecurity permissions for the Zero Touch Flow on your Azure DevOps Organization. The Zero Touch Flow requires a Personal Access Token with these permissions.

    Give Permissions

  4. Click the Next button to proceed.

  5. BoostSecurity configures the boost repo on your ADO organization.

    Configure Boost Repo

  6. Install and authorize the BoostSecurity.io Zero Touch provisioning on your organizations. Click on the Accept button at the bottom of the page.

    Grant Permissions for CI Provisioning

    Please note the warning below:

    On your first scan, you need to authorize the "boostsecurityio.boost-scanner" pipeline to access the variable group boostsecurityio before you can see results on your dashboard.

  7. The pipeline configuration is ready.

    ZTP Flow complete

    Note

    By clicking the Enable Boost Recommended Scanners button, Boost will provision multiple scanners for every repository it has access to. These scanners will then request new scans to be conducted for each of those repositories. Please note that this process would have a financial impact on your services, so ensure that this is the correct course of action before proceeding.

    If you are connecting to a large collection of repos, you may want to enable scanning in a more targeted manner.

Zero Touch Provisioning is now enabled!!!


3. Enable Default Scanner Protection


After successfully integrating your Azure DevOps organization, enabling the BoostSecurity scanner is recommended.

To do this:

  1. Go to the Scanner Coverage page and select the Default Scanner Protection column for your ADO integration.

  2. Toggle SAST, SBOM, SCA, or Secrets to enable the BoostSecurity Scanner default protection on your ADO resource.

    Enable CI/CD Scanner