Deploy Endor Labs Azure DevOps App

Get up and running with Endor Labs Azure DevOps App.

Endor Labs provides an Azure DevOps App that continuously scans Azure repos in your projects for security risks. You can selectively scan your repositories for SCA, secrets, SAST, or CI/CD tools.

Endor Labs scans Azure repos at the project level. When you add an Azure DevOps project, Endor Labs automatically scans all repositories within that project. If there are multiple projects you want to scan, you must add them separately.

Managed namespaces for Azure DevOps

When you add an Azure DevOps project to an Endor Labs namespace, Endor Labs creates a child namespace for the Azure DevOps project and maps all repositories in that project to this namespace. The child namespace that maps to the Azure DevOps project is a managed namespace. The managed namespace is named <organization name>-<project name>. For example, if your organization name is deerinc and your project name is doe, the managed namespace is named deerinc-doe.

Managed namespaces have the following restrictions:

  • You cannot delete managed namespaces.
  • You cannot delete repos present within managed namespaces.
  • You cannot add projects or create namespaces within managed namespaces.
  • You cannot create any new Endor Labs App installation within the managed namespaces.

You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace.

For example, your organization name is deerinc and you add three projects, buck, doe, and fawn, to the Endor Labs namespace, endor-azure.

The following image shows the namespace structure in Endor Labs.

graph TD

      %% Endor Labs namespace
      EN[endor-azure]

      %% Azure projects
      A1[deerinc-buck]
      A2[deerinc-doe]
      A3[deerinc-fawn]


      %% connections
      EN --> A1
      EN --> A2
      EN --> A3

      class EN,EN2 endor
      class A1,A2,A3 managed
      classDef managed fill:#3FE1F3

Prerequisites for Azure DevOps App

Ensure the following prerequisites are in place before you install the Endor Labs Azure DevOps App.

  • An Azure DevOps cloud account and organization. If you don’t have one, create one at Azure DevOps.
  • Endor Labs Azure DevOps App requires read permissions in your project. You can grant these permissions by providing read access to the Code category when you create an Azure DevOps personal access token for Endor Labs.

Install the Azure DevOps App

To automatically scan repositories using the Azure DevOps App:

  1. Sign in to Endor Labs.

  2. Select Projects from the left sidebar and click Add Project.

  3. From AZURE, select Azure DevOps App.

  4. Enter the host URL of your Azure project.

    The URL must be in the format, https://dev.azure.com/<ORG_NAME>/<PROJECT_NAME>.

  5. Enter your personal access token from Azure.

    You must have at least read permissions in the Code category for your Azure DevOps personal access token.

  6. Click Scanners and select the scan types to enable.

    • SCA - Perform software composition analysis.
    • Secret - Scan Azure repos for exposed secrets.
    • CI/CD - Scan Azure repos and identify all the CI/CD tools used.
    • SAST - Scan your source code for weaknesses and generate SAST findings.
    • AI models - Scan source code to detect AI models and assess associated risks.

    The available scan types depend upon your license.

  7. Click Create.

Endor Labs Azure DevOps App scans your Azure repos every 24 hours and reports any new findings or changes to release versions of your code.
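
The following added example (not part of the Endor Labs documentation or product code) checks project URLs against the format required in step 4 and derives the managed namespace name described under Managed namespaces. The function names and sample URLs are constructed for illustration, and the example assumes organization and project names are joined verbatim.

```python
from urllib.parse import urlsplit

AZURE_HOST = "dev.azure.com"  # host from the page's URL format


def parse_project_url(url):
    """Return (org, project) for https://dev.azure.com/<ORG_NAME>/<PROJECT_NAME>,
    or raise ValueError with the reason the URL does not match."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username or parts.password:
        # The personal access token has its own field; never place it in the URL.
        raise ValueError("URL must not embed credentials")
    if parts.hostname != AZURE_HOST or parts.port is not None:
        raise ValueError("host must be " + AZURE_HOST)
    if parts.query or parts.fragment:
        raise ValueError("query string and fragment are not part of the format")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        # Catches repository URLs such as .../<project>/_git/<repo>.
        raise ValueError("path must be exactly /<ORG_NAME>/<PROJECT_NAME>")
    return segments[0], segments[1]


def managed_namespace(org, project):
    # Naming rule from the page: <organization name>-<project name>.
    # Assumption: names are joined verbatim; the page only shows plain names.
    return org + "-" + project


def preflight(urls):
    """Return (children, errors): managed namespace names for valid URLs and
    {list index: reason} for rejected ones. Rejected URLs are not echoed back,
    so an embedded token never ends up in the report."""
    children, errors = [], {}
    for index, url in enumerate(urls):
        try:
            children.append(managed_namespace(*parse_project_url(url)))
        except ValueError as exc:
            errors[index] = str(exc)
    return children, errors


# Constructed sample input: the three projects from the page plus common mistakes.
SAMPLE_URLS = [
    "https://dev.azure.com/deerinc/buck",
    "https://dev.azure.com/deerinc/doe/",
    "https://dev.azure.com/deerinc/fawn",
    "https://dev.azure.com/deerinc/doe/_git/web",          # repository URL, not a project URL
    "http://dev.azure.com/deerinc/doe",                    # not https
    "https://build:TOKEN_PLACEHOLDER@dev.azure.com/deerinc/doe",  # credentials in URL
]

if __name__ == "__main__":
    print(preflight(SAMPLE_URLS))
```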

Manage Azure DevOps Apps on Endor Labs

You can edit or delete the Azure DevOps App integrations.

To edit the Azure DevOps App integration:

  1. Sign in to Endor Labs and select Manage > Integrations from the left navigation menu.
  2. Click Manage next to Azure under Source Control Managers.
  3. Click on the three vertical dots next to the integration, and select Edit Integration. You can update your personal access token.
  4. Click SCANNERS and, based on your license, select and enable scanners from the available list.
  5. Click Save. The changes are applicable from the next scanning cycle.

To delete an Azure DevOps App integration, click on the three vertical dots next to the integration, and select Delete Integration.

To manually trigger a scan, click Rescan Org. Azure DevOps App scans your repositories every 24 hours. Use Rescan Org to manually schedule a scan outside the 24-hour period.

Click Scan More Repositories to go to Projects, where you can add more projects to scan through the Azure DevOps App.