Add an Azure DevOps repository to Semgrep Managed Scans

Add Azure DevOps repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through Managed Scans.

Prerequisites and permissions

Semgrep Managed Scanning requires repositories hosted by Azure DevOps Services. It doesn't support Azure DevOps Server.
Semgrep recommends setting up and configuring Semgrep Managed Scanning with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization.
During setup and configuration, you must provide a personal access token generated by the account. This token must be authorized with Full access.
- Once you have Managed Scanning fully configured, you can update the token provided to Semgrep to one that's more restrictive. The scopes you must assign to the token include:
  - Project and Team: Read & write
  - Code: Read
  - Code: Status
  - Pull Request Threads: Read & write

Enable Managed Scans and scan your first repository

In Semgrep AppSec Platform, click Projects.
Click Scan new project > Semgrep Managed Scan.
Select Azure Devops as your source code manager.
On the Add to Azure DevOps Pipeline page, provide the following information:
1. Your Access token. See User personal access tokens for token generation information. Ensure you set the Azure DevOps SCM name to organization_name/project_name.
2. The name of your Azure DevOps Project.
Click Connect to proceed.

You have finished setting up a Semgrep managed scan. Click Back to Managed Scans to see your projects.

After enabling Managed Scans, Semgrep performs a full scan on all the repositories in batches.
Once a repository has been added to Semgrep AppSec Platform, it becomes a project. A Semgrep AppSec Platform project includes all the repository's findings, history, and scan metadata.
Projects scanned through Managed Scans are tagged with managed-scan.

Add additional Azure DevOps projects

You can enable managed scanning for additional repositories after onboarding using the following steps:

In Semgrep AppSec Platform, click Projects.
Click Scan new project > Semgrep Managed Scan.
On the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
1. Optional: If you don't see the repository you want to add, click Sync projects.
Select the repositories you want to scan from the list.
Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
Optional: Disable PR or MR diff-aware scans by turning off the Enable PR/MR scans toggle.
Click Enable.

If the page doesn't display any repositories

In Semgrep AppSec Platform, click Projects.
If the page doesn't display the repository you want to add, click Sync projects.
If the page doesn't display any repositories, click Sync projects.
Optional: Perform a hard refresh (Ctrl+F5 or Cmd+Shift+R).

Convert or migrate an existing Semgrep CI job

You can immediately add any existing project to Managed Scans.

Follow the steps in Add additional Azure DevOps projects.
Delete the existing pipeline configuration file in your repository if appropriate.

If you plan to continue running some scans in Azure DevOps Pipelines (for example, using Managed Scans to run weekly full scans but Pipelines for diff-aware scans) you can leave the workflow file in place, and edit it to reflect your desired configuration.

tip

Semgrep preserves your findings, scans, and triage history.

Scan management and configuration

Manually run a full scan

In Semgrep AppSec Platform, click Projects.
Search for your repository's name.
Click the gear icon to access the settings page for that repository.
Click Run a new scan.

Disable diff-aware scans on PRs

In Semgrep AppSec Platform, click Projects.
Search for your repository's name.
Click the window icon under Details to access the settings page for that repository.
Click the toggle for diff-aware scans.

Delete a project

In Semgrep AppSec Platform, click Projects.
Search for your repository's name.
Click the window icon under Details to access the settings page for that repository.
Click the dropdown at the header and click Delete project.

Disable webhooks

Managed scanning of Azure DevOps projects requires webhooks. The webhooks are enabled by default when you add Azure DevOps as a source code manager when setting up Managed Scanning. Webhooks are required for diff-aware scans and triaging by PR or MR comments.

You can turn off webhooks at any time by following these steps:

In Semgrep AppSec Platform, go to Settings > Source code managers.
Find your Azure DevOps connection, and click the toggle to turn off Incoming webhooks.

Revoke Semgrep's access to your repositories

The following steps revoke the code access you previously granted Semgrep for all repositories you selected.

In Semgrep AppSec Platform, click Settings > Source Code Managers.
Find the Azure DevOps entry on the list of Source code managers and click Remove.
Click Remove to confirm.

Turn off Managed Scans for specific repositories in Semgrep AppSec Platform

Sign in to Semgrep AppSec Platform.
Go to Projects and find the project you no longer want scanned with Semgrep Managed Scanning. Click the project's Details page > Settings tab.
Toggle the switch for Managed diff scans to turn off scans of new pull and merge requests and Managed full scans to turn off full scans of the base branch.

Troubleshooting: multiple projects

If you currently scan Azure DevOps repositories in your CI pipeline, you may see findings assigned to two separate projects once you enable Semgrep Managed Scanning. For example, findings from Managed Scanning go to the semgrep/frontend/webpage project, while findings from CI scans go to the frontend/webpage project. If this is the case, Semgrep AppSec Platform flags these findings with Possible duplicate. Please contact support for addition assistance.

Appendices

Scan logs and statistics

Scan logs

Most recent scan

You can view logs for your most recent scan by clicking Projects > the project's latest scan time under Scan status.

Figure. The Projects page. Click the project's latest scan (underlined) to view the log.

info

It can take a few minutes for your latest scan logs to appear. However, if the logs do not update 15 minutes after the scan, there may be issues with the scan itself.

All scans

Click the project's Details page > Scans tab.
Click the scroll icon under Logs to view the log for the particular entry.

Scan statistics

Scan statistics, such as how many of your repositories are being scanned, the scan success rate, and so on, can be provided once a week upon request. Contact your Semgrep account manager to request scan statistics.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.

Prerequisites and permissions​

Enable Managed Scans and scan your first repository​

Add additional Azure DevOps projects​

If the page doesn't display any repositories​

Convert or migrate an existing Semgrep CI job​

Scan management and configuration​

Manually run a full scan​

Disable diff-aware scans on PRs​

Delete a project​

Disable webhooks​

Revoke Semgrep's access to your repositories​

Turn off Managed Scans for specific repositories in Semgrep AppSec Platform​

Troubleshooting: multiple projects​

Appendices​

Scan logs​

Most recent scan​

All scans​

Scan statistics​