Integrate with Azure Repos

Overview

Integrating Bridgecrew with Azure Repos makes it possible for Bridgecrew to scan your Infrastructure-as-Code files and monitor configuration issues in development. Bridgecrew takes on the permissions of the OAuth token used, including the repositories that the user has access to. In order for Bridgecrew to have access to the repositories, ensure "Limit job authorization scope to current project for non-release pipelines" is Off.

Multi-Token Integrations in Azure Repos

Bridgecrew supports multiple Azure Repos integrations for a single Bridgecrew tenant, performed by using multiple OAuth user tokens without the need to change the permission settings within Azure Repos. You can onboard multiple organizations from the same Azure Repos account (using a single VCS user token), or enable multiple tokens to onboard multiple organizations, whether they belong to the same Azure Repos account or not. This capability increases your enterprise's readiness and scale.

How to Integrate

Authorizing Organizations and Managing Tokens and Repositories

  1. From the Integrations Catalogue, under Code Repositories, select Azure Repos.
  2. Under Configure Account, select whether you want to integrate a single organization or multiple organizations for a single user token. Note that the purpose of this step is only to guide you through configuring your Azure Repos permission settings to support integrating multiple organizations for a single user token - it does not affect Bridgecrew's capability to support multiple user tokens.
    Selecting Skip will direct you to selecting repositories, but you must have at least one integrated account to do so.

Authorizing a single organization


Authorizing multiple organizations

  3. Select Authorize. You will be directed to your Azure Repos account. Depending on whether you selected a single organization or multiple organizations in step 2, follow the instructions in the wizard accordingly. Each Azure Repos organization you authorize will be included in future scans.

📘

Note

For integrating multiple organizations, ensure the "Third-party application access via OAuth" is On in your Azure Repos account.

  4. After authorization, you will be redirected to Bridgecrew to Select Repositories.
  5. From the drop-down menu, select a user token.
  6. For this token, select whether to:
  • Permit all existing repositories
  • Permit all existing and future repositories
  • Choose from repository list - if you select this option, a list of relevant repositories will be displayed.

Permitting all existing repositories


Choosing from a repository list

After you finish selecting repositories for a certain token, you can navigate to another token and repeat the process as needed - your previous selections will be saved.

  7. Select Next. Note that selecting Previous will redirect you to the Configure Account tab.

📘

Note

If the same repository is associated with multiple tokens, selecting or unselecting this repository for one token will affect all the tokens associated with it.

  8. Your settings will be saved. Select Done to exit or Previous to edit your configuration.

You can see all the user tokens in the Integration Grid on the Integrations page.


Editing and Revoking Tokens

You can see the list of VCS user tokens and edit it as follows:

  • To edit the repository selection for a certain token, select Reselect repositories from the drop-down menu.
  • To delete a VCS token and all its repositories, select Revoke OAuth User Token from the drop-down menu.

Integrating Multiple Users - Alternative Method

An alternative method to the one described above is to grant other users permission to access your integrated Azure Repos account. This means all authorizations will be performed from a single VCS token, without the option to navigate between tokens while selecting repositories. All added users will be able to view all the projects and repositories of the relevant organization and make their own integrations.

📘

Note

In this scenario, you still need to ensure the "Third-party application access via OAuth" is On in your Azure Repos account.

To invite users to access a certain organization, in your Azure Repos account:

  1. Go to the relevant organization.
  2. Go to Organization Settings.
  3. Under General, select Users.
  4. Click Add Users.
  5. Enter the email addresses of the users you would like to add, then select Add.
  6. Under Security, go to Permissions.
  7. Under the Groups tab, select Project Collection Administrators to add the relevant users to this group. This will grant each user access to all the projects and repositories associated with this organization.
  8. Under Members, click Add and enter the email addresses of the relevant users.

Each user you have added will receive an invitation email. They need to select Join Now to complete the process.


The relevant organization will now be displayed in the Azure Repos account of each user. All added users will be able to add new Azure Repos integrations from the Bridgecrew console by configuring their accounts and selecting the relevant repositories.

📘

Note

In Azure Repos, you can see details of rights granted to Bridgecrew under Authorizations.


The rest of the integration process (in Bridgecrew) is the same as described at the beginning of this article, but with one VCS token to select repositories for instead of a list of tokens.

After the next Azure Repos scan you conduct, the scanned repository will appear in the Integration grid; for further details, see here.

Examples

The images below show three different examples of Bridgecrew PR comments on different issues: suggested fix, license compliance error, and SCA (vulnerability) issue.


Suggested fix PR comment


License compliance error PR comment


Vulnerability PR comment