> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Add an Azure DevOps repository to Semgrep Managed Scans

Add Azure DevOps repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through **Managed Scans**.

## Prerequisites and permissions

* Semgrep Managed Scans require repositories hosted by Azure DevOps Services. Azure DevOps Server is not supported.
* Semgrep recommends setting up and configuring Semgrep Managed Scans with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization.
* During setup and configuration, you must provide a personal access token generated by the account. This token must be authorized with **Full access**.
  * Once you have Managed Scans fully configured, you can add restrictions to the token provided to Semgrep. The scopes you must assign to the token include:
    * `Code: Read`
    * `Code: Status`
    * `Member Entitlement Management: Read`
    * `Project and Team: Read & write`
    * `Pull Request Threads: Read & write`

## Enable Managed Scans and scan your first repository

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Click **Scan new project > Semgrep Managed Scan**.
  </Step>

  <Step>
    Select **Azure Devops** as your source code manager.
  </Step>

  <Step>
    On the **Add to Azure DevOps Pipeline** page, provide the following information:<br /><br />
    i. Your **Access token**. See [User personal access tokens](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) for token generation information. Ensure you set the Azure DevOps SCM name to `organization_name/project_name`.<br /><br />
    ii. The name of your **Azure DevOps Project**.
  </Step>

  <Step>
    Click **Connect** to proceed.
  </Step>
</Steps>

You have finished setting up a Semgrep managed scan. Click **Back to Managed Scans** to see your projects.

* After enabling Managed Scans, Semgrep performs a full scan on all the repositories in batches.
* Once a repository has been added to Semgrep AppSec Platform, it becomes a **project**. A Semgrep AppSec Platform project includes all the repository's findings, history, and scan metadata.
* Projects with a Managed Scan configuration are tagged with `managed-scan`, regardless of whether the project is actively being scanned by Semgrep Managed Scans or not. The **Projects** list also contains pending scans and scans that never started.

## Add additional Azure DevOps projects

You can enable Semgrep Managed Scans for additional repositories after onboarding using the following steps:

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Click **Scan new project > Semgrep Managed Scan**.
  </Step>

  <Step>
    On the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans.<br /><br />
    i. Optional: If you don't see the repository you want to add, click **Sync projects**.
  </Step>

  <Step>
    Select the repositories you want to scan from the list.
  </Step>

  <Step>
    Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans.
  </Step>

  <Step>
    Optional: Disable PR or MR diff-aware scans by turning off the **Enable PR/MR scans** toggle.
  </Step>

  <Step>
    Click **Enable**.
  </Step>
</Steps>

### If the page doesn't display any repositories

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    If the page doesn't display the repository you want to add, click **Sync projects**.
  </Step>

  <Step>
    If the page doesn't display any repositories, click **Sync projects**.
  </Step>

  <Step>
    Optional: Perform a hard refresh (<kbd>Ctrl</kbd>+<kbd>F5</kbd> or <kbd>Cmd</kbd>+<kbd>Shift</kbd>+<kbd>R</kbd>).
  </Step>
</Steps>

### Convert or migrate an existing Semgrep CI job

You can immediately add any existing project to Managed Scans.

<Steps>
  <Step>
    Follow the steps in [Add additional Azure DevOps projects](#add-additional-azure-devops-projects).
  </Step>

  <Step>
    Delete the existing pipeline configuration file in your repository if appropriate.
  </Step>
</Steps>

If you plan to continue running some scans in Azure DevOps Pipelines (for example, using Managed Scans to run weekly full scans but Pipelines for diff-aware scans) you can leave the workflow file in place, and edit it to reflect your desired configuration.

<Tip>
  **TIP**

  Semgrep preserves your findings, scans, and triage history.
</Tip>

## Scan management and configuration

### Manually run a full scan

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Search for your repository's name.
  </Step>

  <Step>
    Click the <Icon icon="gear" iconType="solid" /> **gear icon** to access the settings page for that repository.
  </Step>

  <Step>
    Click **Run a new scan > Rule-based detection**.
  </Step>
</Steps>

> You can manually run a full scan for both primary and non-primary branches.

### Re-run a failed scan or a scan that never finished

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Click on the project name.
  </Step>

  <Step>
    Find the scan that failed or never finished using the **Status** column, and click **Details** to open the **Scan logs** dialog.
  </Step>

  <Step>
    Ensure that you're on the **Overview** tab of the **Scan logs** dialog, then click **Retry scan**.
  </Step>
</Steps>

### Disable diff-aware scans on PRs

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Search for your repository's name.
  </Step>

  <Step>
    Click the <Icon icon="window-restore" iconType="solid" /> **window icon** under **Details** to access the settings page for that repository.
  </Step>

  <Step>
    Click the toggle for diff-aware scans.
  </Step>
</Steps>

### Delete a project

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Search for your repository's name.
  </Step>

  <Step>
    Click the <Icon icon="window-restore" iconType="solid" /> **window icon** under **Details** to access the settings page for that repository.
  </Step>

  <Step>
    Click the dropdown at the header and click **Delete project**.
  </Step>
</Steps>

To delete an archived project:

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="folder-open" iconType="solid" /> **Projects**.
  </Step>

  <Step>
    Switch to the **Not Scanning** tab of the **Projects** page.
  </Step>

  <Step>
    Select the checkbox to **Show archived** projects.
  </Step>

  <Step>
    Search for the archived repository's name.
  </Step>

  <Step>
    Click the <Icon icon="window-restore" iconType="solid" /> **window icon** under **Details** to access the settings page for that repository.
  </Step>

  <Step>
    Click the dropdown at the header and click **Delete project**.
  </Step>
</Steps>

### Configure fail open to prevent diff-aware scans from blocking pull requests and merge requests

By default, diff-aware managed scans are set to **fail open** if a scan errors out or takes too long. This means that diff-aware scans are marked as successful on the pull request (PR) or merge request (MR), even if they haven't completed after the specified timeout, allowing you to make the Semgrep status check required in your source code manager (SCM) while not blocking someone from merging a PR or MR if the check encounters an unexpected issue or takes too long.

<Frame caption="Sample pull request showing the status of a diff-aware scan.">
  <img src="https://mintcdn.com/semgrep-ee9d73d8/dAOv4YoaZfaIbJZH/images/pr-status-check-06f80c71ec387d84294255bdbfcdc25e.png?fit=max&auto=format&n=dAOv4YoaZfaIbJZH&q=85&s=dba084bd8b933fb73a83917b580d3e11" alt="Sample pull request showing the status of a diff-aware scan." width="1520" height="346" data-path="images/pr-status-check-06f80c71ec387d84294255bdbfcdc25e.png" />
</Frame>

#### How fail open works

<Steps>
  <Step>
    If enabled, the fail open feature is triggered whenever you open a PR or MR.
  </Step>

  <Step>
    Initially, Semgrep sends an update to mark the PR or MR as `pending`.
  </Step>

  <Step>
    Once the diff-aware scan begins, the PR or MR is updated to a status of `running`.
  </Step>

  <Step>
    The diff-aware scan completes, and the PR or MR is updated to a status of `succeeded` or `failed`.
  </Step>

  <Step>
    If the diff-aware scan is in `pending` or `running` status longer than the configured timeout, then the fail open process updates the PR or MR to display a status of `succeeded`. This prevents the Semgrep scan from blocking the developer from merging their changes.
  </Step>
</Steps>

If Semgrep marks a PR or MR as `succeeded`, you can merge the PR or MR without waiting for the diff-aware scan to complete. However, if the PR or MR is still open and the scan completes *after* the fail open timeout is reached, Semgrep can still report the findings and mark the status as `failed`.

#### Configure fail open

By default, fail open is enabled. However, you can disable this feature and adjust the timeout value:

<Steps>
  <Step>
    Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Go to **Settings > General > Managed Scans**.
  </Step>

  <Step>
    Click the <Icon icon="toggle-large-on" iconType="solid" /> **Fail open** toggle to turn off this feature.
  </Step>

  <Step>
    Set the **Timeout** value in minutes. The default value is **10 minutes**, the minimum value is **1 minute**, and the maximum value is **60 minutes**.

    <Frame caption="Semgrep AppSec Platform settings page with fail open configuration options.">
      <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/fail-open-config-ccc1c4b81d5710e419b725b1a1d193e0.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=0d13c1f03296177e06617c934127eefc" alt="Semgrep AppSec Platform settings page with fail open configuration options." width="1900" height="702" data-path="images/fail-open-config-ccc1c4b81d5710e419b725b1a1d193e0.png" />
    </Frame>
  </Step>
</Steps>

## Disable webhooks

Managed Scans of Azure DevOps projects require webhooks. The webhooks are enabled by default when you add Azure DevOps as a source code manager when setting up Managed Scans. Webhooks are required for diff-aware scans and triaging by PR or MR comments.

You can turn off webhooks at any time by following these steps:

<Steps>
  <Step>
    In Semgrep AppSec Platform, go to [Settings > Source code managers](https://semgrep.dev/orgs/-/settings/source-code).
  </Step>

  <Step>
    Find your Azure DevOps connection, and click the <Icon icon="toggle-large-on" iconType="solid" /> toggle to turn off **Incoming webhooks**.
  </Step>
</Steps>

## Revoke Semgrep's access to your repositories

The following steps revoke the code access you previously granted Semgrep for all repositories you selected.

<Steps>
  <Step>
    In Semgrep AppSec Platform, click <Icon icon="gear" iconType="solid" /> **Settings > Source Code Managers**.
  </Step>

  <Step>
    Find the Azure DevOps entry on the list of **Source code managers** and click **Remove**.
  </Step>

  <Step>
    Click **Remove** to confirm.
  </Step>
</Steps>

## Turn off Managed Scans for specific repositories in Semgrep AppSec Platform

<Steps>
  <Step>
    Sign in to Semgrep AppSec Platform.
  </Step>

  <Step>
    Go to Projects and find the project you no longer want scanned with Semgrep Managed Scanning. Click the project's **Details** page > **Settings** tab.
  </Step>

  <Step>
    Toggle the switch for **Managed diff scans** to turn off scans of new pull requests and merge requests and **Managed full scans** to turn off full scans of the base branch.

    <Frame>
      <img src="https://mintcdn.com/semgrep-ee9d73d8/dAOv4YoaZfaIbJZH/images/turn-off-sms-4b1b14b41b9fb0f8b3f2e9bffc2d96e8.png?fit=max&auto=format&n=dAOv4YoaZfaIbJZH&q=85&s=39d543308f295cbf3806f42669bc56b7" alt="Semgrep AppSec Platform toggles to turn off managed scans of repositories" width="1900" height="472" data-path="images/turn-off-sms-4b1b14b41b9fb0f8b3f2e9bffc2d96e8.png" />
    </Frame>
  </Step>
</Steps>

## Enable status checks

To protect branches whose repositories are automatically scanned by Semgrep, enable Azure DevOps status checks:

<Steps>
  <Step>
    Sign in to Azure DevOps and navigate to the Azure DevOps project you've connected to Semgrep.
  </Step>

  <Step>
    Go to **Repos > Branches**.
  </Step>

  <Step>
    Find the branch to which the status check should be applied, and click the <Icon icon="ellipsis-vertical" iconType="solid" /> three vertical dots to open up the **More options** dialog.
  </Step>

  <Step>
    Select **Branch policies**.
  </Step>

  <Step>
    Ensure that the branch to which you want the status check applied is selected. Navigate to **Status Checks**, and click the **Add +** button to proceed.

    <Frame caption="Configure status checks for a branch in Azure DevOps.">
      <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/ado-status-checks-setup-7b2a3ba57922077d629fca96080ad7a7.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=84e8d1512db543c8e4e36c27875d2b0e" alt="Configure status checks for a branch in Azure DevOps" width="2524" height="1886" data-path="images/ado-status-checks-setup-7b2a3ba57922077d629fca96080ad7a7.png" />
    </Frame>
  </Step>

  <Step>
    In the dialog that appears:<br /><br />
    i. Leave the **Status to check** box blank, since this value is auto-populated as you provide values in subsequent steps.<br /><br />
    ii. Select the **Enter genre/name separately** box. Provide the following values:<br /><br />
    a. **Genre**: `security`<br /><br />
    b. **Name**: `semgrep-cloud-platform/scan`

    Once you provide the **Genre** and **Name**, Azure DevOps auto-populates **Status to check**. <br /><br />
    iii. Choose whether the status check needs to succeed or not to complete pull requests. Selecting **Required** means that a status of `succeeded` is necessary to complete pull requests. Selecting **Optional** means that a status of `failed` will not block the completion of pull requests.

    <Frame caption="Add status policy dialog in Azure DevOps.">
      <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/ado-add-status-policy-5c20588b6ec763758c00bf97fe67c5c0.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=920b345b00844f9f77644fa7ded52c99" alt="Add status policy dialog in Azure DevOps." width="1900" height="1204" data-path="images/ado-add-status-policy-5c20588b6ec763758c00bf97fe67c5c0.png" />
    </Frame>
  </Step>

  <Step>
    Click **Save** to proceed.
  </Step>
</Steps>

At this point, all subsequent pull requests opened against this branch are subject to the status check you created.

<Frame caption="PR notification after a status check passes.">
  <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/ado-status-checks-ccb36f40dfe28484c85cd7b9944e1b53.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=f5e74de8b2a77c1e95768ee75dde3fb4" alt="PR notification after a status check passes." width="1900" height="621" data-path="images/ado-status-checks-ccb36f40dfe28484c85cd7b9944e1b53.png" />
</Frame>

See [Configure a branch policy for an external service](https://learn.microsoft.com/en-us/azure/devops/repos/git/pr-status-policy?view=azure-devops) for additional information about status checks.

## Troubleshooting: multiple projects

If you currently scan Azure DevOps repositories in your CI pipeline, you may see findings assigned to two separate projects once you enable Semgrep Managed Scans. For example, findings from Managed Scans go to the `semgrep/frontend/webpage` project, while findings from CI scans go to the `frontend/webpage` project. If this is the case, Semgrep AppSec Platform flags these findings with **Possible duplicate**. Please [contact support](/support) for addition assistance.

## Appendices

<Accordion title="Scan logs and statistics">
  ### Scan logs

  To view your scan logs in Semgrep AppSec Platform, go to **Projects**, then click on the project name. The projects in the list are sorted by scan date, with the most recent scans listed first.

  <Note>
    **INFO**

    It can take a few minutes for your latest scan logs to appear. However, if the logs do not update 15 minutes after the scan, there may be issues with the scan itself.
  </Note>

  ### Scan statistics

  **Scan statistics**, such as how many of your repositories are being scanned, the scan success rate, and so on, can be provided once a week upon request. Contact your Semgrep account manager to request scan statistics.
</Accordion>
