HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Scan Azure DevOps for secrets

Connect Azure DevOps as a data source to HCP Vault Radar to scan your Azure DevOps projects for sensitive data and secrets. Vault Radar supports scanning Azure DevOps Server and Azure DevOps Cloud.

If you are new to HCP Vault Radar, checkout the HCP Vault Radar quickstart series.

Prerequisites

  • HCP IAM user with the HCP owner, or admin role

  • Vault Radar agent deployed and running (agent scan only)

  • Access to an Azure DevOps organization and project

  • A personal access token with access scoped to All accessible organizations with the following permission scopes:

    Code > Read
Entitlements > Read
Graph > Read
Identity > Read
Member Entitlement Management > Read
Notifications > Read, Write, Manage
Project and Team > Read
Service Connections > Read
User Profile > Read
Work Items > Read, Write

Add an Azure DevOps data source

You can add and scan Azure DevOps Cloud or Azure DevOps Server using the HCP Vault Radar cloud scan or HCP Vault Radar agent scan.

Scan up to 5000 repositories

Vault Radar allows you to scan up to 5000 repositories per connection. If you have more than 5000 repositories, Vault Radar will select the 5000 repositories with the most recent activity.

Add Azure DevOps Cloud as a data source to scan your Azure DevOps projects for secrets.

  1. Log into the HCP Portal with an HCP IAM user that has the HCP owner or admin role.

  2. Click Vault Radar.

  3. Click Settings.

  4. Click Data Source Hosts.

  5. Click Add data source host.

  6. Select HCP Vault Radar Scan.

  7. Select Azure DevOps Cloud.

  8. Enter the personal access token in the Enter your Azure DevOps personal access token field.

  9. Click Next.

  10. Select either All data sources or Select data sources.

  11. Click Finish

Assign a group to a resource

Once you add a data source, an HCP user with the admin role must assign a group to each of the monitored resources within each data source. You can assign each resource to only one group.

Note

Users with the HCP IAM admin role do not need to be a member of other groups. Accounts with the admin role have full access to Vault Radar.

If you do not already have a group, refer to the Identity and Access Management groups documentation to create a group.

  1. Navigate to the Project dashboard.

  2. Click Access control (IAM).

  3. Click Add new assignment.

  4. Search the name of the group in the Search for an assignee search field.

  5. Click the group name in the search results.

  6. Click the Select service pulldown menu and select Vault Radar.

  7. Click the Select role pulldown menu and select the Vault Radar Developer role.

  8. Click Save.

  9. Click Back to Dashboard.

  10. Click Vault Radar.

  11. Click Resources.

  12. Select the resource you want to assign to a group and click Assign groups.

  13. Click the Assign resoruce to group pulldown menu.

  14. Select the group that requires access to the resource.

  15. Select either the Viewer or Contributor role.

  16. Click OK.

Update data source host

  1. Navigate to Settings, and then Data Source Hosts, and click the three dots to the right.

  2. To update the monitored data sources, click Edit data sources

  3. To update the token, click Edit data source host details

Tutorials

If you are new to HCP Vault Radar, checkout the HCP Vault Radar quickstart series.

Edit this page on GitHub