Azure DevOps PR Scans
The Conviso Platform PR Scans for Azure DevOps provide automated security feedback directly in Pull Requests.
When a developer creates or updates a PR, the platform detects the event and runs a scan focused on the PR context, then publishes status and findings back to the PR timeline.
Key Benefits
- Native PR feedback: Security status is posted in Azure DevOps PR checks.
- Automated execution: No manual trigger is required for each PR update.
- Developer-friendly output: Findings are summarized as a PR comment with severity and code context.
- Fast remediation loop: New commits in the same PR trigger a new scan cycle.
Prerequisites
Before enabling PR Scans, ensure that:
- Your Azure DevOps integration is already configured and connected.
- Repositories are imported and mapped as assets in the integration configuration.
- You have permission to edit integration settings in Conviso Platform.
Enabling PR Scans
Step 1 - Open Azure DevOps Integration
- Go to Integrations in Conviso Platform.
- Open the configured Azure DevOps integration.
- Go to the Configuration step.
Step 2 - Enable PR Scans Toggle
- Locate the PR Scans toggle.
- Turn it On to activate PR scan automation.
Step 3 - Validate Repository Mapping
Ensure the target repositories are present and enabled in the configuration table.
PR scans only run for repositories that are part of the integration scope.
Changes take effect for new PRs and new commits pushed to existing PRs.
Developer Workflow
1. Trigger
A scan is triggered when:
- A Pull Request is created.
- New commits are pushed to an open Pull Request.
2. Status Check
Conviso posts a PR status in Azure DevOps while the scan is running (pending) and updates it when processing finishes.
3. Findings Comment
After completion, Conviso updates a PR comment with:
- Severity summary (Critical, High, Medium, Low).
- Vulnerability details with file and line context.
- Guidance for remediation.
4. Re-scan Cycle
If the developer pushes a fix, the PR is scanned again and the status/comment are updated.
PR Scans vs AST Orchestrator
Conviso offers two complementary Azure DevOps security flows:
| Feature | PR Scans | AST Orchestrator |
|---|---|---|
| Primary goal | Fast PR feedback | Merge/branch pipeline execution |
| Trigger source | PR create/update events | Pipeline configuration on Azure DevOps |
| Typical scope | Pull Request context | Configurable by pipeline strategy |
| Setup effort | Low (toggle in integration) | Requires orchestrator pipeline setup |
For orchestrator setup, see Azure DevOps AST Orchestrator.
Troubleshooting
PR scan did not trigger
Check:
- PR Scans toggle is enabled in integration configuration.
- The repository is authorized/imported in Azure DevOps integration.
- The PR event reached the platform and worker processing completed.
Status or comment not updated
Check:
- Integration credentials and permissions are still valid.
- The repository remains mapped and active in Conviso configuration.
- There were no processing errors in background workers.
Support
If PR scans are not triggering or results look inconsistent, contact Conviso support with:
- Integration ID
- Repository full name
- Pull Request number
- Approximate event timestamp
Contribute to the Docs
Found something outdated or missing? Help us improve the documentation with a quick suggestion or edit.
How to contributeResources
By exploring our content, you'll find resources that will enhance your understanding of the importance of a Security Application Program.
Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.
Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.