Azure DevOps Integration

HackerOne offers a bi-directional Azure DevOps integration that synchronizes events from HackerOne to Azure DevOps and from Azure DevOps to HackerOne. The integration keeps your development and security teams aligned and streamlines the remediation of security vulnerabilities by minimizing the manual back and forth between Azure DevOps and HackerOne.

Note: This integration is only available to HackerOne Enterprise customers.

Setup

To set up the bi-directional integration between HackerOne and your Azure DevOps instance, you’ll need to follow these 2 steps:

  1. Configure the integration on HackerOne
  2. Configure outgoing requests on Azure DevOps

Configure the Integration on HackerOne

To set up your Azure DevOps integration on HackerOne:

  1. Navigate to Program Settings > Program > Integrations on HackerOne.
  2. Click Connect with Azure DevOps.

  1. Click Set up new integration to start the configuration process.

  2. (Optional) Choose a name and description for your Azure DevOps integration. This will be helpful if you have multiple integrations configured.

  3. Click Next.

  4. Give your authentication a name.

  5. Click Create.

  6. Click Allow in the pop-up window asking for permissions. This allows HackerOne to communicate with Azure DevOps.

  7. Choose the appropriate Azure DevOps account from the dropdown.

  1. Choose the Azure DevOps Account, Project and Work Item Type you want to use for escalating reports.
  2. Click Next.
  3. Choose which fields from the HackerOne report you want to map to the fields in Azure DevOps. For example, you can map the HackerOne vulnerability details to the Azure DevOps description.

  1. Click Next.
  2. Choose which Azure DevOps Priority levels you want to map to the HackerOne severity. You can choose the same numbers for multiple severity ratings.

  1. Click Next.
  2. Choose which events you want to sync from HackerOne to Azure DevOps. You can choose from:

     | Option | Details |
     | --- | --- |
     | Comments | When someone comments on a report, an update will be posted on the associated Azure DevOps work item. |
     | State Changes | When someone changes the state of a report, an update will be posted on the associated Azure DevOps item. |
     | Work Item Closed State | You can choose from these options: To Do, Doing, Done |
     | Rewards | When someone awards or suggests a bounty and/or bonus, an update will be posted on the associated Azure DevOps item. |
     | Disclosure | When disclosure is requested or approved, an update will be posted on the associated Azure DevOps item. |
     | Synchronize Attachments | You can synchronize attachments linked with reports and comments to the associated Azure DevOps work item. |

  1. Click Next.
  2. Select the events you want to sync from Azure DevOps to HackerOne. You can choose from:

     | Option | Details |
     | --- | --- |
     | Status changed | Post an internal comment when a work item changes status. |
     | When status changes to done | You can choose from these options: Close HackerOne report, Do nothing |
     | Priority changed | Post an internal comment when a work item changes status. |
     | Assignee changed | Post an internal comment when a work item changes the assignee. |
     | Comment added | Post an internal comment when someone comments on a work item. |

  1. Click Next.
  2. Copy the AzureDevOpsListener Public URL. (You’ll need this later to set up the outgoing requests from Azure DevOps to HackerOne.)
  3. Click Finish.
  4. Click Enable in the integrations overview to enable the integration.

Configure Outgoing Requests

After configuring the integration on HackerOne, you’ll need to configure outgoing requests in Azure DevOps. This will enable you to send the configured events from Azure DevOps to HackerOne. Keep in mind that you’ll need to use Service Hooks in the configuration process.

To configure synchronizing events from Azure DevOps to HackerOne:

  1. Go to Project Settings > Service hooks in Azure DevOps.
  2. Click + Create subscription.
  3. Choose Web Hooks from the services list.

  1. Click Next.
  2. Choose Work item updated from the dropdown for the Trigger on this type of event field.

  1. (Optional) Apply any of the filters you'd like to use.
  2. Click Next.
  3. Fill out the URL field with your AzureDevOpsListener Public URL from Step 18 in Configure the Integration on HackerOne.

  1. Click Finish.

Your web hook should appear in the Service Hooks list.
