Note: This integration is only available to HackerOne Enterprise customers.
HackerOne offers a bi-directional Azure DevOps integration that enables you to synchronize your HackerOne and Azure DevOps events. This integration aligns your development and security teams, streamlining the security vulnerability remediation workflow by reducing manual back-and-forth between Azure DevOps and HackerOne.
Setup
To set up the bi-directional integration between HackerOne and your Azure DevOps instance, you'll need to complete two steps: configure the integration on HackerOne, then configure outgoing requests (service hooks) in Azure DevOps.
Configure the Integration on HackerOne
To set up your Azure DevOps integration on HackerOne:
Go to Engagements, click the kebab menu for the program you want to integrate, then click Settings.
Go to Automation > Integrations.
Click Connect with Azure DevOps.
Click Set up new integration to start the configuration process.
(Optional) Choose a name and description for your Azure DevOps integration. This will be helpful if you have multiple integrations configured.
Click Next.
Give your authentication a name.
Click Create.
Click Allow in the pop-up window asking for permissions. This grants HackerOne permission to communicate with Azure DevOps on your behalf.
Choose the appropriate Azure DevOps account from the dropdown.
Choose the Azure DevOps Account, Project, and Work Item Type you want to use for escalating reports.
Click Next.
Choose which fields from the HackerOne report you want to map to the fields in Azure DevOps. For example, you can map the HackerOne vulnerability details to the Azure DevOps description.
Click Next.
Choose which Azure DevOps priority level maps to each HackerOne severity rating. The same priority number can be used for more than one severity rating.
Click Next.
Choose which events you want to sync from HackerOne to Azure DevOps. You can choose from:
| Option | Details |
|---|---|
| Comments | When someone comments on a report, an update is posted on the associated Azure DevOps work item. |
| State Changes | When someone changes the state of a report, an update is posted on the associated work item. |
| Work Item Closed State | Choose from the options offered in this step. |
| Rewards | When someone awards or suggests a bounty and/or bonus, an update is posted on the associated work item. |
| Disclosure | An update is posted on the associated work item when disclosure is requested or approved. |
| Synchronize Attachments | Attachments linked to reports and comments are synchronized to the associated work item. |
Click Next.
Select the events you want to sync from Azure DevOps to HackerOne. You can choose from:
| Option | Details |
|---|---|
| Status changed | Post an internal comment when a work item changes status. |
| When the status changes to done | Choose from the options offered in this step. |
| Priority changed | Post an internal comment when a work item changes priority. |
| Assignee changed | Post an internal comment when a work item changes assignee. |
| Comment added | Post an internal comment when someone comments on a work item. |
Click Next.
Copy the AzureDevOpsListener Public URL and keep it somewhere safe. You'll need it later to set up the outgoing requests from Azure DevOps to HackerOne, and anyone who knows the URL can send requests to it, so don't share it beyond the people configuring the service hook.
Click Finish.
Click Enable in the integrations overview to enable the integration.
Configure Outgoing Requests
After configuring the integration on HackerOne, you'll need to configure outgoing requests in Azure DevOps so that the selected events are sent from Azure DevOps to HackerOne. This is done with Azure DevOps Service Hooks.
To configure synchronizing events from Azure DevOps to HackerOne:
Go to Project Settings > Service hooks in Azure DevOps.
Click on + Create subscription.
Choose Web Hooks from the services list.
Click Next.
Choose Work item updated from the Trigger on this type of event dropdown.
(Optional) Apply any filters you'd like to use, for example restricting the area path and work item type to the project and work item type you selected on HackerOne, so unrelated work items don't generate requests to the listener.
Click Next.
Fill out the URL field with the AzureDevOpsListener Public URL you copied in Configure the Integration on HackerOne.
Click Finish.
Your webhook should appear in the Service Hooks list. The subscription wizard also offers a Test button that sends a sample notification to the URL, which is a quick way to confirm the listener accepts requests before relying on live work item updates.
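As an added example (not HackerOne's or Microsoft's code), the following Python mirrors the two halves of the procedure above: it builds the request body the Azure DevOps REST API accepts for the same Web Hooks subscription (trigger Work item updated, optional area path and work item type filters, the listener URL as the target), and it interprets a hand-constructed workitem.updated notification into the Azure DevOps to HackerOne events from the earlier table. The listener URL, project ID and option names are placeholders; the publisher/consumer identifiers and System.* field names are Azure DevOps' documented ones.

```python
"""Azure DevOps service hook: subscription body and notification handling (added example)."""
import json

# Standard Azure DevOps field reference names.
STATE = "System.State"
PRIORITY = "Microsoft.VSTS.Common.Priority"
ASSIGNEE = "System.AssignedTo"
HISTORY = "System.History"  # a comment added on the work item form arrives as a new History value

# Hypothetical toggles standing in for the "Azure DevOps to HackerOne" options.
DEFAULT_OPTIONS = {
    "status_changed": True,
    "priority_changed": True,
    "assignee_changed": True,
    "comment_added": True,
}


def subscription_body(project_id, listener_url, area_path=None, work_item_type=None):
    """Body for POST https://dev.azure.com/{org}/_apis/hooks/subscriptions.

    Same settings as the wizard: Web Hooks consumer, 'Work item updated' trigger,
    optional filters, listener URL. Report data should never travel over plain
    HTTP, so a non-https URL is rejected.
    """
    if not listener_url.startswith("https://"):
        raise ValueError("listener URL must use https")
    publisher_inputs = {"projectId": project_id}
    if area_path:
        publisher_inputs["areaPath"] = area_path
    if work_item_type:
        publisher_inputs["workItemType"] = work_item_type
    return {
        "publisherId": "tfs",
        "eventType": "workitem.updated",
        "resourceVersion": "1.0",
        "consumerId": "webHooks",
        "consumerActionId": "httpRequest",
        "publisherInputs": publisher_inputs,
        "consumerInputs": {"url": listener_url},
    }


def _display_name(value):
    """System.AssignedTo is an identity object in recent API versions, a string in old ones."""
    if isinstance(value, dict):
        return value.get("displayName") or value.get("uniqueName") or "unassigned"
    return value or "unassigned"


def parse_notification(body):
    """Parse a raw request body; returns None for anything that is not a JSON object."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def hackerone_comments(notification, options=None):
    """Translate one notification into the internal comments HackerOne would post.

    Anything other than workitem.updated yields nothing, so a subscription created
    with the wrong trigger is ignored rather than misreported. 'fields' holds only
    the fields that changed in this revision, each as {oldValue, newValue}.
    """
    options = options or DEFAULT_OPTIONS
    if notification.get("eventType") != "workitem.updated":
        return []
    resource = notification.get("resource", {})
    wi = resource.get("workItemId")
    fields = resource.get("fields", {})
    out = []
    if options["status_changed"] and STATE in fields:
        out.append(f"Work item {wi} status changed: "
                   f"{fields[STATE].get('oldValue')} -> {fields[STATE].get('newValue')}")
    if options["priority_changed"] and PRIORITY in fields:
        out.append(f"Work item {wi} priority changed: "
                   f"{fields[PRIORITY].get('oldValue')} -> {fields[PRIORITY].get('newValue')}")
    if options["assignee_changed"] and ASSIGNEE in fields:
        old = _display_name(fields[ASSIGNEE].get("oldValue"))
        new = _display_name(fields[ASSIGNEE].get("newValue"))
        out.append(f"Work item {wi} assignee changed: {old} -> {new}")
    if options["comment_added"] and HISTORY in fields:
        out.append(f"Work item {wi} comment added: {fields[HISTORY].get('newValue', '')}")
    return out


# Constructed sample shaped like a real workitem.updated event (IDs and names are made up).
SAMPLE_NOTIFICATION = {
    "eventType": "workitem.updated",
    "resource": {
        "id": 2, "workItemId": 1042, "rev": 2,
        "fields": {
            "System.Rev": {"oldValue": 1, "newValue": 2},
            STATE: {"oldValue": "New", "newValue": "Active"},
            PRIORITY: {"oldValue": 3, "newValue": 1},
            ASSIGNEE: {"oldValue": None,
                       "newValue": {"displayName": "Dana Ortiz", "uniqueName": "dana@example.com"}},
            HISTORY: {"newValue": "Reproduced on staging; fix in progress."},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(subscription_body("00000000-0000-0000-0000-000000000000",
                                       "https://listener.example/azure-devops", work_item_type="Bug"), indent=2))
    for line in hackerone_comments(parse_notification(json.dumps(SAMPLE_NOTIFICATION))):
        print(line)
```

The eventType check and the JSON-object check are the two guards worth keeping in any real listener: Azure DevOps will happily deliver other event types if someone later edits the subscription, and a non-object body should be dropped rather than passed into field lookups.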