Connect APVISO with Azure DevOps

How APVISO Will Integrate with Azure DevOps

The planned APVISO Azure DevOps integration will provide end-to-end security testing within Microsoft's DevOps platform. From pipeline-integrated scanning in Azure Pipelines to automatic work item creation in Azure Boards, APVISO will fit naturally into the Azure DevOps workflows that enterprise teams depend on.

Azure Pipelines Task

The APVISO pipeline task will be available for both YAML and classic pipeline definitions. Add the task to your build or release pipeline to trigger a penetration test against your deployed application. The task supports all APVISO scan profiles: quick (for PR validation), standard (for staging deployments), and comprehensive (for pre-production or scheduled scans).

During execution, the task reports real-time progress in the pipeline log — agent activity, finding discoveries, and scan milestones. When the scan completes, the task evaluates the results against your configured severity threshold and sets the pipeline result accordingly: succeeded, succeeded with issues, or failed.

Release Gates for Staged Deployments

Azure DevOps release pipelines support gates — automated checks that must pass before a release can proceed to the next stage. APVISO will integrate as a release gate that scans the environment deployed in the current stage before allowing promotion to the next stage.

A typical workflow uses three deployment stages: Dev, Staging, and Production. After deploying to Staging, the APVISO release gate triggers a scan. If the scan finds no Critical or High vulnerabilities, the release proceeds to Production automatically. If critical issues are found, the release is held and the team is notified to remediate before the production deployment can proceed.

This staged approach catches vulnerabilities in pre-production environments where they can be fixed without impacting users, while providing a hard security gate before production releases.

Azure Boards Work Items

APVISO findings will be automatically created as Azure Boards work items with full context:

• Work item type: Configurable as Bug, Task, or Issue based on your team's conventions
• Priority: Mapped from APVISO severity (Critical = Priority 1, High = Priority 2, Medium = Priority 3, Low = Priority 4)
• Area path: Routed to the correct team based on the target domain or vulnerability category
• Iteration path: Assigned to the current or next iteration based on severity (Critical findings go to the current sprint, Low findings to the backlog)
• Description: Rich HTML content with reproduction steps, affected endpoints, and remediation guidance
• Tags: Applied for vulnerability type, severity, and APVISO scan reference

Work items are deduplicated across scans — if the same vulnerability is found again, APVISO updates the existing work item rather than creating a duplicate.

Pull Request Policies

Azure DevOps pull request policies can require specific build validations before a PR can be completed. By adding the APVISO scan as a required build policy, every pull request is security-tested before merge. The scan can target a PR preview deployment or the branch deployment environment.

When the scan completes with findings above the threshold, the PR build fails and the developer sees the security issues in the PR's build status. The findings are also published as test results, visible in the PR's Tests tab, making it easy to understand what needs to be fixed.

Test Results Integration

APVISO will publish scan results in a format compatible with Azure Test Plans. Findings appear in the pipeline's Tests tab, where they are displayed alongside unit tests, integration tests, and other automated test results. Each finding is a test case with pass/fail status, making it easy to track security test results using Azure DevOps' built-in test analytics.

Over multiple pipeline runs, Azure DevOps tracks the test trend — showing whether security findings are increasing or decreasing over time. This data is available in Azure DevOps analytics dashboards and can be exported for reporting.

Organization-Level Configuration

For enterprises with multiple Azure DevOps projects, APVISO supports organization-level configuration. Define APVISO service connections, default scan profiles, and work item templates at the organization or collection level. Individual projects inherit these defaults, reducing setup effort and ensuring consistent security testing across the organization.

Extension settings can also define allowed scan profiles and severity thresholds per project, giving security teams centralized governance over how APVISO is used across development teams.