Azure Repos
Azure Repos can currently be scanned using a personal access token (PAT). To create a PAT, follow these steps:
- Go to your Azure DevOps account and click on the “User Settings” icon in the top right corner next to your profile picture.
- Click on “Personal access tokens”.
- Click on “New Token”.
- Enter a name for the token, select an organization and select the “Custom defined” option. Then, select the “Code (read)” scope.
- Click on “Create”.
When providing organizations, projects and repositories in the config, please take note of the following:
- At least one organization is required.
- Hierarchy: organizations > projects > repositories. Ensure projects are from specified organizations, and repositories are from specified projects.
- Specifying only “organizations” will result in scanning all their projects. Specifying only “projects” will scan all their repositories.
- The “ignore” filter always overrides the “include” filter, applicable to both “projects” and “repositories”.
Key | Description | Required |
|---|---|---|
endpoint | Endpoint URL for the Azure Repos | No |
repositories | List of repositories in Azure Repos. Omit to enumerate instead. | No |
organizations | List of organizations in Azure Repos. Omit to enumerate instead. | No |
projects | List of projects in Azure Repos | No |
includeForks | Flag to include/exclude repos | No |
ignoreRepos | List of repositories to exclude from search | No |
includeRepos | List of repositories to include in search | No |
includeProjects | List of projects to include | No |
ignoreProjects | List of projects to ignore | No |
skipBinaries | Flag to skip binaries from scanning | No |
skipArchives | Flag to skip archives from scanning | No |
Feature | Supported |
|---|---|
Scan archive files | ✅ |
Scan archive repo | ✅ |
Scan base64 encoded data | ✅ |
Scan binaries | ✅ |
History | ✅ |
Include filter | ✅ |
Exclude filter | ✅ |
Pre-commit | ✅ |
Auto resume | ✅ |
Notes:
- TruffleHog doesn't scan diffs larger than 1 GB
- Only cloud-hosted Azure Repos are scannable. TruffleHog cannot scan self-hosted Azure Devops servers.
