Connect your Azure DevOps environment to your Cobalt Organization to sync pentest findings as work items.
Integrate Azure DevOps with Cobalt
Integrate with Azure DevOps to create work items for your Cobalt findings and streamline your remediation workflows. The availability of this feature depends on your PtaaS tier.
How it Works
- Connect your Azure DevOps system to Cobalt and push pentest findings as work items to your team boards.
- Configure Azure DevOps for each pentest, selecting the Team Project, Work Item Type, and other field mappings for tickets created from findings.
- When a new finding in the Pending Fix state is reported, a new work item is automatically created in Azure DevOps.
Please be aware of the following considerations when using this integration. We are working to improve the integration and address these limitations.
- Work items will automatically be created when a finding is moved to Pending Fix state. It is not possible to manually create a work item for a finding.
- Only one Azure DevOps instance can be connected to a Cobalt Organization at a time.
- Work items created will not appear in the External Issue References section of the Cobalt findings page.
Frequently Asked Questions
In Azure DevOps, a work item is any item that needs to be investigated within a project. Work items may also be referred to as tickets.
In the context of Cobalt integrations, a work item is a finding that was synchronized with Azure DevOps.
The following fields are required to create a work item:
- Work item type
Depending on your Azure DevOps process template, additional fields in your work item form may be required. Make sure to provide a value for all required (*) fields. See: How to set work item field values.
Yes. When configuring the integration for a pentest, you can set values for all standard and custom fields in the work item type template for the Project and Work Item Type selected. See: How to set work item field values.
No, only auto-push is currently supported.
Currently, the Work Item ID is not displayed in the Cobalt platform (this will be addressed in a future release).
In Azure DevOps, the Finding ID will be included in the work item Title, and a link to the Cobalt finding is available in the Description field.
Findings are pushed to Azure DevOps when they are published and set to Pending Fix status. This occurs virtually in real time and should be reflected in your Azure DevOps environment within a minute or so.
No, only Azure DevOps Cloud is currently supported. If you use an on-prem version, please reach out to us at firstname.lastname@example.org.
No. After enabling the integration for a pentest, a finding (either new or existing) must be moved to Pending Fix state, which will trigger the creation of a work item.
No. We are working to enable bi-directional syncs for an upcoming release. Currently, the integration is 1-way only.
After a work item is created for a new finding, there is no further association between the work item and the finding.
Yes. You can use a Service Principal or Managed Identity to authenticate your Azure DevOps environment with Cobalt. Follow Microsoft’s guide to configure your managed account. Then, when setting up the connection in Cobalt, select the Authorization Code method of authentication.
No. We are working to support this in a future release. Currently, the integration will create a new work item for each unique pentest finding.
Yes. Work items will be created in the project you selected in the pentest configuration. Once created, you can move the work item to another project, or even change the work item type, without impacting the integration.
Once you’ve connected your Azure DevOps instance, you can configure pentests to push findings to an ADO Team Project.
Troubleshoot common issues with the Azure DevOps integration.
Last modified October 10, 2023