Introduction
This article covers 12 of the best extensions for Azure DevOps. The extensions covered here focus on security and on extending Azure DevOps with useful features for the agile delivery process. Some of them are a must-have when moving from DevOps to DevSecOps: system security is a critical process, and DevSecOps shifts security left in the software development lifecycle instead of treating it as a reactive step during or after a product release. Other extensions make the life of agile teams easier and give them better control over the process and delivery.
If you are looking for a better understanding of some of the core features in Azure DevOps, please visit this blog.
We will cover a set of 12 of the best extensions for Azure DevOps in this article, along with their integration steps in Azure Pipelines and the most important configuration details. Below is the list covered here.
- 1. SonarCloud – for static code analysis.
- 2. SonarQube – for static code analysis.
- 3. CredScan – for checking source code for credentials and secrets.
- 4. WhiteSource Bolt – to check open source client-side dependencies for known vulnerabilities.
- 5. OwaspZap – for scanning web applications for OWASP Top 10 vulnerabilities.
- 6. Fortify – for scanning source code against OWASP Top 10, PCI compliance and other industry security standards.
- 7. Nexus IQ Server – to check open source client- and server-side package dependencies for known vulnerabilities.
- 8. AzSK (Secured Azure DevOps Toolkit) – to find security gaps in Azure subscriptions.
- 9. Delivery Plan – to plan sprints and delivery dates according to cross-team dependencies.
- 10. Estimate – helps with estimating user stories and playing planning poker.
- 11. Contribution Graph – to see each team member’s contribution in agile teams.
- 12. ReportGenerator – to generate a user-friendly code coverage report in Azure DevOps.
1. SonarCloud
SonarCloud is one of the best extensions available in Azure DevOps. It is the cloud-hosted version of SonarQube from SonarSource and is used for static code analysis. It scans the source code for design, architecture, security, code smell and other quality issues. After the scan it provides a detailed project report on the SonarCloud website listing every file that needs improvement. This is a great way to maintain code quality, keep technical debt under control and at the same time keep the code compliant with industry standards and specifications. Before using the SonarCloud task we need to set up and configure the project and quality gates on the SonarCloud website and connect it to the Azure DevOps project using a Service Connection (***this is generally applicable to most DevOps extensions, but not all).
Steps To Integrate in Azure DevOps
- Create an account with SonarCloud and configure an Organization and a Project in it. The project will have a unique Project Key in SonarCloud. All details are available on the Visual Studio Marketplace page of the extension.
- Configure the SonarCloud project with the Quality Gate rules, issues and quality rules we want to check.
- Install the SonarCloud extension in the Azure DevOps organization.
- Connect SonarCloud to the Azure DevOps project using a Service Connection. Here we will need the authentication token generated earlier on the SonarCloud website.
- Use the SonarCloud tasks in Azure Pipelines. First we need the Prepare Analysis task, followed by the actual analysis task, so two tasks are the minimum required.
- Add the tasks and configure additional parameters as per project needs. Some of the key details are shown below.
- After execution, a detailed report with code issues and Quality Gate results is published in the SonarCloud portal.
- With this extension, a dashboard widget is also added to the Azure DevOps dashboard which shows the Quality Gate result, i.e. pass or fail. Clicking the widget navigates the user to the SonarCloud portal and displays the detailed report.
We need to configure two tasks, the first of which is Prepare Analysis. Here we connect to SonarCloud using the pre-configured Service Connection and add the correct SonarCloud organization and project key. Under additional parameters we also tell SonarCloud which source code projects or folders we want to exclude from the scan. This is a very important step if we want to keep certain projects, such as test projects or POC folders, out of the quality check and test code coverage. Below are the details of this task.

Under additional parameters we can set more specific details, explained below.
- sonar.sources – tells the SonarCloud task where the source code folder is. If not specified it defaults to Build.SourcesDirectory.
- sonar.log.level – sets the log level for the details written to the pipeline logs while the scan runs.
- sonar.verbose – if set to true, the logs are verbose so that DevOps teams can analyse them better.
- sonar.exclusions – defines which folders in the source code we want to exclude from SonarCloud analysis.
- sonar.coverage.exclusions – tells SonarCloud which folders to ignore and exclude when pushing unit test code coverage details to the SonarCloud server.
After adding the tasks, the YAML for the SonarCloud tasks will look something like below. First we prepare, then we run the SonarCloud scan on our repository or source code.

The report in SonarCloud looks like below. It shows the Quality Gate for the project and the issues in the code under each quality category, such as Reliability, Security, etc.

2. SonarQube
SonarQube is similar to SonarCloud and is one of the top extensions used in Azure DevOps. It has the same functionality as SonarCloud and is from the same company, SonarSource. SonarQube is the self-hosted version of SonarCloud. It is hosted either on a physical server or on a VM, in an on-premise or cloud environment. It is then connected to the Azure DevOps project by configuring a Service Connection. The steps are similar to SonarCloud and are listed below.
Steps To Integrate in Azure DevOps
- Set up a SonarQube server in the organization.
- Configure the project in SonarQube.
- Configure the SonarQube project with the Quality Gate rules, issues and quality rules we want to check.
- Install the SonarQube extension in the Azure DevOps organization.
- Connect SonarQube to the Azure DevOps project using a Service Connection.
- Use the SonarQube tasks in Azure Pipelines.
- Configure the tasks with additional parameters as applicable and as shown below.
- After execution, a report with the Quality Gate status and code issues is published on the SonarQube server. The report is made available online for users to look into.
- Users with access to the SonarQube project should be able to log in and analyse the report and details using the SonarQube server URL.
The additional parameters that can be passed to the tasks are the same as for SonarCloud. Please check the section above to have a look at them.
Below is a sample YAML pipeline containing the SonarQube tasks in order. The steps to follow are as below.
- Prepare SonarQube for project analysis. We pass all details, including the Service Connection, the SonarQube project key and additional parameters as needed.
- Build the project using standard build tasks or custom scripts.
- Run the unit tests available in the source repository. This can be done using a custom script or the standard test tasks, if available.
- Run the SonarQube analysis by calling the SonarAnalysis task.
- Publish the results back to the SonarQube server by calling the Publish task.
- Finally, the report will be available on the SonarQube server and can be viewed online as well.

SonarQube also exposes REST APIs which can be used to retrieve project quality details from within Azure DevOps pipelines. This is great for automation and can also be used to break the build based on the Quality Gate result or other checks. Below is an example URL for calling SonarQube to retrieve the Quality Gate result.
http://sonarqubeserver:port/api/qualitygates/project_status?projectKey=ProjectKeyInSonarQube
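The following script, added here as an example and not part of the original article, calls the project_status endpoint above from a pipeline script task and exits non-zero when the Quality Gate status is ERROR, which is what makes the build break. The server URL, project key and token are placeholders read from environment variables; the embedded response is constructed to show the shape of the JSON SonarQube returns.

```python
"""Break an Azure Pipelines build on a failed SonarQube Quality Gate."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample response (same shape as /api/qualitygates/project_status):
# the gate fails because the new-code security rating condition is violated.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.0"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
        ],
    }
}


def parse_quality_gate(payload):
    """Return (gate_status, failed_conditions) from a project_status response.

    failed_conditions lists "metric comparator threshold (actual value)" for
    every condition whose own status is not OK, so the log says why the gate failed.
    """
    project_status = payload["projectStatus"]
    failed = []
    for cond in project_status.get("conditions", []):
        if cond.get("status") != "OK":
            failed.append("%s %s %s (actual %s)" % (
                cond["metricKey"], cond.get("comparator", "?"),
                cond.get("errorThreshold", "?"), cond.get("actualValue", "?")))
    return project_status["status"], failed


def fetch_quality_gate(server, project_key, token, timeout=30):
    """GET /api/qualitygates/project_status using a user token as the Basic-auth username."""
    url = "%s/api/qualitygates/project_status?%s" % (
        server.rstrip("/"), urllib.parse.urlencode({"projectKey": project_key}))
    req = urllib.request.Request(url)
    cred = base64.b64encode(("%s:" % token).encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def main():
    server = os.environ.get("SONAR_HOST_URL", "http://sonarqubeserver:port")      # placeholder
    project_key = os.environ.get("SONAR_PROJECT_KEY", "ProjectKeyInSonarQube")   # placeholder
    token = os.environ["SONAR_TOKEN"]  # keep it in a secret pipeline variable, not in YAML
    status, failed = parse_quality_gate(fetch_quality_gate(server, project_key, token))
    print("Quality Gate: %s" % status)
    for line in failed:
        print("  failed condition: " + line)
    sys.exit(0 if status == "OK" else 1)  # a non-zero exit code fails the pipeline task


if __name__ == "__main__":
    main()
```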
The report generated is similar to the one we have with SonarCloud. Please check the SonarCloud section to have a look.
3. CredScan
CredScan is an extension from Microsoft and is used for scanning the code for any hidden or hard-coded secrets, certificate information or passwords. After the scan it reports in the pipeline logs the files containing these hard-coded secrets, and we have the option to break the build if we want to. To install CredScan we need a Microsoft Premier Support subscription; it is not available without Premier Support.
Steps To Integrate in Azure DevOps
- Get Microsoft Premier Support for the organization.
- Install the CredScan extension in the Azure DevOps organization.
- We should then be able to find and integrate the Credential Scanner task in pipelines. No Service Connection is needed here; it works directly with Azure DevOps.
Due to the unavailability of Premier Support, adding the task is not shown, but the YAML task for CredScan should look like below. We run CredScan on the source repository and then post the analysis results back to the pipeline logs. The pipeline logs will show any secrets, passwords or certificates hard-coded in the code. The task will fail if it finds issues.

4. WhiteSource Bolt
It is used to scan the third-party open source client-side packages and dependencies we use in our projects for known vulnerabilities. WhiteSource Bolt doesn’t need a Service Connection to work. The product keeps its database of open source libraries and packages and their known vulnerabilities up to date and uses it to scan the repositories and report issues.
Steps to Integrate in Azure DevOps
- Install the extension.
- The task is then made available for pipelines to consume. The task looks like below.

- After execution, we should see a tab for WhiteSource Bolt added to the pipeline run details window, as below. The detailed report is available there.

5. OwaspZap
This extension scans web applications against the OWASP web application standards and, after the scan, provides a report in an Azure DevOps dashboard widget listing the issues found, such as XSS issues, framing issues, missing HTTP headers and many more. This extension doesn’t need any Service Connection and the data is made available directly in the Azure DevOps dashboard.
Steps to Integrate in Azure DevOps
- Install the extension.
- A Service Connection is not needed for this.
- Add the task in pipelines and we should see the results in the dashboard widget added by the extension.
** Images are not added for this product since it is a simple extension to add and use.
6. Fortify
Fortify is a third-party product from Micro Focus that provides system security scanning capabilities. It can be used for both static and dynamic security scans. It covers many industry security standards such as OWASP Top 10, PCI compliance and many more. This is one of the most used products and extensions when it comes to security testing of applications and systems. For static scans it checks each individual code file and component in the repository and provides an online report with details of all issues. Fortify first needs to be installed on a server or a VM and connected to the Azure DevOps project before this task can be used in our pipelines.
Steps to Integrate in Azure DevOps
- Install Fortify on a server or a VM. It is a paid, licensed product from Micro Focus.
- Login to Fortify and Configure Project.
- Install Fortify Extension in Azure DevOps Organization.
- Create Service Connection in Azure DevOps Project.
- Add Fortify task in YAML pipelines to scan source code for security issues.
The Fortify extension adds a lot of tasks for static and dynamic analysis of code. Here we are explaining the ‘Fortify Static Code Analyzer Assessment’ task. The other tasks and options follow a similar approach, and more details can be found on the extension’s page in the VS Marketplace.

The YAML for this task after configuration will look something like below. We can pass additional scan and build parameters, such as restricting the scan targets to a specific set of files or folders or setting the logging level. fortifyApplicationName is the application name on the Fortify server. We also have to pass a Service Connection to the Fortify server, but it is not shown here since this is just a demonstration of the task.

7. Nexus IQ Server
This product scans the third-party open source client- and server-side dependencies we use in our projects for known vulnerabilities. It can be used to keep a check on open source libraries such as JavaScript libraries or NuGet packages. While WhiteSource Bolt doesn’t need a Service Connection to work, Nexus IQ Server is a more advanced product that needs to be installed on a server and then connected to the Azure DevOps project. Both products keep their databases of open source libraries and packages and their known vulnerabilities up to date and use them to scan the repositories and report issues.
Steps to Integrate in Azure DevOps
- Install Nexus IQ Server on a physical or virtual server. This is a licensed product and needs to be bought from the vendor.
- Set up a Nexus IQ Organization and a Project with a unique name under it.
- Set up policies and rules for threats and violations and component labels, i.e. whether components are proprietary or from third parties. Also set up which packages and files we want to ignore in the scan. Please follow the detailed Nexus IQ documentation for more details.
- Install the Nexus IQ extension in the Azure DevOps organization.
- Configure a Service Connection to the Nexus IQ Server in the Azure DevOps project.
- Add the Nexus IQ task in the pipeline and use it to scan the projects for open source vulnerabilities.
- The task fails if it finds any critical, severe or moderate violations and also adds details to the pipeline logs.
- A detailed report is made available on the Nexus IQ server and can be viewed online.
- Nexus IQ also adds a tab to the pipeline run details window (just like WhiteSource Bolt).
The report on the Nexus IQ server looks something like below, showing the threat level and the files with issues. We have the option either to waive the violations if we are sure, or to upgrade the component to mitigate the risk. Clicking on each issue shows the details of the issue and recommendations for the upgrade process.

The Nexus task in YAML looks something like below.

8. AzSK – Secured Azure DevOps Toolkit
AzSK is a toolkit developed by Microsoft DevLabs and made available as an extension in the Marketplace. It is one of the best extensions in Azure DevOps and can be used to scan the cloud resources under an Azure subscription for missing or lacking security configurations. After scanning the resources it generates an Excel report listing all security gaps. It also provides recommendations and remediation steps, i.e. what to do to mitigate those gaps. AzSK also has the capability to automatically remediate security issues in the Azure subscription. It consists of PowerShell modules which are first installed on the build agent and then used to scan our Azure subscriptions. AzSK can be used independently through its PowerShell modules as well as from within pipelines using its extension.
Steps To Integrate in Azure DevOps
- Install the AzSK extension in the Azure DevOps organization.
- Create a Service Connection for Azure Resource Manager, since it works on Azure resources after connecting to an Azure subscription.
- Add the task in the pipeline. There are options to either select a Resource Group or select all resources matching a tag filter. The scan is done according to the selected option.
- After execution, it creates an Excel report on the build agent (build server) listing all Azure resources with their security violations and recommendations. This report can be downloaded from the build server by using a download task in the pipeline as part of the build process.
Below is an example of the AzSK build task in its own stage of a YAML pipeline. Putting it in a separate stage is not necessary, but the security scans with all of the above-mentioned tools can be placed in their own stage to group them and isolate them from other tasks. This also lets us control whether the stage runs as part of CI/CD or on a schedule.
AzSK only runs on Windows agents for now. Under ‘steps’ there is a ConnectedServiceNameARM property which points to the Azure Resource Manager Service Connection. Here we pass a ResourceGroupName to scan, but there is an option to use a tag filter as well.

9. Delivery Plan
This is an extension for Azure Boards and adds a hub in Azure Boards. It is used to keep a check on the overall delivery plan spanning multiple teams and to plan sprints and work based on cross-team dependencies. We can see the start and end dates of each team’s sprint deliveries and use these insights to plan work better.
Steps to Integrate in Azure DevOps Organization
- Install the extension in the Azure DevOps organization.
- It can be used directly under Azure Boards. It doesn’t need a Service Connection.
Below is the hub added under Azure Boards.

Below is the delivery plan of multiple teams. All teams can view each other’s sprint plans and keep a check on the delivery dates. This helps with better sprint and story planning according to the dependencies between teams. In this example there are two teams, the WebDevelopment team and the BackEnd team, and the start and end dates of each team’s sprints are part of the data shown. For example, Sprint 1 of the BackEnd team is planned only after the first team is done with its first sprint.

10. Estimate – Planning Poker Extension
Estimate is a great small and fun extension which can be used to estimate story points for agile/scrum user stories. It adds a hub in Azure Boards and provides a voting system where each team member votes for story points independently; the votes are later revealed to the entire team to reach a conclusion based on discussion and majority. Below is the hub added by the extension.

Steps to Integrate in Azure DevOps Organization and how to use it
- Install the extension in the Azure DevOps organization.
- It adds a hub under Azure Boards. There is no need for a Service Connection in this case.
- Open Estimate under Azure Boards and it should show a screen to create a planning poker session.
- Select the team, sprint and story point approach (as shown below).
- We should see each user story and its tasks. Clicking on a user story asks each team member to vote for story points.
- Once done, everyone’s votes can be revealed and the story points finalized based on discussion and majority.

Open the session and everyone should be able to vote as explained above. In this case there is only one member in the team 🙂

11. Contribution Graph
This is a great small Azure Boards extension. It adds a hub under Azure Boards. Using it, every team member can keep a check on their contribution to the delivery process. It provides a great way to check and visually see the value added by each team member. We can visually see the number of code commits and resolved stories for single or multiple repositories under a project. Below is the hub added under Azure Boards.

Steps to Integrate in Azure DevOps and how to use it
- Install the extension in the Azure DevOps organization.
- It is directly added as a hub in Azure Boards under all projects. There is no need for a Service Connection for this extension.
- Open Contribution Graph from Boards and it shows a report with all details for the current user, as explained above. See below for more details.

12. ReportGenerator
ReportGenerator is one of the top extensions in Azure DevOps related to unit test code coverage. There are various test runner tools and products available on the market, including Visual Studio test projects (MSTest/MSTestV2), dotCover and many more. Each of them generates the code coverage report differently, some generating XML files and others using other formats. DevOps teams need a way to parse this coverage data and generate a report that is easily understood and provides detailed insights. ReportGenerator solves this: it reads most code coverage formats from various products and generates a human-readable report. The coverage report is made available under the Azure Pipelines run details window, as shown below.

Steps to Integrate in Azure DevOps and how to use it
- Install the ReportGenerator extension in the Azure DevOps organization. This directly provides a task to integrate in Azure Pipelines.
- After calling the build and unit test tasks for our project, add the ReportGenerator task; it reads the coverage file generated by the unit test task (and test runner).
- ReportGenerator adds a detailed, human-readable coverage report under the pipeline run details window, as shown above.
The YAML task used should look like below.

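To show what a coverage report task actually does with the test runner’s output, here is an added example (not part of the article and not ReportGenerator’s own code) that reads a Cobertura-format coverage XML file, one of the XML formats such tools consume, summarises line coverage per class and fails the build below a threshold. The Cobertura document embedded here is constructed, and the input path and threshold are placeholders.

```python
"""Summarise Cobertura coverage XML per class and enforce a minimum line coverage."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in Cobertura layout: two classes, 6 of 8 distinct lines hit.
SAMPLE_COBERTURA = """
<coverage line-rate="0.75" branch-rate="0.5" version="1.9">
  <packages>
    <package name="Shop.Web">
      <classes>
        <class name="Shop.Web.CartController" filename="CartController.cs">
          <lines>
            <line number="10" hits="3"/>
            <line number="11" hits="3"/>
            <line number="12" hits="0"/>
          </lines>
        </class>
        <class name="Shop.Web.PaymentService" filename="PaymentService.cs">
          <lines>
            <line number="5" hits="1"/>
            <line number="6" hits="1"/>
            <line number="7" hits="1"/>
            <line number="8" hits="1"/>
            <line number="9" hits="0"/>
          </lines>
        </class>
      </classes>
    </package>
  </packages>
</coverage>
"""


def summarise(xml_text):
    """Return {class_name: (covered_lines, total_lines)} counting distinct line numbers.

    A line is covered if any of its <line> entries has hits > 0; duplicates for
    the same line number (as some runners emit) are merged rather than double-counted.
    """
    root = ET.fromstring(xml_text)
    summary = {}
    for cls in root.iter("class"):
        seen = {}
        for line in cls.iter("line"):
            number = line.get("number")
            seen[number] = seen.get(number, False) or int(line.get("hits", "0")) > 0
        summary[cls.get("name")] = (sum(1 for hit in seen.values() if hit), len(seen))
    return summary


def total_line_rate(summary):
    """Overall covered/total ratio across all classes (0.0 when nothing was measured)."""
    covered = sum(c for c, _ in summary.values())
    total = sum(t for _, t in summary.values())
    return covered / total if total else 0.0


if __name__ == "__main__":
    path = os.environ.get("COVERAGE_XML", "coverage.cobertura.xml")  # placeholder path
    threshold = float(os.environ.get("MIN_LINE_COVERAGE", "0.8"))     # placeholder threshold
    with open(path, encoding="utf-8") as fh:
        per_class = summarise(fh.read())
    for name, (covered, total) in sorted(per_class.items()):
        print("%-40s %3d/%3d lines" % (name, covered, total))
    rate = total_line_rate(per_class)
    print("Total line coverage: %.1f%%" % (rate * 100))
    sys.exit(0 if rate >= threshold else 1)  # non-zero exit fails the pipeline task
```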
Conclusion
I hope you like the article and that it helps in deciding on the right set of Azure DevOps extensions and adds value. Do provide your comments and connect. If you want more information on any other extension or feel something is not right, do share it in the comments. I will try to make the necessary changes and add more information as soon as possible.
Hi,
How do I get (download maybe?) and install these extensions? How much do they cost?
Thank you,
Julius.
You should be able to go to your Azure DevOps instance and then go to the marketplace from there and install these plugins. They are made available here: https://marketplace.visualstudio.com/azuredevops