We actively support the following versions of Azure DevOps MCP with security updates:
| Version | Supported |
|---------|-----------|
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
We take security vulnerabilities seriously. If you discover a security vulnerability in Azure DevOps MCP, please report it to us as follows:
- DO NOT create a public GitHub issue for security vulnerabilities
- Use GitHub's private vulnerability reporting feature
- Use GitHub's security advisory feature: Go to the Security tab → Report a vulnerability
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Any suggested fixes or mitigations
- Your contact information for follow-up questions
- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We will assess the vulnerability within 5 business days
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- Disclosure: We will coordinate with you on the disclosure timeline
This project implements several security measures:
- Azure DevOps Personal Access Token (PAT) authentication
- Configurable authorization levels per operation
- IP whitelisting support for production deployments
- API key authentication for additional security layers
- Sensitive data filtering in logs
- Azure Key Vault integration for secrets management
- No storage of credentials in application memory beyond necessary caching
- Automatic secret rotation support
- HTTPS enforcement in production
- CORS configuration for web access
- Request rate limiting to prevent abuse
- Circuit breaker pattern for resilience
- Comprehensive audit logging for all operations
- Security event monitoring with Sentry integration
- Performance monitoring to detect anomalies
- Health checks for security components
- Regular dependency updates via Dependabot
- Static code analysis with CodeQL
- Container vulnerability scanning with Trivy
- Secret scanning to prevent credential exposure
```json
{
  "Security": {
    "EnableKeyVault": true,
    "KeyVaultUrl": "https://your-keyvault.vault.azure.net/",
    "EnableApiKeyAuth": true,
    "EnableIpWhitelist": true,
    "AllowedIpRanges": ["10.0.0.0/8", "192.168.0.0/16"],
    "EnableRequestSigning": true
  },
  "Logging": {
    "EnableSensitiveDataFiltering": true,
    "SensitiveDataPatterns": [
      "pat_[a-zA-Z0-9]{52}",
      "Authorization:\\s*Bearer\\s+[a-zA-Z0-9\\-._~+/]+=*"
    ]
  },
  "RateLimiting": {
    "EnableRateLimiting": true,
    "RequestsPerMinute": 60,
    "RequestsPerHour": 1000
  }
}
```
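As an added example that is not part of this project's code, the following Python snippet loads the `Security` and `Logging` sections of the sample configuration above and shows what the two `SensitiveDataPatterns` do to constructed log lines, together with the `AllowedIpRanges` check. The function names and the log lines are assumptions made for illustration; the project's real implementation may differ.

```python
import ipaddress
import json
import re

# Subset of this page's sample configuration, embedded as a constructed raw
# string so the example runs offline (raw string keeps the JSON escapes intact).
CONFIG_JSON = r"""{
  "Security": {"EnableIpWhitelist": true,
               "AllowedIpRanges": ["10.0.0.0/8", "192.168.0.0/16"]},
  "Logging": {"EnableSensitiveDataFiltering": true,
              "SensitiveDataPatterns": [
                "pat_[a-zA-Z0-9]{52}",
                "Authorization:\\s*Bearer\\s+[a-zA-Z0-9\\-._~+/]+=*"]}
}"""
CONFIG = json.loads(CONFIG_JSON)

def build_filter(config: dict):
    """Compile SensitiveDataPatterns into one regex; None when filtering is off."""
    logging_cfg = config.get("Logging", {})
    patterns = logging_cfg.get("SensitiveDataPatterns", [])
    if not logging_cfg.get("EnableSensitiveDataFiltering") or not patterns:
        return None
    return re.compile("|".join(f"(?:{p})" for p in patterns))

def redact(line: str, compiled) -> str:
    """Replace every match with a fixed marker before the line reaches a log sink."""
    return compiled.sub("[REDACTED]", line) if compiled else line

def is_allowed_ip(client_ip: str, config: dict) -> bool:
    """Mirror EnableIpWhitelist/AllowedIpRanges: allow everything when disabled."""
    sec = config.get("Security", {})
    if not sec.get("EnableIpWhitelist"):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in sec.get("AllowedIpRanges", []))

FILTER = build_filter(CONFIG)
SAMPLE_PAT = "pat_" + "A1" * 26  # constructed 52-character body, not a real PAT
# Constructed log lines: two carry secrets, the third is a harmless near-miss.
SAMPLE_LOG = [
    "GET /_apis/wit/workitems 200 Authorization: Bearer abc.def-ghi_jkl==",
    f"rotated token={SAMPLE_PAT} for svc-build",
    "health check ok (pattern id pat_short)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line, FILTER))
    print(is_allowed_ip("10.20.30.40", CONFIG), is_allowed_ip("203.0.113.5", CONFIG))
```

Note that the PAT pattern only catches tokens of exactly the configured length, so any change to the token format needs a matching change to the pattern.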
Ensure these environment variables are securely configured:
- `AZDO_ORGANIZATIONURL`: Azure DevOps organization URL
- `AZDO_PERSONALACCESSTOKEN`: Azure DevOps PAT (store in secrets)
- `AZURE_KEY_VAULT_URL`: Azure Key Vault URL for secrets
- `API_KEY_HASH`: Hashed API keys for authentication
- Never commit secrets or credentials to the repository
- Use the provided secret management system
- Follow secure coding practices for authentication flows
- Validate all inputs and sanitize outputs
- Use HTTPS for all external communications
- Regularly rotate Azure DevOps PATs
- Monitor access logs for suspicious activity
- Keep the application and dependencies updated
- Use Azure Key Vault for production secrets
- Configure IP whitelisting for production deployments
- Enable comprehensive logging and monitoring
- Use least-privilege Azure DevOps PATs
- Regularly review and rotate access tokens
- Monitor Azure DevOps audit logs for unexpected activity
- Report any suspicious behavior immediately
This project adheres to:
- OWASP Top 10 security guidelines
- Microsoft Security Development Lifecycle (SDL)
- Azure security best practices
- Industry standard authentication protocols
Security updates will be:
- Released as soon as possible for critical vulnerabilities
- Clearly marked in release notes
- Backward compatible when possible
- Documented with migration guides when breaking changes are necessary
For security-related questions or concerns:
- GitHub Security Advisories: Use the Security tab → Report a vulnerability
- General questions: Create a GitHub issue (non-security related only)
Thank you for helping keep Azure DevOps MCP secure!