Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018
Extensions get published at the Visual Studio Marketplace, where they can be kept private for you and your team or shared publicly with the millions of developers currently using Azure DevOps.
Extensions use our RESTful API Library to easily interact with Azure DevOps and applications/services.
Understand parts of an extension
The following items make up an extension:
- JSON manifest file: Contains basic info about the extension.
- Discovery assets: Markdown and images that make up the extension's overview and aesthetics in the Marketplace.
- Static files: Contain the logic of the extension, including HTML, JS, and CSS files. Static files are only applicable to contribution-based extensions.
These files and assets get bundled up to make a VSIX file that's published to the Marketplace.
From the Marketplace, users can install extensions directly into their organization. If you don't have permissions to install an extension, but you're a project member, you can request an extension instead.
Use an extension
There are dozens of ways you can use an extension and places where you can add to the user interface, and we're adding more every sprint. Learn about all of the places where you can add a hub in the Extensibility points.
- Provide new Azure Pipelines tasks that teams can use in their builds.
- Use dashboard widgets to get custom views within Azure DevOps.
- Extend the work item form with new tabs, sections, and actions.
- Create your own hub to embed new capabilities within our Agile, code, build, and test experiences.
- Develop actions that can be run on hubs, whether they're ours or ones you've created.
Evaluate a Marketplace extension
To evaluate a Marketplace extension, review the information and resources described in the following table. You can find this information in the extension information
Top Publisher badge
The publisher has demonstrated commitment to its customers and the Marketplace through excellent policies, quality, reliability, and support. For more information, go to Top Publisher.
Q & A
The Q & A section of published extensions may answer questions you may have. Also, they're a good mechanism to engage with the extension’s publisher(s) to have a meaningful dialogue to make yourself comfortable. Use the Q & A information to understand the development, testing, and security practices the publisher follows. It also gives you a sense of the publisher's responsiveness.
Ratings & reviews
Ratings and reviews indicate how others perceive the offering.
Privacy, license, and support policies
See if the publisher has provided them and if they meet your needs or concerns. For more information, go to Safety information.
Malware scan: The Marketplace runs a virus scan on each new and updated extension package that's published to ensure its safety. Until the scan is all clear, we don't publish the extension for public usage. If a concern surfaces, the Marketplace team has the means to disable an extension immediately and notify its existing customers.
Content scan: The Marketplace scans content for every new and updated extension to avoid surfacing inappropriate or offensive content on the Marketplace pages.
Access to approved scopes only: An extension can only operate within the granted scopes. For example, an extension that has only read permissions on work items can't modify your features and bugs. Azure DevOps web extensions run in a sandboxed browser IFrame. They're only able to access Azure DevOps data and APIs approved for the extension. During installation, admins are prompted to approve permissions and scopes. One way to protect yourself is to carefully review the scopes being requested by the extension.
If the scopes change for an extension, the you must approve the update before it can become applicable on your organization or collection.
Third-party build and release tasks: Tasks are implemented as code that executes on an agent machine. Tasks are only able to access secrets explicitly provided to them (see variable secrets), but tasks generally have full access to the agent machine itself. To reduce risk, run builds on Microsoft-hosted agents, which are VMs isolated from other jobs and recycled after each job. Or, limit file and network access on private hosted agent machines. Learn more about build and release agents.
Third-party code execution on the server: There's no way for an extension to install or execute any code on Azure DevOps Server.
The Top Publisher program in the Marketplace is designed to help you evaluate or acquire Azure DevOps extensions and integrations with confidence. The Top Publisher badge implies that the publisher has shown commitment to their customers and the Marketplace through exemplary policies, quality, reliability, and support. It's for publishers with one or more global Azure DevOps extensions or integrations and isn't applicable for Visual Studio IDE and Visual Studio Code extension publishers.
Marketplace assigns the badge to a publisher after carefully reviewing the publisher across the following parameters:
- Licensing policy
- Support policy
- Q & A responsiveness
- Ratings & review for their offerings
- Active uptake and the install count for their offerings
You can expect timely support and a good overall experience when you get an extension from a Top Publisher. Check out the offerings from the Top Publishers. For more information on the Top Publisher program, see the publisher facing requirements.
Through this program, it is the publisher that is being certified. This doesn't cover the software or security of their extensions and integrations. We recommend you read the previous section when you're evaluating the offerings from a publisher.
If you got an extension from a Top Publisher and aren't satisfied with your experience, consider engaging with the publisher first. Afterward, if you're still unsatisfied, contact the Marketplace team.
Build an extension
Before you build an extension, familiarize yourself with the extension types already available within the Marketplace, Extensions for Azure DevOps. Learn how to build your first extension and check out our full set samples.
For more information about building extensions, see the following articles:
- REST APIs
- Service Hooks
- Package, publish, and install your extension
- Package and publish your integration with an external app or service
- Share your work publicly with the entire community
Submit and view feedback for