Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018
Extensions use our RESTful API Library to easily interact with Azure DevOps and applications/services.
Understand parts of an extension
The following items make up an extension:
- JSON manifest file: Contains basic info about the extension.
- Discovery assets: Markdown and images that make up the extension's overview and aesthetics in the Marketplace.
- Static files: Contain the logic of the extension, including HTML, JS, and CSS files. Static files are only applicable to contribution-based extensions.
These files and assets get bundled up to make a VSIX file that gets published to the Marketplace.
From the Marketplace, users can install extensions directly into their organization. If you don't have permissions to install an extension, but you're a project member, you can request an extension instead.
Use an extension
There are dozens of ways you can use an extension and places where you can add to the user interface, and we're adding more every sprint. Learn about all of the places where you can add a hub in the Extensibility points.
- Provide new Azure Pipelines tasks that teams can use in their builds.
- Use dashboard widgets to get custom views within Azure DevOps.
- Extend the work item form with new tabs, sections, and actions.
- Create your own hub to embed new capabilities within our Agile, code, build, and test experiences.
- Develop actions that can be run on hubs, whether they're ours or ones you created.
Evaluate a Marketplace extension
To evaluate a Marketplace extension, review the information and resources described in the following table. You can find this information in the extension information
Top Publisher badge
The publisher demonstrates commitment to its customers and the Marketplace through excellent policies, quality, reliability, and support. For more information, see Top Publisher.
Q & A
The Q & A section of published extensions might answer questions you have. Also, they're a good mechanism to engage with the extension’s publisher(s) to have a meaningful dialogue to make yourself comfortable. Use the Q & A information to understand the development, testing, and security practices the publisher follows. It also gives you a sense of the publisher's responsiveness.
Ratings & reviews
Ratings and reviews indicate how others perceive the offering. For more information, see Respond to customer feedback.
Privacy, license, and support policies
See if the publisher provided them and if they meet your needs or concerns. For more information, go to Safety information.
Malware scan: The Marketplace runs a virus scan on each new and updated extension package that publishes to ensure its safety. Until the scan is all clear, we don't publish the extension for public usage. If a concern surfaces, the Marketplace team has the means to disable an extension immediately and notify its existing customers.
Content scan: The Marketplace scans content for every new and updated extension to avoid surfacing inappropriate or offensive content on the Marketplace pages.
Access to approved scopes only: An extension can only operate within the granted scopes. For example, an extension that has only read permissions on work items can't modify your features and bugs. Azure DevOps web extensions run in a sandboxed browser IFrame. They're only able to access Azure DevOps data and APIs approved for the extension. During installation, admins are prompted to approve permissions and scopes. One way to protect yourself is to carefully review the scopes the extension requests.
If the scopes change for an extension, the you must approve the update before it can become applicable on your organization or collection.
Third-party build and release tasks: Tasks are implemented as code that executes on an agent machine. Tasks are only able to access secrets explicitly provided to them (see variable secrets), but tasks generally have full access to the agent machine itself. To reduce risk, run builds on Microsoft-hosted agents, which are VMs isolated from other jobs and recycled after each job. Or, limit file and network access on private hosted agent machines. Learn more about build and release agents.
Third-party code execution on the server: There's no way for an extension to install or execute any code on Azure DevOps Server.
Build an extension
Before you build an extension, familiarize yourself with the extension types already available within the Marketplace, Extensions for Azure DevOps. Learn how to build your first extension and check out our full set samples.
For more information about building extensions, see the following articles:
- REST APIs
- Service Hooks
- Package, publish, and install your extension
- Package and publish your integration with an external app or service
- Share your work publicly with the entire community