Extensions overview

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018

Extensions are add-ons, which you can use to customize and extend your experience with Azure DevOps. They're written with standard technologies - HTML, JavaScript, CSS - and developed using your preferred development tools.

Extensions get published at the Visual Studio Marketplace, where they can be kept private for you and your team or shared publicly with the millions of developers currently using Azure DevOps.

Extensions use our RESTful API Library to easily interact with Azure DevOps and applications/services.

Understand parts of an extension


The following items make up an extension:

  • JSON manifest file: Contains basic info about the extension.
  • Discovery assets: Markdown and images that make up the extension's overview and aesthetics in the Marketplace.
  • Static files: Contain the logic of the extension, including HTML, JS, and CSS files. Static files are only applicable to contribution-based extensions.

These files and assets get bundled up to make a VSIX file that gets published to the Marketplace.

From the Marketplace, users can install extensions directly into their organization. If you don't have permissions to install an extension, but you're a project member, you can request an extension instead.

Use an extension

There are dozens of ways you can use an extension and places where you can add to the user interface, and we're adding more every sprint. Learn about all of the places where you can add a hub in the Extensibility points.

Evaluate a Marketplace extension

To evaluate a Marketplace extension, review the information and resources described in the following table. You can find this information in the extension information

Information

Usage


Top Publisher badge

The publisher demonstrates commitment to its customers and the Marketplace through excellent policies, quality, reliability, and support. For more information, see Top Publisher.


Q & A

The Q & A section of a published extension might answer questions you have. It's also a good way to engage with the extension's publisher(s) in a meaningful dialogue until you're comfortable with the extension. Use the Q & A information to understand the development, testing, and security practices the publisher follows. It also gives you a sense of the publisher's responsiveness.


Ratings & reviews

Ratings and reviews indicate how others perceive the offering. For more information, see Respond to customer feedback.


Privacy, license, and support policies

See if the publisher provided them and if they meet your needs or concerns. For more information, go to Safety information.


Safety information

  • Malware scan: The Marketplace runs a virus scan on each new and updated extension package that's published, to ensure its safety. Until the scan is all clear, we don't publish the extension for public usage. If a concern surfaces, the Marketplace team has the means to disable an extension immediately and notify its existing customers.

  • Content scan: The Marketplace scans content for every new and updated extension to avoid surfacing inappropriate or offensive content on the Marketplace pages.

  • Access to approved scopes only: An extension can only operate within the granted scopes. For example, an extension that has only read permissions on work items can't modify your features and bugs. Azure DevOps web extensions run in a sandboxed browser IFrame. They're only able to access Azure DevOps data and APIs approved for the extension. During installation, admins are prompted to approve permissions and scopes. One way to protect yourself is to carefully review the scopes the extension requests.

    Note

    If the scopes change for an extension, you must approve the update before it can take effect in your organization or collection.

  • Third-party build and release tasks: Tasks are implemented as code that executes on an agent machine. Tasks are only able to access secrets explicitly provided to them (see variable secrets), but tasks generally have full access to the agent machine itself. To reduce risk, run builds on Microsoft-hosted agents, which are VMs isolated from other jobs and recycled after each job. Or, limit file and network access on private hosted agent machines. Learn more about build and release agents.

  • Third-party code execution on the server: There's no way for an extension to install or execute any code on Azure DevOps Server.
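
As an added example (not code from this article or from Azure DevOps), the following Node.js script shows one way to review an extension's JSON manifest before approving it: it separates read-only scopes from broader ones, lists scopes that weren't previously approved, and flags build and release task contributions, which run on an agent rather than in the browser sandbox. The sample manifest is constructed, and the suffix-based scope classification is a heuristic assumption, not an official rule.

```javascript
// Constructed sample manifest for illustration; not a real Marketplace extension.
const sampleManifest = JSON.stringify({
  id: "sample-extension",
  publisher: "example-publisher",
  version: "1.2.0",
  scopes: ["vso.work", "vso.code_write", "vso.build_execute"],
  contributions: [
    { id: "sample-hub", type: "ms.vss-web.hub" },
    { id: "sample-task", type: "ms.vss-distributed-task.task" }
  ]
});

// Heuristic (assumption): a scope ending in one of these suffixes grants more than read access.
const ELEVATED_SUFFIX = /_(write|manage|execute|full|publish)$/;
// Contribution type used by build and release tasks.
const TASK_TYPE = "ms.vss-distributed-task.task";

// manifestText: contents of the extension's JSON manifest.
// approvedScopes: scopes an admin approved for the currently installed version (hypothetical input).
function reviewManifest(manifestText, approvedScopes = []) {
  const manifest = JSON.parse(manifestText);
  const scopes = Array.isArray(manifest.scopes) ? manifest.scopes : [];
  const contributions = Array.isArray(manifest.contributions) ? manifest.contributions : [];
  const approved = new Set(approvedScopes);
  return {
    extension: `${manifest.publisher}.${manifest.id}@${manifest.version}`,
    elevated: scopes.filter((s) => ELEVATED_SUFFIX.test(s)),
    readOnly: scopes.filter((s) => !ELEVATED_SUFFIX.test(s)),
    // Scopes outside the previously approved set require a fresh admin approval.
    newSinceApproval: scopes.filter((s) => !approved.has(s)),
    // Tasks execute as code on the agent machine, so review them separately.
    agentTasks: contributions.filter((c) => c.type === TASK_TYPE).map((c) => c.id)
  };
}

const report = reviewManifest(sampleManifest, ["vso.work"]);
console.log(JSON.stringify(report, null, 2));
```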

Build an extension

Before you build an extension, familiarize yourself with the extension types already available within the Marketplace, Extensions for Azure DevOps. Learn how to build your first extension and check out our full set of samples.

For more information about building extensions, see the following articles:
