Copilot Code Review for Azure DevOps

Automated pull request code reviews powered by the official GitHub Copilot CLI or Claude Code CLI. Get automated feedback on your PRs while leaving your code hosted in Azure DevOps repos.

Overview

This Azure DevOps extension provides a pipeline task that automatically reviews pull request code changes using GitHub Copilot or Claude Code. When triggered, the task:

1. Fetches pull request details, changed files, and linked work item details from Azure DevOps
2. Invokes the configured CLI agent (GitHub Copilot or Claude Code) to analyze the changes
3. Posts review comments directly to the pull request

This brings AI-powered code review capabilities to Azure DevOps, helping teams improve code quality through AI-assisted reviews.

Prerequisites

This extension supports Windows and Linux Azure DevOps agents. Compatible with MS-hosted and self-hosted agents. Before using, ensure you have:

• AI Agent (one of the following):
  • GitHub Copilot (default): An active GitHub Copilot subscription and a GitHub PAT with Copilot access permissions
  • Claude Code: An Anthropic API key with access to Claude Code
• Azure DevOps Authentication (one of the following):
  • System Access Token (Recommended): Use the pipeline's built-in OAuth token for Azure DevOps Services. Must grant permissions to Build Service Identity (see below).
  • Personal Access Token: Required for Azure DevOps Server (on-prem) or if you prefer explicit token management. Needs permissions to read pull requests, write comments, and read code.
• PowerShell 7+: This extension requires PowerShell 7 or later (pwsh) to be installed on the agent. PowerShell 7 is pre-installed on Microsoft-hosted agents.

Installation

1. Install the extension from the Azure DevOps Marketplace
2. Navigate to your Azure DevOps organization settings
3. Go to Extensions and verify the extension is installed

Usage

Using System Access Token

The recommended approach for Azure DevOps Services uses the pipeline's built-in System Access Token and a personal access token for a GitHub account with Copilot access:

trigger: none

pool:
  vmImage: 'ubuntu-latest'  # or 'windows-latest'

steps:
- checkout: self
  fetchDepth: 0

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true

IMPORTANT: When using useSystemAccessToken, ensure the Build Service identity has "Contribute to pull requests" permission on your repository. See Granting Build Service Permissions below.

Using Personal Access Token

For Azure DevOps Server (on-prem) or if you prefer explicit token management:

trigger: none

pool:
  vmImage: 'ubuntu-latest'  # or 'windows-latest'

steps:
- checkout: self
  fetchDepth: 0

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'

Using Claude Code CLI

To use Claude Code instead of GitHub Copilot, enable useClaudeCode and provide an Anthropic API key:

trigger: none

pool:
  vmImage: 'ubuntu-latest'  # or 'windows-latest'

steps:
- checkout: self
  fetchDepth: 0

- task: CopilotCodeReview@1
  displayName: 'Claude Code Review'
  inputs:
    useClaudeCode: true
    anthropicApiKey: '$(ANTHROPIC_API_KEY)'
    useSystemAccessToken: true
    model: 'claude-sonnet-4-6'
    maxTurns: '50'
    maxBudget: '5.00'

NOTE: Claude Code CLI is installed automatically via npm install -g @anthropic-ai/claude-code. Node.js is available on all Azure DevOps agents. Output is streamed to the pipeline logs in real time.

Set Trigger

Use branch policies on your protected branches to specify the pipeline as a build validation that must finish before the PR can be completed:

With Custom Prompt

You can customize the review prompt to focus on aspects tailored to your needs:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
    prompt: |
      Review this code focusing only on:
      - Security vulnerabilities
      - Performance bottlenecks
      - Code simplification
      Avoid lengthy explanations, keep comments concise and direct.

For longer custom prompts, create a .txt file in your repository and pass the file path as a task input:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
    promptFile: '$(Build.SourcesDirectory)/.copilot/review-prompt.txt'

Manual Trigger for Specific PR

If you don't want to setup an automatic trigger, you can instead set up a pipeline with a Pull Request ID parameter to run reviews on demand:

parameters:
  - name: pullRequestId
    displayName: 'Pull Request ID'
    type: string
    default: ''

trigger: none

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
    fetchDepth: 0

  - task: CopilotCodeReview@1
    displayName: 'Copilot Code Review'
    inputs:
      githubPat: '$(GITHUB_PAT)'
      useSystemAccessToken: true
      pullRequestId: '${{ parameters.pullRequestId }}'

Input Reference

Input	Required	Default	Description
githubPat	Conditional	-	GitHub Personal Access Token with Copilot access. Required when using GitHub Copilot CLI (default).
useClaudeCode	No	false	Use Claude Code CLI (Anthropic) instead of GitHub Copilot CLI
anthropicApiKey	Conditional	-	Anthropic API key. Required when useClaudeCode is true.
maxTurns	No	-	Maximum agentic turns for Claude Code CLI
maxBudget	No	-	Maximum cost in USD for a Claude Code session
useSystemAccessToken	No	false	Use pipeline's System.AccessToken instead of a PAT (recommended for Azure DevOps Services)
azureDevOpsPat	Conditional	-	Azure DevOps PAT for API access. Required if useSystemAccessToken is false.
organization	No	$(System.CollectionUri) (inferred)	Azure DevOps organization name for cloud-hosted teams
collectionUri	No	$(System.CollectionUri)	Azure DevOps collection URI for on-prem instances
project	No	$(System.TeamProject)	Azure DevOps project name
repository	No	$(Build.Repository.Name)	Repository name
pullRequestId	No	$(System.PullRequest.PullRequestId)	PR ID (auto-detected in PR builds)
timeout	No	15	Timeout in minutes
model	No	-	Preferred model to use (see valid options below)
promptFile	No	-	Path to custom prompt file
prompt	No	-	Inline custom prompt (overrides promptFile)
promptFileRaw	No	-	(Advanced) Path to custom prompt file that will be passed as-is with no supportive direction.
promptRaw	No	-	(Advanced) Inline custom prompt that will be passed as-is with no supportive direction.
authors	No	-	Comma-separated list of email addresses to filter reviews (see below)
includeWorkItems	No	true	Fetch and include linked work item details as review context
diffOnlyReview	No	false	Restrict the review to only the PR diff (see Diff-Only Review Mode)
publishPromptArtifacts	No	false	Publish context files and the final prompt as pipeline artifacts for debugging

Copilot Models

As of May 2026, here are the model options supported by the GitHub Copilot CLI:

• claude-sonnet-4.6 (default)
• claude-sonnet-4.5
• claude-haiku-4.5
• claude-opus-4.5
• gpt-5.4
• gpt-5.4-mini
• gpt-5.3-codex
• gpt-5.2-codex
• gpt-5.2
• gpt-5-mini
• gpt-4.1
• gemini-3-pro-preview

Claude Code Models

As of April 2026, here are the model options supported by the Claude Code CLI:

Alias	Description
default	Recommended model setting, depending on your account type
sonnet	Uses the latest Sonnet model (currently Sonnet 4.6) for daily coding tasks
opus	Uses the latest Opus model (currently Opus 4.6) for complex reasoning tasks
haiku	Uses the fast and efficient Haiku model for simple tasks
sonnet[1m]	Uses Sonnet with a 1 million token context window for long sessions
opus[1m]	Uses Opus with a 1 million token context window for long sessions
opusplan	Special mode that uses opus during plan mode, then switches to sonnet for execution

Aliases always point to the latest version. To pin to a specific version, use the full model name (for example, claude-opus-4-6).

Author Filtering

Use the authors input to limit code reviews to PRs created by specific users. This is useful when you want to:

• Only review code from certain team members (e.g. junior developers)
• Exclude automated bot PRs from review
• Limit Copilot usage to a subset of contributors
• Use separate prompts/models for certain team members

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
    authors: 'alice@example.com, bob@example.com, charlie@example.com'

When configured:

• The task compares $(Build.RequestedForEmail) against the provided email list
• If the PR author's email matches any in the list, the review proceeds normally
• If no match is found, the task completes successfully without running the code review
• Email comparison is case-insensitive

Diff-Only Review Mode

By default, the CLI agent has full access to the repository and can explore files beyond the PR diff. This equips the agent with more contextual awareness, leading to more relevant feedback. However, for large codebases this can result in excessive token consumption as the agent reads unrelated files for context.

Enable diffOnlyReview to restrict the review to only the code changes in the PR:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
    diffOnlyReview: true

When enabled:

• The PR diff is pre-computed via git diff (using merge-base / three-dot syntax to match the ADO PR UI) and embedded directly in the prompt along with all PR context (details, iteration info, work items)
• Built-in file-browsing tools (Read, Glob, Grep) are removed from the agent's tool set; the agent is restricted to PowerShell shell commands only
• The prompt explicitly directs the agent to use only the embedded diff and to refrain from reading files or running git commands to explore the repository
• Token usage becomes proportional to the size of the actual code changes, not the size of the repository

Limitations: The agent retains shell access to pwsh because it needs to invoke the comment-posting scripts (Add-CopilotComment.ps1, Update-CopilotComment.ps1). Because pwsh is a general-purpose shell, this technically permits arbitrary command execution; the diff-only behavior is enforced by the combination of removed file-browsing tools, embedded context, and explicit prompt instructions rather than by hard tool-level constraints alone.

Requirements:

• The pipeline must use fetchDepth: 0 (full clone) so that both source and target commits are available for diff computation
• When using raw prompt modes (promptRaw or promptFileRaw), prompts should be constructed assuming that all diff context will be appended to the end

Trade-off: The agent loses the ability to check broader codebase patterns and conventions. This is the intended trade-off for users prioritizing token efficiency over deep contextual review.

If the diff cannot be computed (e.g., missing commits due to a shallow clone), the task will fail with a descriptive error rather than silently consuming excessive tokens.

Publishing Prompt Artifacts

Enable publishPromptArtifacts to publish all generated context files and the final assembled prompt as pipeline artifacts. This is useful for debugging prompt construction, verifying what context the CLI agent received, or inspecting the diff content in diff-only mode.

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
    publishPromptArtifacts: true

The published artifact (CopilotCodeReview) will contain files such as PR_Details.txt, Iteration_Details.txt, commit SHA files, work item details (if enabled), and the final prompt file sent to the CLI agent.

Setting Up Authentication

Option 1: System Access Token (Recommended)

The system access token is the Microsoft-recommended authentication method for Azure DevOps Services. It uses OAuth and requires no PAT management.

Granting Build Service Permissions

The Build Service identity needs permission to contribute to pull requests:

1. Navigate to Repos
2. From the repository dropdown, go to Manage repositories
3. Go to the Security tab
4. Find the [Project Name] Build Service ([Org Name]) identity
5. Set Read to Allow
6. Set Contribute to pull requests to Allow

TIP: If you don't see the Build Service identity, run a pipeline first to ensure it's been created.

Option 2: Personal Access Token

Create a personal access token:

1. Navigate to User settings > Personal access tokens
2. Click New token
3. Click Show all scopes
4. Create a new token with the following scopes:
   • Code: Read
   • Pull Request Threads: Read & Write
   • Work Item: Read (Optional)
5. Store the token as a secret variable in your Azure DevOps pipeline

NOTE: When using a PAT, PR comments will be attributed to the account that created the PAT. For large teams, consider using a dedicated service account.

GitHub Personal Access Token (for Copilot CLI)

1. Go to GitHub Settings > Developer Settings > Personal Access Tokens
2. Generate a new Fine-grained token with the following options:
   • Repository access: Public
   • Permission: Copilot Requests
3. Store the token as a secret variable in your Azure DevOps pipeline

IMPORTANT: If your user account is part of a GitHub organization, ensure the organization admin goes to GitHub Policies > Copilot > Copilot CLI and sets the policy to Enabled everywhere

Anthropic API Key (for Claude Code CLI)

1. Go to Anthropic Console
2. Create an API key
3. Store the key as a secret variable in your Azure DevOps pipeline (e.g., ANTHROPIC_API_KEY)

Storing Tokens in Azure DevOps

1. Navigate to Pipelines > Library
2. Create a new Variable Group or edit an existing one
3. Add the relevant variables:
   • GITHUB_PAT (mark as secret) — for Copilot CLI
   • ANTHROPIC_API_KEY (mark as secret) — for Claude Code CLI
   • AZURE_DEVOPS_PAT (mark as secret) — if not using System Access Token
4. Link the variable group to your pipeline

Alternatively, you can create the pipeline first and then configure the pipeline-specific variables.

How It Works

1. Install CLI Agent: The task ensures the configured CLI agent is installed on the build agent. GitHub Copilot CLI is installed via winget (Windows) or the official install script (Linux). Claude Code CLI is installed via npm install -g @anthropic-ai/claude-code.
2. Fetch PR Context: The task retrieves pull request metadata, existing comments, iteration details, and linked work item details via the Azure DevOps API
3. Run Code Review: Using the PR context and local Git commands, the CLI agent analyzes the changes using the configured or default prompt
4. Post Comments: Review findings are posted as comments on the pull request via the Azure DevOps API

Default Review Focus Areas

The default prompt instructs Copilot to focus on:

• Performance: Identifying inefficient code patterns
• Best Practices: Adherence to coding standards
• Reusability: Opportunities for code reuse
• Maintainability: Code clarity and documentation
• Simplification: Reducing complexity
• Security: Potential vulnerabilities
• Code Consistency: Style and pattern consistency

Limitations

• GitHub Copilot CLI: On Windows, requires winget to be available. On Linux, requires curl and bash (standard on most systems). If using MS-hosted agents, these should be available by default.
• Claude Code CLI: Requires npm to be available (pre-installed on all Azure DevOps agents). Requires an Anthropic API key.
• General Comments Only: Posts general PR comments (file-level inline comments not yet supported)
• Context Window: Very large PRs may exceed the agent's context limits

Troubleshooting

Task fails with "GitHub Copilot CLI not found"

• Windows: Ensure your agent can access winget and has internet connectivity to install the Copilot CLI.
• Linux: Ensure curl and bash are available, and the agent has internet connectivity to download from https://gh.io/copilot-install.

Task fails with "Claude Code CLI not found"

• Ensure npm is available on the agent and the agent has internet connectivity to install @anthropic-ai/claude-code from npm.
• On self-hosted agents, ensure the agent user has permission to install global npm packages.

Authentication errors

Verify that:

• Your GitHub PAT has Copilot access
  • If your user account is part of a GitHub organization, ensure the organization admin goes to GitHub Policies > Copilot > Copilot CLI and sets the policy to Enabled everywhere
• If using azureDevOpsPat:
  • Your Azure DevOps PAT has Code (Read) and Pull Request Threads (Read & Write) permissions
  • The token is not expired
• If using useSystemAccessToken:
  • The Build Service identity has "Contribute to pull requests" permission on the repository
  • Try explicitly mapping the SYSTEM_ACCESSTOKEN environment variable:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    useSystemAccessToken: true
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Timeout errors

For large PRs, increase the timeout input value. The default is 15 minutes.

No comments posted

Check the pipeline logs for Copilot's analysis output and determine if the agent experienced connectivity issues when posting comments. Even if Copilot finds no issues, it should still post a single comment indicating the PR looks good when using the default prompt.

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests on GitHub.

License

This project is licensed under GNU General Public License v3 - see the LICENSE file for details.

Support

For issues and feature requests, please use the GitHub Issues page.

Acknowledgments

• Built with Azure Pipelines Task SDK
• Powered by GitHub Copilot and Claude Code

Disclaimers

• This project is not affiliated with or endorsed by Azure, GitHub, Anthropic, or the Microsoft Corporation.
• All responses and interactions generated by GitHub Copilot or Claude Code remain subject to the probabilistic nature of the underlying LLM. As with all LLM-based interactions, there is a non-zero chance of unpredictable results. Use at your own discretion.