Building an AI Pull Request Agent for Azure DevOps using GitHub Copilot SDK
Many of my customers are still using Azure DevOps. We’ve talked about moving their code to GitHub to take advantage of newer agentic capabilities, but for a lot of teams that move just isn’t possible right now. What does this mean for them? They’re missing out on the excellent GitHub Copilot code review experience. That didn’t sit right with me. Teams on Azure DevOps deserve the same level of innovation and care. So I built an Azure DevOps Pull Request Agent: an AI-powered agent that automatically reviews pull requests in Azure DevOps. The goal is simple: bring high-quality, AI-driven PR reviews to all customers, wherever they are in their DevOps journey.
I’ve been spending some time experimenting with the GitHub Copilot SDK, and it’s been a great experience so far. Under the hood, it relies on the GitHub Copilot CLI to handle task execution. If you haven’t explored the CLI yet, it’s well worth a look. Communication with the CLI happens over JSON-RPC, and thanks to its headless mode, it’s particularly well suited for server-side and automated scenarios.
What Does It Do?
The ADO Pull Request Agent is a fully automated code reviewer. Point it at any pull request in Azure DevOps, and it will:
- Fetch the PR diff: it connects to Azure DevOps to grab all the changes in a pull request.
- Analyze the code: an AI model (like Claude Sonnet) reviews the code with the mindset of a senior staff/principal engineer.
- Produce a structured Markdown report: the output covers security vulnerabilities, performance bottlenecks, maintainability concerns, and even suggests concrete patches.
How does it work?
Here is a high-level flow of the architecture:
┌──────────────┐      ┌─────────────────────┐      ┌──────────────────┐
│ ADO Pull     │─────▶│ GitHub Copilot SDK  │─────▶│ AI Model         │
│ Request      │      │ (Copilot CLI)       │      │ (e.g. Claude)    │
│ Agent        │      └─────────────────────┘      └──────────────────┘
│              │               │
│              │      ┌────────┴────────┐
│              │      │ MCP Servers     │
│              │      ├─────────────────┤
│              │      │ Azure DevOps    │──▶ PR diffs, work items
│              │      │ Microsoft Learn │──▶ Best practices docs
└──────────────┘      └─────────────────┘
- You provide the pull request ID and Azure DevOps parameters (organization, project, repository) via CLI arguments.
- The agent starts a GitHub Copilot CLI session and has access to two MCP (Model Context Protocol) servers:
  - Azure DevOps MCP: retrieves PR details, diffs, and related work items directly from your Azure DevOps instance.
  - Microsoft Learn MCP: looks up relevant best practices documentation to ground the review in official guidance.
- A detailed system prompt (pullreview.prompt) instructs the AI model to act as a rigorous, adversarial code reviewer with a security-first mindset.
- The model streams back its review, which is captured and saved as a Markdown report.
The solution is packaged as containers. This makes it easy to distribute and run across multiple teams and pipelines without depending on direct access to the source code. In this implementation, Azure Container Registry (ACR) is used to host the images so they are accessible from Azure DevOps. This keeps the images private, close to your Azure DevOps build agents, and benefits from ACR’s built-in security features like image signing and vulnerability scanning. Access to ACR is handled through a Docker service connection backed by a Managed Identity using federated credentials, with the required AcrPull RBAC permissions.
The GitHub Copilot SDK Container
This container packages the GitHub Copilot CLI running in headless (server) mode. It also includes all the tools the CLI is expected to use during execution. In this case, Node.js is installed to support the Azure DevOps MCP server, along with Git. The container is intentionally extensible. If you fork the project, you can add or remove tools depending on what you want the agent to be able to do during pull request reviews.
The Agent Container
The Agent container is responsible for orchestrating everything. It uses the GitHub Copilot SDK to create a client and pass instructions and tool definitions to the Copilot CLI. This is where MCP tools are defined and wired up, and where the agent’s setup occurs.
Azure DevOps Pipeline Integration
This is where things get really exciting. The agent can be set up to run as a build validation policy on pull requests. The included Azure DevOps pipeline definition does the following:
- Spins up the Copilot CLI as a background sidecar container (pulled from ACR).
- Runs the PR Agent container (also pulled from ACR) against the triggering pull request, using $(System.PullRequest.PullRequestId) and $(System.AccessToken) so no extra tokens are needed.
- Posts the review as a PR comment thread via the Azure DevOps REST API, so the review shows up right in the PR conversation.
- Publishes the review as a pipeline artifact for archival.
- Cleans up the sidecar container.
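The "posts the review as a PR comment thread" step, sketched as an added example (not the project's own pipeline code). It builds the Azure DevOps REST request without sending it, and because the review is model output derived from untrusted PR content, it strips the job token from the text before it becomes a comment. Assumptions: the dev.azure.com host, api-version 7.1, the 150,000-character cap, and the function name `build_thread_request`.

```python
import json
import re
import urllib.parse
import urllib.request

API_VERSION = "7.1"          # assumption: an api-version that supports PR threads
MAX_COMMENT_CHARS = 150_000  # assumption: conservative cap on comment length


def _seg(value):
    """Percent-encode one URL path segment (spaces and slashes included)."""
    return urllib.parse.quote(value, safe="")


def build_thread_request(org, project, repo, pr_id, token, review_md):
    """Return the urllib Request that creates a PR comment thread (not sent)."""
    # The PR id is interpolated into the URL path, so accept ASCII digits only.
    if not re.fullmatch(r"[0-9]+", str(pr_id)):
        raise ValueError(f"pull request id is not numeric: {pr_id!r}")
    if not token:
        raise ValueError("empty access token")
    # The agent container received this token; make sure the model's report
    # cannot echo it into a comment that every PR reader can see.
    body = review_md.replace(token, "***")
    if len(body) > MAX_COMMENT_CHARS:
        body = body[:MAX_COMMENT_CHARS] + "\n\n_[truncated; see pipeline artifact]_"
    url = (f"https://dev.azure.com/{_seg(org)}/{_seg(project)}/_apis/git/"
           f"repositories/{_seg(repo)}/pullRequests/{pr_id}/threads"
           f"?api-version={API_VERSION}")
    payload = {
        # commentType 1 = text, status 1 = active thread
        "comments": [{"parentCommentId": 0, "content": body, "commentType": 1}],
        "status": 1,
    }
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )


if __name__ == "__main__":
    # Constructed sample values; in the pipeline these come from
    # $(System.PullRequest.PullRequestId), $(System.AccessToken) and the report.
    req = build_thread_request("contoso", "Web Shop", "api", "42",
                               "constructed-token-123",
                               "## Review\nLeaked: constructed-token-123\n")
    print(req.get_method(), req.full_url)
    print(json.loads(req.data)["comments"][0]["content"])
```

Passing the returned object to `urllib.request.urlopen` sends it; the build identity behind `$(System.AccessToken)` needs permission to contribute to pull requests on the repository for the call to succeed.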
To enable this, you simply add the pipeline as a Build Validation policy on your branch (Repos > Branches > Branch Policies > Build Validation). From that point on, every pull request automatically gets an AI-powered code review. No manual intervention required!
The Review Prompt: Where the Magic Happens
The heart of the review quality lives in pullreview.prompt. This carefully crafted system prompt tells the AI to:
- Act as a senior staff/principal engineer performing adversarial code review.
- Follow a mandatory review checklist covering security (injection vectors, auth/authz, secrets, crypto, deserialization), performance (hot paths, I/O, memory, concurrency), and maintainability (APIs, naming, configuration, testability).
- Produce structured output with a summary, severity-tagged findings, evidence, risk explanations, and concrete fix proposals.
- Think in multiple passes, first understanding intent, then mapping trust boundaries, then checking correctness, and finally ensuring coherence.
The result is a review that’s thorough, actionable, and consistently high-quality.
Why This Matters
Code reviews are one of the most valuable practices in software engineering, but they’re also one of the biggest bottlenecks. Senior engineers spend hours reviewing PRs, and even the best reviewers can miss subtle security issues or performance pitfalls when they’re tired or context-switching (yes it happens to the best of us, including myself).
The ADO Pull Request Agent doesn’t replace human reviewers. It augments them. It catches the things humans might miss, provides a consistent baseline of review quality, and frees up senior engineers to focus on the architectural and design-level feedback that truly requires human judgment. And because it runs automatically as a build validation policy, every single PR gets reviewed, no exceptions, no delays.
In conclusion
The ADO Pull Request Agent is a great example of how the GitHub Copilot SDK, MCP servers, and Azure DevOps can work together to bring AI-powered automation to your development workflow. With the pieces contained in container images and a ready-to-go Azure DevOps pipeline, you can go from zero to automated AI code reviews hero in a matter of minutes.
