Skip to main content

Installation

Before using CodeAnt CI Scan in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:
  1. Go to the CodeAnt AI Extension on the Azure DevOps Marketplace
  2. Click Get it free
  3. Select your Azure DevOps organization
  4. Click Install
Once installed, the CodeAntCIScan@1 task will be available in all pipelines across your organization.

Repository Scenarios

CodeAnt CI Scan supports multiple repository configurations in Azure DevOps:

Video Tutorial

Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines:

Azure Pipelines Workflow

ScenarioRepository LocationPipeline LocationConfiguration
Scenario 1Azure ReposAzure DevOpsAuto-detected (default)
Scenario 2Azure Repos (TFS / Azure DevOps Server – on-prem)Azure DevOps Server (TFS)Requires explicit service, repo, commitId, and baseUrl inputs
Scenario 3GitHubAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.
Scenario 4GitLabAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.
Scenario 5BitbucketAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.

Scenario 1: Azure Repos + Azure DevOps Pipeline

When your repository is hosted in Azure Repos, the task automatically detects all required information from Azure DevOps environment variables. 
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
    displayName: 'CodeAnt CI Scan'
Note: No additional configuration needed. The task automatically extracts information from these Azure DevOps built-in variables:
  • SYSTEM_TEAMPROJECT - Project name
  • BUILD_REPOSITORY_NAME - Repository name
  • BUILD_SOURCEVERSION - Commit SHA

Scenario 2: Azure Repos (TFS / Azure DevOps Server – on-prem) + Azure DevOps Server (TFS) Pipeline

When your repository is hosted in an on-premise Azure DevOps Server (formerly known as Team Foundation Server / TFS), you need to explicitly pass all required parameters including the base URL. 
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      service: 'azuredevops'
      repo: 'MyCollection/MyProject/MyRepository'
      commitId: '$(Build.SourceVersion)'
      baseUrl: 'https://tfs.example.com:8443/tfs'
    displayName: 'CodeAnt CI Scan'

Parameters for Azure DevOps Server (TFS)

ParameterValueDescription
serviceazuredevopsSpecifies Azure DevOps as the repository provider
repocollection/project/repoRepository in collection/project/repository-name format
commitId$(Build.SourceVersion)Commit SHA to analyze
baseUrlhttps://tfs.example.com:8443/tfsBase URL of your on-premise Azure DevOps Server / TFS instance
Note: For on-premise Azure DevOps Server / TFS deployments, all parameters must be explicitly provided as environment variables may differ from Azure DevOps Cloud.

Scenario 3: GitHub Repository + Azure DevOps Pipeline

When your repository is hosted on GitHub but your pipeline runs in Azure DevOps, you need to specify the service, repo, and commitId parameters. 
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for GitHub

ParameterValueDescription
servicegithubSpecifies GitHub as the repository provider
repoowner/repoRepository in owner/repository-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Scenario 4: GitLab Repository + Azure DevOps Pipeline

When your repository is hosted on GitLab but your pipeline runs in Azure DevOps: 
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      service: 'gitlab'
      repo: 'mygroup/my-project'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for GitLab

ParameterValueDescription
servicegitlabSpecifies GitLab as the repository provider
repogroup/projectRepository in group/project-name or user/project-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Scenario 5: Bitbucket Repository + Azure DevOps Pipeline

When your repository is hosted on Bitbucket but your pipeline runs in Azure DevOps: 
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      service: 'bitbucket'
      repo: 'myworkspace/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for Bitbucket

ParameterValueDescription
servicebitbucketSpecifies Bitbucket as the repository provider
repoworkspace/repoRepository in workspace/repository-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Task Parameters Reference

Required Parameters

ParameterDescription
accessTokenCodeAnt API token (cdt_…) used to authenticate the scan — see API Tokens. The token must belong to the same provider and organization/workspace as the repository being scanned.

Optional Parameters

ParameterDefaultDescription
serviceazuredevopsService type: github, gitlab, bitbucket, azuredevops
repo(auto-detected)Repository name in owner/repo format
commitId(auto-detected)Commit SHA to analyze
scannerssast,scaComma-separated list of scanners to run
includePaths(empty)Comma-separated paths to include in scan
excludePaths(empty)Comma-separated paths to exclude from scan
timeout300Maximum time to wait for scan results (seconds)
pollInterval15Time between polling attempts (seconds)
noWaitfalseSkip waiting for results and return immediately
qualityGatefalseFail the pipeline if the whole-repo quality gate does not pass. Writes results.json, codeant.sarif, codeant-qg.xml

Quality Gate Enforcement

🚦 Block the pipeline on the whole-repository posture: Set qualityGate: true to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the entire repository against your thresholds and the task fails if the gate does not pass. This is the Checkmarx / SonarQube-style whole-repo gate, independent of the new-code/PR quality gate. Configure thresholds in Settings → Code Analysis → Quality Gates using the “(Full Code / CI Pipeline)” metrics (these run only in the pipeline, never on pull requests):
  • (Full Code / CI Pipeline) SAST Security Rating C
  • (Full Code / CI Pipeline) SCA Security Rating C
  • (Full Code / CI Pipeline) IaC Security Rating C
  • (Full Code / CI Pipeline) Duplicate Code Percentage > 30
Results group into three status checks: SAST (app security + IaC), SCA (dependencies), and SCR (duplicate code). 
- task: CodeAntCIScan@1
  inputs:
    accessToken: $(CODEANT_TOKEN)
    scanners: 'all'
    qualityGate: true
  displayName: 'CodeAnt Quality Gate'
- task: PublishTestResults@2
  condition: always()
  inputs:
    testResultsFiles: 'codeant-qg.xml'

Available Scanners

ScannerDescription
sastStatic Application Security Testing - identifies code vulnerabilities
scaSoftware Composition Analysis - detects dependency vulnerabilities
secretsSecret detection for API keys, passwords, and tokens
antipatternsCode quality and duplicate code detection
iacInfrastructure as Code security scanning (Terraform, CloudFormation, etc.)
allRuns all available scanners
Examples:
  • scanners: 'all' - Run all scanners for comprehensive analysis
  • scanners: 'sast,secrets' - Run only SAST and secrets detection
  • scanners: 'sast,sca,secrets,iac' - Run a complete security suite

How it works

  1. Setup environment The task extracts repository information either from user-provided inputs or Azure DevOps built-in variables.
  2. Download script The task fetches the CI scan script from the CodeAnt API endpoint.
  3. Trigger scan The script initiates a CI scan for your commit, optionally waiting for results based on the noWait parameter.
  4. Pipeline feedback
    • Success: Scan completes successfully (or is triggered in no-wait mode)
    • Failure: Scan fails or detects critical issues, blocking the build

Execution Time Considerations

⏱️ Performance Options:
  • With result waiting (default): ~7 minutes
    • Triggers scan and waits for complete analysis results
    • Includes both security and SCA (Software Composition Analysis) results
    • Best for comprehensive CI/CD pipelines where you need immediate feedback
  • With noWait: 'true': ~2 minutes
    • Only triggers the scan and returns immediately
    • Results can be fetched later or viewed in the CodeAnt dashboard
    • Ideal for faster CI runs or when results can be processed asynchronously

Example Configurations

Fast CI Mode (No Wait)

For quick pipeline runs where you don’t need immediate results: 
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Fast Mode)'

Comprehensive Analysis (Wait for Results)

For thorough analysis with all scanner types: 
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      timeout: '600'
      pollInterval: '20'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Full Results)'

Custom File Filtering with Security Focus

To scan only specific files with targeted security checks: 
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      includePaths: 'src/**/*.{js,ts}'
      excludePaths: '**/node_modules/**,**/dist/**,**/test/**'
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Security Focused)'

External Repository with Custom Commit

When you need to specify a particular commit for an external repository: 
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan (GitHub)'

Branch-Specific Configuration

Run different scan modes and scanners based on the branch: 
steps:
  - checkout: self

  # Fast mode for feature branches
  - task: CodeAntCIScan@1
    condition: ne(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(CODEANT_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Feature Branch - Fast)'

  # Full analysis for main branch
  - task: CodeAntCIScan@1
    condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(CODEANT_TOKEN)
      timeout: '600'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Main Branch - Full)'

Best Practices

  1. Use fast mode for PRs: Set noWait: 'true' for pull request pipelines to keep them fast
  2. Full analysis for main: Use complete analysis (wait for results) on main/master branch merges
  3. Customize scanners: Use scanners: 'all' for comprehensive coverage or specific combinations like scanners: 'sast,secrets' for targeted checks
  4. Default scanners: The default configuration (sast,sca) provides a good balance between coverage and execution time
  5. Adjust timeouts: Increase timeout for larger repositories that take longer to analyze
  6. File filtering: Use include/exclude patterns to focus analysis on relevant code
  7. Keep tokens secure: Always use Azure DevOps Variable Groups or Pipeline Variables for tokens
  8. Monitor performance: Track scan times and optimize based on your repository size

Troubleshooting

Task not found

If you see “Task ‘codeant-ci-scan’ not found”:
  • Ensure the CodeAnt extension is installed in your Azure DevOps organization
  • Go to Organization Settings → Extensions to verify installation
  • Check that the extension is enabled for your project

Scan times out

If the scan takes longer than expected:
  • Increase the timeout using timeout: '600' (10 minutes) or higher
  • Check if the CodeAnt service is operational
  • Consider using noWait: 'true' for faster pipeline execution
  • Review your network connectivity to the CodeAnt API

Authentication failures

If you see “Access token invalid” or “CODEANT_TOKEN is required”:
  • Verify your CODEANT_TOKEN variable holds a valid CodeAnt token (cdt_…) that hasn’t been revoked
  • Ensure the token belongs to the same organization as the repository
  • Check that the variable is marked as secret

No results returned

If the scan completes but returns no results:
  • Check that CI scanning is enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Azure DevOps organization has proper integration with CodeAnt
  • Check the CodeAnt dashboard to see if the scan was registered

Repository format issues

If you see “Invalid repository format” or “Required Azure DevOps variables not found”:
  • For Azure Repos: Verify BUILD_REPOSITORY_NAME, BUILD_SOURCEVERSION, and SYSTEM_TEAMPROJECT are available
  • For external repos: Ensure you’ve provided service and repo inputs
  • Check the expected format: owner/repo for GitHub/GitLab/Bitbucket

External repository not working

If scanning an external repository (GitHub, GitLab, Bitbucket) fails:
  • Ensure you’ve specified the correct service value (github, gitlab, or bitbucket)
  • Verify the repo format matches the expected pattern for your service
  • Check that your CodeAnt token belongs to the organization the external repository is connected to in CodeAnt

Windows compatibility issues

If running on Windows agents:
  • Ensure Git Bash or WSL is available on the agent
  • The task automatically detects Windows and uses bash for script execution
  • Consider using Linux agents (ubuntu-latest) for best compatibility

Advanced Configuration

Parallel Jobs

Run scans in parallel for different directories: 
jobs:
  - job: ScanBackend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(CODEANT_TOKEN)
          includePaths: 'backend/**'
        displayName: 'Scan Backend'

  - job: ScanFrontend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(CODEANT_TOKEN)
          includePaths: 'frontend/**'
        displayName: 'Scan Frontend'

Windows Runner Configuration

If you’re using Windows runner (windows-latest) instead of Linux runner, make the following changes:

Changes Required

  1. Update pool configuration:
pool:
  vmImage: 'windows-latest'  # Change from 'ubuntu-latest'
  1. Add environment variable (recommended):
- task: CodeAntCIScan@1
  displayName: 'CodeAnt CI Scan'
  inputs:
    accessToken: $(CODEANT_TOKEN)
  env:
    PYTHONIOENCODING: 'utf-8'  # Add this for proper encoding

Key Differences

ConfigurationLinux RunnerWindows Runner
Pool ImagevmImage: 'ubuntu-latest'vmImage: 'windows-latest'
Environment VariableNot requiredAdd env: PYTHONIOENCODING: 'utf-8'

On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the apiBase parameter: 
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(CODEANT_TOKEN)
      apiBase: 'https://your-codeant-instance.example.com'
    displayName: 'CodeAnt CI Scan (On-Premise)'
Note: The apiBase parameter is only required for on-premise deployments. Cloud users do not need to configure this.
With CodeAnt CI Scan in place, every push will automatically trigger a comprehensive code analysis, helping you maintain high code quality and security standards—whether your repository is hosted in Azure Repos, GitHub, GitLab, or Bitbucket.