Azure Pipelines - CodeAnt AI

Installation

Before using CodeAnt CI Scan in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:

Go to the CodeAnt AI Extension on the Azure DevOps Marketplace
Click Get it free
Select your Azure DevOps organization
Click Install

Once installed, the CodeAntCIScan@1 task will be available in all pipelines across your organization.

Repository Scenarios

CodeAnt CI Scan supports multiple repository configurations in Azure DevOps:

Video Tutorial

Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines:

Azure Pipelines Workflow

Scenario	Repository Location	Pipeline Location	Configuration
Scenario 1	Azure Repos	Azure DevOps	Auto-detected (default)
Scenario 2	GitHub	Azure DevOps	Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available.
Scenario 3	GitLab	Azure DevOps	Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available.
Scenario 4	Bitbucket	Azure DevOps	Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available.

Scenario 1: Azure Repos + Azure DevOps Pipeline

When your repository is hosted in Azure Repos, the task automatically detects all required information from Azure DevOps environment variables.

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
    displayName: 'CodeAnt CI Scan'

Note: No additional configuration needed. The task automatically extracts information from these Azure DevOps built-in variables:

SYSTEM_TEAMPROJECT - Project name

BUILD_REPOSITORY_NAME - Repository name

BUILD_SOURCEVERSION - Commit SHA

Scenario 2: GitHub Repository + Azure DevOps Pipeline

When your repository is hosted on GitHub but your pipeline runs in Azure DevOps, you need to specify the service, repo, and commitId parameters.

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for GitHub

Parameter	Value	Description
`service`	`github`	Specifies GitHub as the repository provider
`repo`	`owner/repo`	Repository in `owner/repository-name` format
`commitId`	`$(Build.SourceVersion)`	Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required.

Scenario 3: GitLab Repository + Azure DevOps Pipeline

When your repository is hosted on GitLab but your pipeline runs in Azure DevOps:

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      service: 'gitlab'
      repo: 'mygroup/my-project'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for GitLab

Parameter	Value	Description
`service`	`gitlab`	Specifies GitLab as the repository provider
`repo`	`group/project`	Repository in `group/project-name` or `user/project-name` format
`commitId`	`$(Build.SourceVersion)`	Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required.

Scenario 4: Bitbucket Repository + Azure DevOps Pipeline

When your repository is hosted on Bitbucket but your pipeline runs in Azure DevOps:

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      service: 'bitbucket'
      repo: 'myworkspace/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'

Parameters for Bitbucket

Parameter	Value	Description
`service`	`bitbucket`	Specifies Bitbucket as the repository provider
`repo`	`workspace/repo`	Repository in `workspace/repository-name` format
`commitId`	`$(Build.SourceVersion)`	Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required.

Task Parameters Reference

Required Parameters

Parameter	Description
`accessToken`	CodeAnt access token (PAT or repository token)

Optional Parameters

Parameter	Default	Description
`service`	`azuredevops`	Service type: `github`, `gitlab`, `bitbucket`, `azuredevops`
`repo`	(auto-detected)	Repository name in `owner/repo` format
`commitId`	(auto-detected)	Commit SHA to analyze
`scanners`	`sast,sca`	Comma-separated list of scanners to run
`includePaths`	(empty)	Comma-separated paths to include in scan
`excludePaths`	(empty)	Comma-separated paths to exclude from scan
`timeout`	`300`	Maximum time to wait for scan results (seconds)
`pollInterval`	`15`	Time between polling attempts (seconds)
`noWait`	`false`	Skip waiting for results and return immediately

Available Scanners

Scanner	Description
`sast`	Static Application Security Testing - identifies code vulnerabilities
`sca`	Software Composition Analysis - detects dependency vulnerabilities
`secrets`	Secret detection for API keys, passwords, and tokens
`antipatterns`	Code quality and duplicate code detection
`iac`	Infrastructure as Code security scanning (Terraform, CloudFormation, etc.)
`all`	Runs all available scanners

Examples:

scanners: 'all' - Run all scanners for comprehensive analysis
scanners: 'sast,secrets' - Run only SAST and secrets detection
scanners: 'sast,sca,secrets,iac' - Run a complete security suite

How it works

Setup environment The task extracts repository information either from user-provided inputs or Azure DevOps built-in variables.
Download script The task fetches the CI scan script from the CodeAnt API endpoint.
Trigger scan The script initiates a CI scan for your commit, optionally waiting for results based on the noWait parameter.
Pipeline feedback
- Success: Scan completes successfully (or is triggered in no-wait mode)
- Failure: Scan fails or detects critical issues, blocking the build

Execution Time Considerations

⏱️ Performance Options:

With result waiting (default): ~7 minutes
- Triggers scan and waits for complete analysis results
- Includes both security and SCA (Software Composition Analysis) results
- Best for comprehensive CI/CD pipelines where you need immediate feedback
With noWait: 'true': ~2 minutes
- Only triggers the scan and returns immediately
- Results can be fetched later or viewed in the CodeAnt dashboard
- Ideal for faster CI runs or when results can be processed asynchronously

Example Configurations

Fast CI Mode (No Wait)

For quick pipeline runs where you don’t need immediate results:

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Fast Mode)'

Comprehensive Analysis (Wait for Results)

For thorough analysis with all scanner types:

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      timeout: '600'
      pollInterval: '20'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Full Results)'

Custom File Filtering with Security Focus

To scan only specific files with targeted security checks:

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      includePaths: 'src/**/*.{js,ts}'
      excludePaths: '**/node_modules/**,**/dist/**,**/test/**'
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Security Focused)'

External Repository with Custom Commit

When you need to specify a particular commit for an external repository:

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan (GitHub)'

Branch-Specific Configuration

Run different scan modes and scanners based on the branch:

steps:
  - checkout: self

  # Fast mode for feature branches
  - task: CodeAntCIScan@1
    condition: ne(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Feature Branch - Fast)'

  # Full analysis for main branch
  - task: CodeAntCIScan@1
    condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(ACCESS_TOKEN)
      timeout: '600'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Main Branch - Full)'

Best Practices

Use fast mode for PRs: Set noWait: 'true' for pull request pipelines to keep them fast
Full analysis for main: Use complete analysis (wait for results) on main/master branch merges
Customize scanners: Use scanners: 'all' for comprehensive coverage or specific combinations like scanners: 'sast,secrets' for targeted checks
Default scanners: The default configuration (sast,sca) provides a good balance between coverage and execution time
Adjust timeouts: Increase timeout for larger repositories that take longer to analyze
File filtering: Use include/exclude patterns to focus analysis on relevant code
Keep tokens secure: Always use Azure DevOps Variable Groups or Pipeline Variables for tokens
Monitor performance: Track scan times and optimize based on your repository size

Troubleshooting

Task not found

If you see “Task ‘codeant-ci-scan’ not found”:

Ensure the CodeAnt extension is installed in your Azure DevOps organization
Go to Organization Settings → Extensions to verify installation
Check that the extension is enabled for your project

Scan times out

If the scan takes longer than expected:

Increase the timeout using timeout: '600' (10 minutes) or higher
Check if the CodeAnt service is operational
Consider using noWait: 'true' for faster pipeline execution
Review your network connectivity to the CodeAnt API

Authentication failures

If you see “Access token invalid” or “ACCESS_TOKEN is required”:

Verify your ACCESS_TOKEN variable is correctly configured in Pipeline Variables or Variable Groups
Ensure the token has appropriate repository permissions
Check that the variable is marked as secret
Verify the token hasn’t expired

No results returned

If the scan completes but returns no results:

Check that CI scanning is enabled for your repository in CodeAnt
Verify the commit SHA is correct
Ensure your Azure DevOps organization has proper integration with CodeAnt
Check the CodeAnt dashboard to see if the scan was registered

Repository format issues

If you see “Invalid repository format” or “Required Azure DevOps variables not found”:

For Azure Repos: Verify BUILD_REPOSITORY_NAME, BUILD_SOURCEVERSION, and SYSTEM_TEAMPROJECT are available
For external repos: Ensure you’ve provided service and repo inputs
Check the expected format: owner/repo for GitHub/GitLab/Bitbucket

External repository not working

If scanning an external repository (GitHub, GitLab, Bitbucket) fails:

Ensure you’ve specified the correct service value (github, gitlab, or bitbucket)
Verify the repo format matches the expected pattern for your service
Check that your access token has permissions for the external repository

Windows compatibility issues

If running on Windows agents:

Ensure Git Bash or WSL is available on the agent
The task automatically detects Windows and uses bash for script execution
Consider using Linux agents (ubuntu-latest) for best compatibility

Advanced Configuration

Parallel Jobs

Run scans in parallel for different directories:

jobs:
  - job: ScanBackend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(ACCESS_TOKEN)
          includePaths: 'backend/**'
        displayName: 'Scan Backend'

  - job: ScanFrontend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(ACCESS_TOKEN)
          includePaths: 'frontend/**'
        displayName: 'Scan Frontend'

On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the apiBase parameter:

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      apiBase: 'https://your-codeant-instance.example.com'
    displayName: 'CodeAnt CI Scan (On-Premise)'

Note: The apiBase parameter is only required for on-premise deployments. Cloud users do not need to configure this.

With CodeAnt CI Scan in place, every push will automatically trigger a comprehensive code analysis, helping you maintain high code quality and security standards—whether your repository is hosted in Azure Repos, GitHub, GitLab, or Bitbucket.

Start Here

Setup

Pull Request Review

Scan center

Integrations

IDE

CLI

Rule Reference

Resources

​Installation

​Repository Scenarios

​Video Tutorial

​Azure Pipelines Workflow

​Scenario 1: Azure Repos + Azure DevOps Pipeline

​Scenario 2: GitHub Repository + Azure DevOps Pipeline

​Parameters for GitHub

​Scenario 3: GitLab Repository + Azure DevOps Pipeline

​Parameters for GitLab

​Scenario 4: Bitbucket Repository + Azure DevOps Pipeline

​Parameters for Bitbucket

​Task Parameters Reference

​Required Parameters

​Optional Parameters

​Available Scanners

​How it works

​Execution Time Considerations

​Example Configurations

​Fast CI Mode (No Wait)

​Comprehensive Analysis (Wait for Results)

​Custom File Filtering with Security Focus

​External Repository with Custom Commit

​Branch-Specific Configuration

​Best Practices

​Troubleshooting

​Task not found

​Scan times out

​Authentication failures

​No results returned

​Repository format issues

​External repository not working

​Windows compatibility issues

​Advanced Configuration

​Parallel Jobs

​On-Premise Deployment