Installation
Before using CodeAnt CI Scan in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:
- Go to the CodeAnt AI Extension on the Azure DevOps Marketplace
- Click Get it free
- Select your Azure DevOps organization
- Click Install
Once installed, the CodeAntCIScan@1 task will be available in all pipelines across your organization.
Video Tutorial
Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines: [video: Azure Pipelines Workflow]
Repository Scenarios
CodeAnt CI Scan supports multiple repository configurations in Azure DevOps:
| Scenario | Repository Location | Pipeline Location | Configuration |
|---|---|---|---|
| Scenario 1 | Azure Repos | Azure DevOps | Auto-detected (default) |
| Scenario 2 | Azure Repos (TFS / Azure DevOps Server – on-prem) | Azure DevOps Server (TFS) | Requires explicit service, repo, commitId, and baseUrl inputs |
| Scenario 3 | GitHub | Azure DevOps | Requires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available. |
| Scenario 4 | GitLab | Azure DevOps | Requires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available. |
| Scenario 5 | Bitbucket | Azure DevOps | Requires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available. |
Scenario 1: Azure Repos + Azure DevOps Pipeline
When your repository is hosted in Azure Repos, the task automatically detects all required information from Azure DevOps environment variables.
```yaml
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    displayName: 'CodeAnt CI Scan'
```
Note: No additional configuration is needed. The task reads these Azure DevOps built-in variables:
- SYSTEM_TEAMPROJECT - Project name
- BUILD_REPOSITORY_NAME - Repository name
- BUILD_SOURCEVERSION - Commit SHA
Scenario 2: Azure Repos (TFS / Azure DevOps Server – on-prem) + Azure DevOps Server (TFS) Pipeline
When your repository is hosted in an on-premise Azure DevOps Server (formerly known as Team Foundation Server / TFS), you need to explicitly pass all required parameters including the base URL.
```yaml
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      service: 'azuredevops'
      repo: 'MyCollection/MyProject/MyRepository'
      commitId: '$(Build.SourceVersion)'
      baseUrl: 'https://tfs.example.com:8443/tfs'
    displayName: 'CodeAnt CI Scan'
```
Parameters for Azure DevOps Server (TFS)
| Parameter | Value | Description |
|---|---|---|
| service | azuredevops | Specifies Azure DevOps as the repository provider |
| repo | collection/project/repo | Repository in collection/project/repository-name format |
| commitId | $(Build.SourceVersion) | Commit SHA to analyze |
| baseUrl | https://tfs.example.com:8443/tfs | Base URL of your on-premises Azure DevOps Server / TFS instance |
Note: For on-premises Azure DevOps Server / TFS deployments, provide service, repo, commitId, and baseUrl explicitly, because the built-in variables the task uses for auto-detection may be named or populated differently than on Azure DevOps cloud. Always use an https:// baseUrl: the access token you pass to the task is used against that server.
Scenario 3: GitHub Repository + Azure DevOps Pipeline
When your repository is hosted on GitHub but your pipeline runs in Azure DevOps, you need to specify the service, repo, and commitId parameters.
```yaml
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN_GITHUB)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```
Parameters for GitHub
| Parameter | Value | Description |
|---|---|---|
| service | github | Specifies GitHub as the repository provider |
| repo | owner/repo | Repository in owner/repository-name format |
| commitId | $(Build.SourceVersion) | Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required. |
Scenario 4: GitLab Repository + Azure DevOps Pipeline
When your repository is hosted on GitLab but your pipeline runs in Azure DevOps:
```yaml
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN_GITLAB)
      service: 'gitlab'
      repo: 'mygroup/my-project'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```
Parameters for GitLab
| Parameter | Value | Description |
|---|---|---|
| service | gitlab | Specifies GitLab as the repository provider |
| repo | group/project | Repository in group/project-name or user/project-name format |
| commitId | $(Build.SourceVersion) | Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required. |
Scenario 5: Bitbucket Repository + Azure DevOps Pipeline
When your repository is hosted on Bitbucket but your pipeline runs in Azure DevOps:
```yaml
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(BITBUCKET_ACCESS_TOKEN)
      service: 'bitbucket'
      repo: 'myworkspace/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```
Parameters for Bitbucket
| Parameter | Value | Description |
|---|---|---|
| service | bitbucket | Specifies Bitbucket as the repository provider |
| repo | workspace/repo | Repository in workspace/repository-name format |
| commitId | $(Build.SourceVersion) | Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required. |
Task Parameters Reference
Required Parameters
| Parameter | Description |
|---|---|
| accessToken | Token for the provider that hosts the repository. The examples on this page pass it from a secret pipeline variable: AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN (Azure DevOps PAT), ACCESS_TOKEN_GITHUB (GitHub), ACCESS_TOKEN_GITLAB (GitLab), or BITBUCKET_ACCESS_TOKEN (Bitbucket). Grant it only the repository permissions the scan needs. |
Optional Parameters
| Parameter | Default | Description |
|---|---|---|
| service | azuredevops | Service type: github, gitlab, bitbucket, azuredevops |
| repo | (auto-detected) | Repository name: owner/repo for GitHub, GitLab, and Bitbucket; collection/project/repo for Azure DevOps Server (TFS) |
| commitId | (auto-detected) | Commit SHA to analyze |
| baseUrl | (not set) | Base URL of an on-premises Azure DevOps Server / TFS instance (Scenario 2 only) |
| apiBase | (not set; CodeAnt cloud) | API endpoint of a self-hosted CodeAnt instance; see On-Premise Deployment below |
| scanners | sast,sca | Comma-separated list of scanners to run |
| includePaths | (empty) | Comma-separated paths to include in the scan |
| excludePaths | (empty) | Comma-separated paths to exclude from the scan |
| timeout | 300 | Maximum time to wait for scan results (seconds); only applies when noWait is false |
| pollInterval | 15 | Time between polling attempts (seconds) |
| noWait | false | Skip waiting for results and return immediately after the scan is triggered |
Available Scanners
| Scanner | Description |
|---|---|
| sast | Static Application Security Testing - identifies code vulnerabilities |
| sca | Software Composition Analysis - detects dependency vulnerabilities |
| secrets | Secret detection for API keys, passwords, and tokens |
| antipatterns | Code quality and duplicate code detection |
| iac | Infrastructure as Code security scanning (Terraform, CloudFormation, etc.) |
| all | Runs all available scanners |
Examples:
- scanners: 'all' - Run all scanners for comprehensive analysis
- scanners: 'sast,secrets' - Run only SAST and secrets detection
- scanners: 'sast,sca,secrets,iac' - Run a complete security suite
Note: secrets, antipatterns, and iac are not part of the default sast,sca set; list them explicitly (or use all) if you want them to run.
How it works
- Setup environment: the task extracts repository information from the user-provided inputs or, where those are absent, from the Azure DevOps built-in variables.
- Download script: the task fetches the CI scan script from the CodeAnt API endpoint at run time. That endpoint (the CodeAnt cloud API, or the apiBase you configure for a self-hosted instance) is therefore part of your pipeline's trust boundary: it must be reachable only over HTTPS and, for self-hosted instances, be a host you control.
- Trigger scan: the script initiates a CI scan for your commit and, unless noWait is set, polls for the results until they arrive or the timeout elapses.
- Pipeline feedback:
  - Success: the scan completes successfully (or is triggered in no-wait mode)
  - Failure: the scan fails or detects critical issues, which fails the build
In no-wait mode the task succeeds as soon as the scan is triggered, so critical findings cannot fail that build; review them in the CodeAnt dashboard instead.
Execution Time Considerations
⏱️ Performance Options:
- With result waiting (default): ~7 minutes
  - Triggers the scan and waits for the complete analysis results
  - Includes both security and SCA (Software Composition Analysis) results
  - Best for CI/CD pipelines where you need immediate feedback and want critical findings to fail the build
- With noWait: 'true': ~2 minutes
  - Only triggers the scan and returns immediately
  - Results can be fetched later or viewed in the CodeAnt dashboard
  - Ideal for faster CI runs or when results can be processed asynchronously
Note: the default timeout is 300 seconds (5 minutes), which is shorter than the ~7 minute figure above for a full analysis. When waiting for results, set timeout explicitly (for example timeout: '600') so that a normal scan is not reported as timed out.
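The interaction between timeout, pollInterval and noWait described above, shown as an added example (not CodeAnt's task code): a deadline-bounded polling loop run against a simulated backend so it executes offline. The status payload shape, the fetch_status callback, the one-second cost per status request and the fail-closed-on-timeout default are assumptions made for this illustration.

```python
"""Deadline-bounded polling loop showing how timeout, pollInterval and noWait
interact. Added example, not CodeAnt's task code; the status payload, the
fetch_status callback and the fail-closed default are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class ScanOutcome:
    status: str              # "triggered" | "passed" | "failed" | "timeout"
    build_should_fail: bool  # what the task would report to the pipeline
    elapsed: float           # seconds spent waiting
    polls: int               # status requests made


def wait_for_scan(
    fetch_status: Callable[[], Dict],
    *,
    timeout: int = 300,            # page default
    poll_interval: int = 15,       # page default
    no_wait: bool = False,
    fail_on_timeout: bool = True,  # assumption: a timed-out gate fails closed
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> ScanOutcome:
    """Poll until the scan completes or the deadline is reached.

    The loop never sleeps past the deadline: if the next poll would land
    after `timeout` seconds, it stops and reports a timeout instead."""
    if no_wait:
        # The scan was already triggered by the caller; nothing to wait for.
        return ScanOutcome("triggered", False, 0.0, 0)
    start = clock()
    polls = 0
    while True:
        polls += 1
        result = fetch_status()
        elapsed = clock() - start
        if result.get("state") == "completed":
            critical = int(result.get("critical_issues", 0))
            return ScanOutcome("failed" if critical else "passed", critical > 0, elapsed, polls)
        if elapsed + poll_interval > timeout:
            return ScanOutcome("timeout", fail_on_timeout, elapsed, polls)
        sleep(poll_interval)


class SimulatedBackend:
    """Constructed stand-in for the CodeAnt API: a fake clock plus a scan
    that completes after `scan_duration` seconds of simulated time."""

    def __init__(self, scan_duration: float, critical_issues: int = 0):
        self.now = 0.0
        self.scan_duration = scan_duration
        self.critical_issues = critical_issues

    def clock(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def fetch_status(self) -> Dict:
        self.now += 1.0  # each status request costs one simulated second
        if self.now >= self.scan_duration:
            return {"state": "completed", "critical_issues": self.critical_issues}
        return {"state": "running"}


def simulate(scan_duration: float, critical_issues: int = 0, **options) -> ScanOutcome:
    """Run wait_for_scan against the simulated backend with the given task options."""
    backend = SimulatedBackend(scan_duration, critical_issues)
    return wait_for_scan(backend.fetch_status, clock=backend.clock,
                         sleep=backend.sleep, **options)


if __name__ == "__main__":
    # A ~7 minute scan against the page defaults times out; raising timeout fixes it.
    print(simulate(420))
    print(simulate(420, timeout=600))
    print(simulate(420, critical_issues=2, timeout=600))
    print(simulate(420, no_wait=True))
```

With the page defaults (timeout 300, pollInterval 15) a 420-second scan is reported as a timeout after 19 polls; with timeout 600 the same scan completes on the 28th poll. The no-wait path returns before the first poll, which is why it can never fail the build on findings.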
Example Configurations
Fast CI Mode (No Wait)
For quick pipeline runs where you don’t need immediate results:
```yaml
steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Fast Mode)'
```
Comprehensive Analysis (Wait for Results)
For thorough analysis with all scanner types:
```yaml
steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      timeout: '600'
      pollInterval: '20'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Full Results)'
```
Custom File Filtering with Security Focus
To scan only specific files with targeted security checks:
```yaml
steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      includePaths: 'src/**/*.{js,ts}'
      excludePaths: '**/node_modules/**,**/dist/**,**/test/**'
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Security Focused)'
```
External Repository with Custom Commit
When you need to specify a particular commit for an external repository:
```yaml
steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      # Use the token for the provider that hosts the repository (see Scenario 3),
      # not the Azure DevOps PAT.
      accessToken: $(ACCESS_TOKEN_GITHUB)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan (GitHub)'
```
Branch-Specific Configuration
Run different scan modes and scanners based on the branch:
```yaml
steps:
  - checkout: self
  # Fast mode for feature branches.
  # A custom condition replaces the implicit succeeded() check, so keep it
  # explicit; otherwise the scan also runs after an earlier step has failed.
  - task: CodeAntCIScan@1
    condition: and(succeeded(), ne(variables['Build.SourceBranch'], 'refs/heads/main'))
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Feature Branch - Fast)'
  # Full analysis for main branch
  - task: CodeAntCIScan@1
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      timeout: '600'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Main Branch - Full)'
```
Best Practices
- Use fast mode for PRs: set noWait: 'true' for pull request pipelines to keep them fast
- Full analysis for main: wait for results on main/master branch merges so that critical findings fail the build
- Customize scanners: use scanners: 'all' for comprehensive coverage, or a specific combination such as scanners: 'sast,secrets' for targeted checks
- Default scanners: the default configuration (sast,sca) balances coverage and execution time; secrets and iac must be requested explicitly
- Adjust timeouts: increase timeout for larger repositories that take longer to analyze; the default of 300 seconds is shorter than the ~7 minute full-analysis figure above
- File filtering: use include/exclude patterns to focus analysis on relevant code, keeping exclusions to generated and vendored paths so real code is not silently skipped
- Keep tokens secure: store tokens as secret Pipeline Variables or in Variable Groups, never as literals in YAML, and grant each token only the permissions the scan needs
- Monitor performance: track scan times and optimize based on your repository size
Troubleshooting
Task not found
If you see “Task ‘codeant-ci-scan’ not found”:
- Ensure the CodeAnt extension is installed in your Azure DevOps organization
- Go to Organization Settings → Extensions to verify installation
- Check that the extension is enabled for your project
Scan times out
If the scan takes longer than expected:
- Increase the timeout, for example timeout: '600' (10 minutes) or higher; the default is 300 seconds
- Check if the CodeAnt service is operational
- Consider using noWait: 'true' for faster pipeline execution, bearing in mind that the build then cannot fail on scan findings
- Review your network connectivity to the CodeAnt API
Authentication failures
If you see “Access token invalid” or “AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN is required”:
- Verify that the AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN variable (or the provider-specific token variable you use) is defined in Pipeline Variables or a Variable Group and passed to the task's accessToken input
- Ensure the token has the repository permissions the scan needs
- Check that the variable is marked as secret; a secret variable is still available to the accessToken input through $(VAR) macro syntax even though it is not mapped into the environment automatically
- Verify the token hasn’t expired
No results returned
If the scan completes but returns no results:
- Check that CI scanning is enabled for your repository in CodeAnt
- Verify the commit SHA is correct
- Ensure your Azure DevOps organization has proper integration with CodeAnt
- Check the CodeAnt dashboard to see if the scan was registered
Repository format errors
If you see “Invalid repository format” or “Required Azure DevOps variables not found”:
- For Azure Repos: verify that BUILD_REPOSITORY_NAME, BUILD_SOURCEVERSION, and SYSTEM_TEAMPROJECT are available to the task
- For external repos: ensure you’ve provided both the service and repo inputs
- Check the expected format: owner/repo for GitHub/GitLab/Bitbucket, collection/project/repo for Azure DevOps Server (TFS)
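The input resolution that the "Setup environment" step and the two errors above describe, written out as an added example (not the CodeAnt task's own code): explicit inputs win, Azure Repos falls back to the built-in variables, external providers need service and repo, and an explicit Azure Repos target is treated as the on-prem scenario that needs baseUrl. The error strings mirror the ones quoted on this page; the exact resolution order, the accepted number of repo path segments per provider, the SHA check and the https-only check on baseUrl are assumptions added here.

```python
"""Resolve the scan target from task inputs and Azure DevOps variables.
Added example, not CodeAnt's task code; resolution order, segment counts,
the SHA check and the https-only baseUrl check are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

SHA_RE = re.compile(r"^[0-9a-fA-F]{7,40}$")
BUILTIN_VARS = ("SYSTEM_TEAMPROJECT", "BUILD_REPOSITORY_NAME", "BUILD_SOURCEVERSION")

# Accepted (min, max) number of '/'-separated segments in `repo`, per service.
# github/bitbucket use owner/repo; gitlab may nest groups; azuredevops is
# project/repo when auto-detected in the cloud and collection/project/repo
# for on-prem servers.
REPO_SEGMENTS = {
    "github": (2, 2),
    "bitbucket": (2, 2),
    "gitlab": (2, None),
    "azuredevops": (2, 3),
}


@dataclass(frozen=True)
class ScanTarget:
    service: str
    repo: str
    commit_id: str
    base_url: Optional[str] = None


def _check_repo(service: str, repo: str) -> None:
    parts = repo.strip("/").split("/")
    lo, hi = REPO_SEGMENTS[service]
    ok = all(parts) and len(parts) >= lo and (hi is None or len(parts) <= hi)
    if not ok:
        raise ValueError(f"Invalid repository format for {service}: {repo!r}")


def resolve_target(inputs: dict, env: dict) -> ScanTarget:
    """Merge explicit task inputs (accessToken, service, repo, commitId,
    baseUrl) with the agent environment; explicit inputs take precedence."""
    if not inputs.get("accessToken"):
        raise ValueError("AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN is required")
    service = (inputs.get("service") or "azuredevops").lower()
    if service not in REPO_SEGMENTS:
        raise ValueError(f"Unsupported service: {service!r}")

    repo = inputs.get("repo")
    base_url = inputs.get("baseUrl")
    if repo is None:
        if service != "azuredevops":
            raise ValueError("service and repo inputs are required for external repositories")
        # Scenario 1: derive the repository from the built-in variables.
        missing = [v for v in BUILTIN_VARS if not env.get(v)]
        if missing:
            raise ValueError("Required Azure DevOps variables not found: " + ", ".join(missing))
        repo = f"{env['SYSTEM_TEAMPROJECT']}/{env['BUILD_REPOSITORY_NAME']}"
    elif service == "azuredevops" and not base_url:
        # An explicit Azure Repos target is the on-prem scenario; it needs baseUrl.
        raise ValueError("baseUrl is required for Azure DevOps Server (TFS) repositories")
    _check_repo(service, repo)

    if base_url is not None:
        # The access token is used against this host, so refuse plaintext endpoints.
        if not base_url.lower().startswith("https://"):
            raise ValueError("baseUrl must use https://")
        base_url = base_url.rstrip("/")

    commit_id = inputs.get("commitId") or env.get("BUILD_SOURCEVERSION")
    if not commit_id:
        raise ValueError("commitId is required when BUILD_SOURCEVERSION is not set")
    if not SHA_RE.match(commit_id):
        raise ValueError(f"commitId is not a commit SHA: {commit_id!r}")
    return ScanTarget(service, repo, commit_id, base_url)


def resolve_error(inputs: dict, env: dict) -> Optional[str]:
    """Return the rejection message for bad inputs, or None when they resolve."""
    try:
        resolve_target(inputs, env)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed environment for a Scenario 1 (Azure Repos) build.
    cloud_env = {"SYSTEM_TEAMPROJECT": "MyProject", "BUILD_REPOSITORY_NAME": "MyRepo",
                 "BUILD_SOURCEVERSION": "0123456789abcdef0123456789abcdef01234567"}
    print(resolve_target({"accessToken": "pat"}, cloud_env))
    print(resolve_error({"accessToken": "pat", "service": "github", "repo": "myorg"}, cloud_env))
```

Running it against a constructed Scenario 1 environment yields an azuredevops target of MyProject/MyRepo at the build's commit, while a GitHub repo given as a bare owner is rejected with the format error before any network call is made.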
External repository not working
If scanning an external repository (GitHub, GitLab, Bitbucket) fails:
- Ensure you’ve specified the correct service value (github, gitlab, or bitbucket)
- Verify the repo format matches the expected pattern for your service
- Check that your access token has permissions for the external repository
Windows compatibility issues
If running on Windows agents:
- Ensure Git Bash or WSL is available on the agent
- The task automatically detects Windows and uses bash for script execution
- Consider using Linux agents (ubuntu-latest) for best compatibility
Advanced Configuration
Parallel Jobs
Run scans in parallel for different directories:
```yaml
jobs:
  - job: ScanBackend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
          includePaths: 'backend/**'
        displayName: 'Scan Backend'

  - job: ScanFrontend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
          includePaths: 'frontend/**'
        displayName: 'Scan Frontend'
```
Windows Runner Configuration
If you’re using a Windows agent (windows-latest) instead of a Linux agent, make the following changes:
Changes Required
- Update the pool configuration:
```yaml
pool:
  vmImage: 'windows-latest'  # Change from 'ubuntu-latest'
```
- Add the environment variable (recommended):
```yaml
- task: CodeAntCIScan@1
  displayName: 'CodeAnt CI Scan'
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
  env:
    PYTHONIOENCODING: 'utf-8'  # Add this for proper encoding
```
Key Differences
| Configuration | Linux Agent | Windows Agent |
|---|---|---|
| Pool Image | vmImage: 'ubuntu-latest' | vmImage: 'windows-latest' |
| Environment Variable | Not required | Add env: PYTHONIOENCODING: 'utf-8' |
On-Premise Deployment
If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the apiBase parameter:
```yaml
steps:
  - checkout: self
  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      apiBase: 'https://your-codeant-instance.example.com'
    displayName: 'CodeAnt CI Scan (On-Premise)'
```
Note: The apiBase parameter is only required for on-premise deployments; cloud users do not need to configure it. Because the task downloads its scan script from this endpoint and presents your access token to it, point apiBase only at an https:// host you control.
With CodeAnt CI Scan in place, every push will automatically trigger a comprehensive code analysis, helping you maintain high code quality and security standards—whether your repository is hosted in Azure Repos, GitHub, GitLab, or Bitbucket.