Azure Pipelines

Azure Pipelines Workflow

Add the following to your azure-pipelines.yml. It will trigger on every push to your target branch and kick off a CodeAnt analysis scan:

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  
  - task: Bash@3
    displayName: 'Fetch CodeAnt scan script'
    inputs:
      targetType: 'inline'
      script: |
        export API_BASE="https://api.codeant.ai"
        curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
          --output start_scan.sh.b64
  
  - task: Bash@3
    displayName: 'Make script executable'
    inputs:
      targetType: 'inline'
      script: |
        base64 -d start_scan.sh.b64 > start_scan.sh
        chmod +x start_scan.sh
  
  - task: Bash@3
    displayName: 'Trigger CodeAnt analysis'
    inputs:
      targetType: 'inline'
      script: |
        ORG=$(echo "$SYSTEM_COLLECTIONURI" | sed -E 's|https://dev.azure.com/([^/]+)/|\1|')
        PROJECT="$SYSTEM_TEAMPROJECT"
        REPO="$BUILD_REPOSITORY_NAME"
        FULL_REPO="${ORG}/${PROJECT}/${REPO}"
        
        bash start_scan.sh \
          -a "$ACCESS_TOKEN" \
          -r "$FULL_REPO" \
          -c "$(Build.SourceVersion)" \
          -b "$(Build.SourceBranchName)" \
          -s azuredevops \
          -i "" \
          -e ""
    env:
      ACCESS_TOKEN: $(ACCESS_TOKEN)

Script Parameters

The start_scan.sh script accepts the following parameters:

Required Parameters

Parameter	Flag	Description	Example
Access Token	`-a, --access-token`	Authentication token for CodeAnt API. Can be a Personal Access Token (PAT) or repository token	`$(ACCESS_TOKEN)`
Repository	`-r, --repo`	Repository name in `organization/project/repository` format	`myorg/myproject/myrepo`
Commit ID	`-c, --commit-id`	Git commit SHA to analyze	`$(Build.SourceVersion)`
Service	`-s, --service`	Git service provider	`azuredevops`, `github`, `gitlab`

Optional Parameters

Parameter	Flag	Default	Description
Branch	`-b, --branch`	(empty)	Branch name for the analysis	`main`, `develop`
Include Files	`-i, --include-files`	(empty)	Glob patterns for files to include in analysis	`"src/*/.js"`
Exclude Files	`-e, --exclude-files`	(empty)	Glob patterns for files to exclude from analysis	`"/test/"`
Polling Interval	`-p, --polling-interval`	`30`	Seconds between result polling attempts	`20`
Timeout	`-t, --timeout`	`300`	Maximum seconds to wait for results	`600`
No Wait	`-n, --no-wait`	`false`	Skip waiting for results, only trigger the scan	(flag only)

Execution Time Considerations

⏱️ Performance Options:

With result waiting (default): ~7 minutes
- Triggers scan and waits for complete analysis results
- Includes both security and SCA (Software Composition Analysis) results
- Best for comprehensive CI/CD pipelines where you need immediate feedback
With --no-wait flag: ~2 minutes
- Only triggers the scan and returns immediately
- Results can be fetched later or viewed in the CodeAnt dashboard
- Ideal for faster CI runs or when results can be processed asynchronously

Example Configurations

Fast CI Mode (No Wait)

- task: Bash@3
  displayName: 'Trigger CodeAnt analysis (Fast Mode)'
  inputs:
    targetType: 'inline'
    script: |
      export API_BASE="https://api.codeant.ai"
      curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
        --output start_scan.sh.b64
      base64 -d start_scan.sh.b64 > start_scan.sh
      chmod +x start_scan.sh
      
      ORG=$(echo "$SYSTEM_COLLECTIONURI" | sed -E 's|https://dev.azure.com/([^/]+)/|\1|')
      PROJECT="$SYSTEM_TEAMPROJECT"
      REPO="$BUILD_REPOSITORY_NAME"
      FULL_REPO="${ORG}/${PROJECT}/${REPO}"
      
      bash start_scan.sh \
        -a "$ACCESS_TOKEN" \
        -r "$FULL_REPO" \
        -c "$(Build.SourceVersion)" \
        -s azuredevops \
        -n  # Returns in ~2 minutes
  env:
    ACCESS_TOKEN: $(ACCESS_TOKEN)

Comprehensive Analysis (Wait for Results)

- task: Bash@3
  displayName: 'Trigger CodeAnt analysis (Full Results)'
  inputs:
    targetType: 'inline'
    script: |
      export API_BASE="https://api.codeant.ai"
      curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
        --output start_scan.sh.b64
      base64 -d start_scan.sh.b64 > start_scan.sh
      chmod +x start_scan.sh
      
      ORG=$(echo "$SYSTEM_COLLECTIONURI" | sed -E 's|https://dev.azure.com/([^/]+)/|\1|')
      PROJECT="$SYSTEM_TEAMPROJECT"
      REPO="$BUILD_REPOSITORY_NAME"
      FULL_REPO="${ORG}/${PROJECT}/${REPO}"
      
      bash start_scan.sh \
        -a "$ACCESS_TOKEN" \
        -r "$FULL_REPO" \
        -c "$(Build.SourceVersion)" \
        -s azuredevops \
        -b "$(Build.SourceBranchName)" \
        -p 20 \
        -t 600  # Wait up to 10 minutes
  env:
    ACCESS_TOKEN: $(ACCESS_TOKEN)

Custom File Filtering

- task: Bash@3
  displayName: 'Trigger CodeAnt analysis (Custom Files)'
  inputs:
    targetType: 'inline'
    script: |
      export API_BASE="https://api.codeant.ai"
      curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
        --output start_scan.sh.b64
      base64 -d start_scan.sh.b64 > start_scan.sh
      chmod +x start_scan.sh
      
      ORG=$(echo "$SYSTEM_COLLECTIONURI" | sed -E 's|https://dev.azure.com/([^/]+)/|\1|')
      PROJECT="$SYSTEM_TEAMPROJECT"
      REPO="$BUILD_REPOSITORY_NAME"
      FULL_REPO="${ORG}/${PROJECT}/${REPO}"
      
      bash start_scan.sh \
        -a "$ACCESS_TOKEN" \
        -r "$FULL_REPO" \
        -c "$(Build.SourceVersion)" \
        -s azuredevops \
        -i "src/**/*.{js,ts}" \
        -e "**/node_modules/**,**/dist/**" \
        -n
  env:
    ACCESS_TOKEN: $(ACCESS_TOKEN)

Tips:

Add an ACCESS_TOKEN secret variable in your Project → Pipelines → Library

Use --no-wait for PR checks to keep them fast, and full analysis for main branch merges

Adjust timeout based on your repository size - larger repos may need more time

File patterns support standard glob syntax for precise control over what gets analyzed

How it works

Download script We fetch a small Bash helper (start_scan.sh) from the CodeAnt CI endpoint.
Make it runnable Mark the script executable so you can invoke it directly.
Invoke the scan The script POSTs your repo, commit, and file-globs to /analysis/ci/scan, using your token for auth.
Pipeline feedback
- On success, you’ll see a parsed JSON response in the job log.
- On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.

With this in place, every push will automatically kick off a CodeAnt analysis run—and your CI status will reflect whether any HIGH-severity issues were detected.

Start Here

Setup

Pull Request Review

Scan center

Integrations

IDE

Rule Reference

Resources

Azure Pipelines Workflow

Script Parameters

Required Parameters

Optional Parameters

Execution Time Considerations

Example Configurations

Fast CI Mode (No Wait)

Comprehensive Analysis (Wait for Results)

Custom File Filtering

How it works

Start Here

Setup

Pull Request Review

Scan center

Integrations

IDE

Rule Reference

Resources

​Azure Pipelines Workflow

​Script Parameters

​Required Parameters

​Optional Parameters

​Execution Time Considerations

​Example Configurations

​Fast CI Mode (No Wait)

​Comprehensive Analysis (Wait for Results)

​Custom File Filtering

​How it works

Azure Pipelines Workflow

Script Parameters

Required Parameters

Optional Parameters

Execution Time Considerations

Example Configurations

Fast CI Mode (No Wait)

Comprehensive Analysis (Wait for Results)

Custom File Filtering

How it works