
# Azure Pipelines

> Set up Azure Pipelines workflow for CodeAnt CI scan.

## Installation

Before using CodeAnt CI Scan in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:

1. Go to the [CodeAnt AI Extension](https://marketplace.visualstudio.com/items?itemName=codeantai.codeant-azure-devops-extension) on the Azure DevOps Marketplace
2. Click **Get it free**
3. Select your Azure DevOps organization
4. Click **Install**

Once installed, the `CodeAntCIScan@1` task will be available in all pipelines across your organization.

***

## Video Tutorial

Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines:

<iframe src="https://www.tella.tv/video/integrate-code-ai-into-ci-cd-pipelines-1rev/embed" width="100%" height="400" frameBorder="0" allowFullScreen />

***

## Repository Scenarios

CodeAnt CI Scan supports multiple repository configurations in Azure DevOps:

| Scenario       | Repository Location                               | Pipeline Location         | Configuration                                                                                           |
| -------------- | ------------------------------------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------- |
| **Scenario 1** | Azure Repos                                       | Azure DevOps              | Auto-detected (default)                                                                                 |
| **Scenario 2** | Azure Repos (TFS / Azure DevOps Server – on-prem) | Azure DevOps Server (TFS) | Requires explicit `service`, `repo`, `commitId`, and `baseUrl` inputs                                   |
| **Scenario 3** | GitHub                                            | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |
| **Scenario 4** | GitLab                                            | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |
| **Scenario 5** | Bitbucket                                         | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |

***

## Scenario 1: Azure Repos + Azure DevOps Pipeline

When your repository is hosted in Azure Repos, the task automatically detects all required information from Azure DevOps environment variables.

```yaml theme={null}
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    displayName: 'CodeAnt CI Scan'
```

> **Note:** No additional configuration needed. The task automatically extracts information from these Azure DevOps built-in variables:
>
> * `SYSTEM_TEAMPROJECT` - Project name
> * `BUILD_REPOSITORY_NAME` - Repository name
> * `BUILD_SOURCEVERSION` - Commit SHA

***

## Scenario 2: Azure Repos (TFS / Azure DevOps Server – on-prem) + Azure DevOps Server (TFS) Pipeline

When your repository is hosted in an on-premise Azure DevOps Server (formerly known as Team Foundation Server / TFS), you need to explicitly pass all required parameters including the base URL.

```yaml theme={null}
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      service: 'azuredevops'
      repo: 'MyCollection/MyProject/MyRepository'
      commitId: '$(Build.SourceVersion)'
      baseUrl: 'https://tfs.example.com:8443/tfs'
    displayName: 'CodeAnt CI Scan'
```

### Parameters for Azure DevOps Server (TFS)

| Parameter  | Value                              | Description                                                    |
| ---------- | ---------------------------------- | -------------------------------------------------------------- |
| `service`  | `azuredevops`                      | Specifies Azure DevOps as the repository provider              |
| `repo`     | `collection/project/repo`          | Repository in `collection/project/repository-name` format      |
| `commitId` | `$(Build.SourceVersion)`           | Commit SHA to analyze                                          |
| `baseUrl`  | `https://tfs.example.com:8443/tfs` | Base URL of your on-premise Azure DevOps Server / TFS instance |

> **Note:** For on-premise Azure DevOps Server / TFS deployments, provide all four parameters explicitly, because the built-in environment variables may differ from those on Azure DevOps Cloud and cannot be relied on for auto-detection.

***

## Scenario 3: GitHub Repository + Azure DevOps Pipeline

When your repository is hosted on GitHub but your pipeline runs in Azure DevOps, you need to specify the `service`, `repo`, and `commitId` parameters.

```yaml theme={null}
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN_GITHUB)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```

### Parameters for GitHub

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `github`                 | Specifies GitHub as the repository provider                                                       |
| `repo`     | `owner/repo`             | Repository in `owner/repository-name` format                                                      |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |

***

## Scenario 4: GitLab Repository + Azure DevOps Pipeline

When your repository is hosted on GitLab but your pipeline runs in Azure DevOps:

```yaml theme={null}
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(ACCESS_TOKEN_GITLAB)
      service: 'gitlab'
      repo: 'mygroup/my-project'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```

### Parameters for GitLab

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `gitlab`                 | Specifies GitLab as the repository provider                                                       |
| `repo`     | `group/project`          | Repository in `group/project-name` or `user/project-name` format                                  |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |

***

## Scenario 5: Bitbucket Repository + Azure DevOps Pipeline

When your repository is hosted on Bitbucket but your pipeline runs in Azure DevOps:

```yaml theme={null}
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(BITBUCKET_ACCESS_TOKEN)
      service: 'bitbucket'
      repo: 'myworkspace/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan'
```

### Parameters for Bitbucket

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `bitbucket`              | Specifies Bitbucket as the repository provider                                                    |
| `repo`     | `workspace/repo`         | Repository in `workspace/repository-name` format                                                  |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |
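The five scenarios above all reduce to one set of detection rules: which inputs are mandatory, which fall back to Azure DevOps built-in variables, and which `repo` shape each provider expects. The following Python is an added example that reconstructs those rules from this page so you can pre-flight a pipeline definition offline; it is not the `CodeAntCIScan@1` task's own code. The input names, variable names and the "Invalid repository format" / "Required Azure DevOps variables not found" messages come from the page; the function names, the `ConfigError` type and the assumption that an auto-detected Azure Repos target is composed as `SYSTEM_TEAMPROJECT/BUILD_REPOSITORY_NAME` are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Azure DevOps built-in variables Scenario 1 relies on (names from the page).
ADO_VARS = ("SYSTEM_TEAMPROJECT", "BUILD_REPOSITORY_NAME", "BUILD_SOURCEVERSION")

# `repo` shapes from the parameter tables: owner/repo, group/project,
# workspace/repo for external hosts; collection/project/repository-name for TFS.
TWO_PART = re.compile(r"^[^/\s]+/[^/\s]+$")
THREE_PART = re.compile(r"^[^/\s]+/[^/\s]+/[^/\s]+$")
EXTERNAL_SERVICES = ("github", "gitlab", "bitbucket")


class ConfigError(ValueError):
    """Raised with text modelled on the troubleshooting section (assumed type)."""


@dataclass(frozen=True)
class ScanTarget:
    service: str
    repo: str
    commit_id: str
    base_url: Optional[str] = None


def resolve_scan_target(inputs: dict, env: dict) -> ScanTarget:
    """Apply the Scenario 1-5 rules to task inputs plus agent environment."""
    service = (inputs.get("service") or "azuredevops").strip().lower()
    repo = (inputs.get("repo") or "").strip()
    # An explicit commitId wins; otherwise fall back to BUILD_SOURCEVERSION.
    commit_id = (inputs.get("commitId") or env.get("BUILD_SOURCEVERSION") or "").strip()
    base_url = (inputs.get("baseUrl") or "").strip() or None

    if service == "azuredevops":
        if base_url:
            # Scenario 2: on-prem Azure DevOps Server / TFS, everything explicit.
            if not repo or not commit_id:
                raise ConfigError("service, repo, commitId and baseUrl are all required for Azure DevOps Server")
            if not THREE_PART.match(repo):
                raise ConfigError(f"Invalid repository format: {repo!r} (expected collection/project/repository-name)")
            return ScanTarget(service, repo, commit_id, base_url)
        if repo and commit_id:
            # Assumption: explicit inputs override auto-detection on Azure DevOps Cloud.
            return ScanTarget(service, repo, commit_id)
        # Scenario 1: Azure Repos on Azure DevOps Cloud, auto-detected.
        missing = [v for v in ADO_VARS if not env.get(v)]
        if missing:
            raise ConfigError("Required Azure DevOps variables not found: " + ", ".join(missing))
        # Assumption: the page names the source variables but not the composed shape.
        auto_repo = f"{env['SYSTEM_TEAMPROJECT']}/{env['BUILD_REPOSITORY_NAME']}"
        return ScanTarget(service, auto_repo, env["BUILD_SOURCEVERSION"])

    if service not in EXTERNAL_SERVICES:
        raise ConfigError(f"Unknown service {service!r}; expected one of github, gitlab, bitbucket, azuredevops")
    # Scenarios 3-5: service and repo required, commitId auto-detected when possible.
    if not repo:
        raise ConfigError(f"repo input is required when service is {service!r}")
    if not TWO_PART.match(repo):
        raise ConfigError(f"Invalid repository format: {repo!r} (expected owner/repo)")
    if not commit_id:
        raise ConfigError("commitId is required (BUILD_SOURCEVERSION not available)")
    return ScanTarget(service, repo, commit_id)


def check(inputs: dict, env: dict) -> str:
    """Return 'ok' or the error text; convenient for a pre-flight script step."""
    try:
        resolve_scan_target(inputs, env)
        return "ok"
    except ConfigError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a Scenario 3 pipeline where the agent exposes BUILD_SOURCEVERSION.
    sample_env = {"BUILD_SOURCEVERSION": "0123456789abcdef0123456789abcdef01234567"}
    print(check({"service": "github", "repo": "myorg/my-repo"}, sample_env))
```

Running it against a pipeline's inputs before the real task step turns the "Repository format issues" and "External repository not working" troubleshooting entries into a deterministic check rather than a failed build.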

***

## Task Parameters Reference

### Required Parameters

| Parameter     | Description                                                                                                                                                                       |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `accessToken` | Access token for the repository provider, passed from a secret pipeline variable. Azure DevOps Personal Access Token (PAT): `AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN`; GitHub: `ACCESS_TOKEN_GITHUB`; GitLab: `ACCESS_TOKEN_GITLAB`; Bitbucket: `BITBUCKET_ACCESS_TOKEN` |

### Optional Parameters

| Parameter      | Default           | Description                                                  |
| -------------- | ----------------- | ------------------------------------------------------------ |
| `service`      | `azuredevops`     | Service type: `github`, `gitlab`, `bitbucket`, `azuredevops` |
| `repo`         | *(auto-detected)* | Repository in `owner/repo` format (`collection/project/repo` for Azure DevOps Server / TFS) |
| `commitId`     | *(auto-detected)* | Commit SHA to analyze                                        |
| `scanners`     | `sast,sca`        | Comma-separated list of scanners to run                      |
| `includePaths` | *(empty)*         | Comma-separated paths to include in scan                     |
| `excludePaths` | *(empty)*         | Comma-separated paths to exclude from scan                   |
| `timeout`      | `300`             | Maximum time to wait for scan results (seconds)              |
| `pollInterval` | `15`              | Time between polling attempts (seconds)                      |
| `noWait`       | `false`           | Skip waiting for results and return immediately              |

### Available Scanners

| Scanner        | Description                                                                |
| -------------- | -------------------------------------------------------------------------- |
| `sast`         | Static Application Security Testing - identifies code vulnerabilities      |
| `sca`          | Software Composition Analysis - detects dependency vulnerabilities         |
| `secrets`      | Secret detection for API keys, passwords, and tokens                       |
| `antipatterns` | Code quality and duplicate code detection                                  |
| `iac`          | Infrastructure as Code security scanning (Terraform, CloudFormation, etc.) |
| `all`          | Runs all available scanners                                                |

**Examples:**

* `scanners: 'all'` - Run all scanners for comprehensive analysis
* `scanners: 'sast,secrets'` - Run only SAST and secrets detection
* `scanners: 'sast,sca,secrets,iac'` - Run a complete security suite

***

## How it works

1. **Setup environment**
   The task extracts repository information either from user-provided inputs or Azure DevOps built-in variables.

2. **Download script**
   The task fetches the CI scan script from the CodeAnt API endpoint.

3. **Trigger scan**
   The script initiates a CI scan for your commit, optionally waiting for results based on the `noWait` parameter.

4. **Pipeline feedback**
   * **Success**: Scan completes successfully (or is triggered in no-wait mode)
   * **Failure**: Scan fails or detects critical issues, blocking the build

***

## Execution Time Considerations

⏱️ **Performance Options:**

* **With result waiting** (default): ~7 minutes
  * Triggers scan and waits for complete analysis results
  * Includes both security and SCA (Software Composition Analysis) results
  * Best for comprehensive CI/CD pipelines where you need immediate feedback

* **With `noWait: 'true'`**: ~2 minutes
  * Only triggers the scan and returns immediately
  * Results can be fetched later or viewed in the CodeAnt dashboard
  * Ideal for faster CI runs or when results can be processed asynchronously

***

## Example Configurations

### Fast CI Mode (No Wait)

For quick pipeline runs where you don't need immediate results:

```yaml theme={null}
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Fast Mode)'
```

### Comprehensive Analysis (Wait for Results)

For thorough analysis with all scanner types:

```yaml theme={null}
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      timeout: '600'
      pollInterval: '20'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Full Results)'
```

### Custom File Filtering with Security Focus

To scan only specific files with targeted security checks:

```yaml theme={null}
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      includePaths: 'src/**/*.{js,ts}'
      excludePaths: '**/node_modules/**,**/dist/**,**/test/**'
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Security Focused)'
```

### External Repository with Custom Commit

When you need to specify a particular commit for an external repository:

```yaml theme={null}
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      service: 'github'
      repo: 'myorg/my-repo'
      commitId: '$(Build.SourceVersion)'
    displayName: 'CodeAnt CI Scan (GitHub)'
```

### Branch-Specific Configuration

Run different scan modes and scanners based on the branch:

```yaml theme={null}
steps:
  - checkout: self

  # Fast mode for feature branches
  - task: CodeAntCIScan@1
    condition: ne(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      noWait: 'true'
    displayName: 'CodeAnt CI Scan (Feature Branch - Fast)'

  # Full analysis for main branch
  - task: CodeAntCIScan@1
    condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      timeout: '600'
      noWait: 'false'
    displayName: 'CodeAnt CI Scan (Main Branch - Full)'
```

***

## Best Practices

1. **Use fast mode for PRs**: Set `noWait: 'true'` for pull request pipelines to keep them fast
2. **Full analysis for main**: Use complete analysis (wait for results) on main/master branch merges
3. **Customize scanners**: Use `scanners: 'all'` for comprehensive coverage or specific combinations like `scanners: 'sast,secrets'` for targeted checks
4. **Default scanners**: The default configuration (`sast,sca`) provides a good balance between coverage and execution time
5. **Adjust timeouts**: Increase timeout for larger repositories that take longer to analyze
6. **File filtering**: Use include/exclude patterns to focus analysis on relevant code
7. **Keep tokens secure**: Always use Azure DevOps Variable Groups or Pipeline Variables for tokens
8. **Monitor performance**: Track scan times and optimize based on your repository size

***

## Troubleshooting

### Task not found

If you see "Task 'codeant-ci-scan' not found":

* Ensure the CodeAnt extension is installed in your Azure DevOps organization
* Go to **Organization Settings → Extensions** to verify installation
* Check that the extension is enabled for your project

### Scan times out

If the scan takes longer than expected:

* Increase the timeout using `timeout: '600'` (10 minutes) or higher
* Check if the CodeAnt service is operational
* Consider using `noWait: 'true'` for faster pipeline execution
* Review your network connectivity to the CodeAnt API

### Authentication failures

If you see "Access token invalid" or "`AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN` is required":

* Verify your `AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN` variable is correctly configured in Pipeline Variables or Variable Groups
* Ensure the token has appropriate repository permissions
* Check that the variable is marked as secret
* Verify the token hasn't expired

### No results returned

If the scan completes but returns no results:

* Check that CI scanning is enabled for your repository in CodeAnt
* Verify the commit SHA is correct
* Ensure your Azure DevOps organization has proper integration with CodeAnt
* Check the CodeAnt dashboard to see if the scan was registered

### Repository format issues

If you see "Invalid repository format" or "Required Azure DevOps variables not found":

* For Azure Repos: Verify `BUILD_REPOSITORY_NAME`, `BUILD_SOURCEVERSION`, and `SYSTEM_TEAMPROJECT` are available
* For external repos: Ensure you've provided `service` and `repo` inputs
* Check the expected format: `owner/repo` for GitHub/GitLab/Bitbucket

### External repository not working

If scanning an external repository (GitHub, GitLab, Bitbucket) fails:

* Ensure you've specified the correct `service` value (`github`, `gitlab`, or `bitbucket`)
* Verify the `repo` format matches the expected pattern for your service
* Check that your access token has permissions for the external repository

### Windows compatibility issues

If running on Windows agents:

* Ensure Git Bash or WSL is available on the agent
* The task automatically detects Windows and uses bash for script execution
* Consider using Linux agents (`ubuntu-latest`) for best compatibility

***

## Advanced Configuration

### Parallel Jobs

Run scans in parallel for different directories:

```yaml theme={null}
jobs:
  - job: ScanBackend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
          includePaths: 'backend/**'
        displayName: 'Scan Backend'

  - job: ScanFrontend
    steps:
      - task: CodeAntCIScan@1
        inputs:
          accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
          includePaths: 'frontend/**'
        displayName: 'Scan Frontend'
```

***

## Windows Runner Configuration

If you're using a Windows runner (`windows-latest`) instead of a Linux runner, make the following changes:

### Changes Required

1. **Update pool configuration:**

```yaml theme={null}
pool:
  vmImage: 'windows-latest'  # Change from 'ubuntu-latest'
```

2. **Add environment variable (recommended):**

```yaml theme={null}
- task: CodeAntCIScan@1
  displayName: 'CodeAnt CI Scan'
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
  env:
    PYTHONIOENCODING: 'utf-8'  # Add this for proper encoding
```

### Key Differences

| Configuration        | Linux Runner               | Windows Runner                       |
| -------------------- | -------------------------- | ------------------------------------ |
| Pool Image           | `vmImage: 'ubuntu-latest'` | `vmImage: 'windows-latest'`          |
| Environment Variable | Not required               | Add `env: PYTHONIOENCODING: 'utf-8'` |

***

## On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the `apiBase` parameter:

```yaml theme={null}
steps:
  - checkout: self

  - task: CodeAntCIScan@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      apiBase: 'https://your-codeant-instance.example.com'
    displayName: 'CodeAnt CI Scan (On-Premise)'
```

> **Note:** The `apiBase` parameter is only required for on-premise deployments. Cloud users do not need to configure this.

***

With CodeAnt CI Scan in place, every push will automatically trigger a comprehensive code analysis, helping you maintain high code quality and security standards—whether your repository is hosted in Azure Repos, GitHub, GitLab, or Bitbucket.
