Azure Pipelines Workflow

Add the following to your azure-pipelines.yml. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:
trigger:
  branches:
    include:
      - '*'

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - bash: |
      set -e   # fail the step on the first error instead of continuing silently

      echo "Setting up environment variables"
      # SYSTEM_COLLECTIONURI looks like https://dev.azure.com/<org>/ ; keep only <org>
      ORG=$(echo "$SYSTEM_COLLECTIONURI" | sed -E 's|https://dev\.azure\.com/([^/]+)/|\1|')
      PROJECT="$SYSTEM_TEAMPROJECT"
      REPO="$BUILD_REPOSITORY_NAME"
      FULL_REPO="${ORG}/${PROJECT}/${REPO}"

      echo "Debug Info:"
      echo "  Organization: $ORG"
      echo "  Project: $PROJECT"
      echo "  Repository: $REPO"
      echo "  Full Repo: $FULL_REPO"
      echo "  Commit: $(Build.SourceVersion)"
      echo "  Branch: $(Build.SourceBranchName)"

      # The token is injected through the env: block below; never echo it
      if [ -z "$ACCESS_TOKEN" ]; then
        echo "ERROR: ACCESS_TOKEN is not set!"
        exit 1
      fi

      echo "Downloading CodeAnt quality gates script..."
      # --fail turns an HTTP error into a non-zero exit so a bad download stops the step
      curl -sS --fail -X GET "https://api.codeant.ai/analysis/ci/quality-gates/script/get" \
        --output quality_gates.sh.b64

      echo "Decoding and making script executable"
      base64 -d quality_gates.sh.b64 > quality_gates.sh
      chmod +x quality_gates.sh

      echo "Starting quality gate scan..."
      ./quality_gates.sh \
        -a "$ACCESS_TOKEN" \
        -r "$FULL_REPO" \
        -c "$(Build.SourceVersion)" \
        -s azuredevops \
        -o start
      echo "Quality gate scan initiated successfully"

      echo "Polling for quality gate results..."
      # Exits non-zero (failing the build) if secrets are found or polling times out
      ./quality_gates.sh \
        -a "$ACCESS_TOKEN" \
        -r "$FULL_REPO" \
        -c "$(Build.SourceVersion)" \
        -s azuredevops \
        -o results \
        -t 300 \
        -p 15

      echo "Quality Gate PASSED - No secrets detected"
    displayName: 'Quality Gate Scan'
    env:
      ACCESS_TOKEN: $(ACCESS_TOKEN)
Important:
  • In Project → Pipelines → Library, add a secret variable named ACCESS_TOKEN with your personal access token or repo token.
  • Azure DevOps automatically provides $(Build.Repository.Name) (your repo slug), $(Build.SourceVersion) (the commit SHA), and other build variables.

How it works

  1. Setup environment
    Extract organization, project, and repository information from Azure DevOps built-in variables.
  2. Download script
    We fetch the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  3. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  4. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  5. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the build
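To make the meaning of the -t and -p values concrete, here is an added illustration (written for this page, not CodeAnt's quality_gates.sh) of how a results poll with a timeout and a poll interval behaves. The check command it polls is a constructed stand-in named fake_check that prints pending, passed or failed; the real script calls the CodeAnt API instead. The point a practitioner should take from it is that running out of the timeout budget is a distinct outcome from a pass, and must fail the step just as a detected secret does.

```shell
#!/usr/bin/env bash
# Added example: semantics of "-o results -t TIMEOUT -p INTERVAL".
# Not the CodeAnt script; the check command is a constructed stand-in.

# poll_results CHECK_CMD TIMEOUT_SECONDS INTERVAL_SECONDS
# CHECK_CMD prints one of: pending | passed | failed
# Exit codes: 0 = passed, 1 = failed (secrets found), 2 = timed out,
#             3 = the check itself errored (e.g. an auth problem)
poll_results() {
  local check_cmd="$1" timeout="$2" interval="$3"
  local start now elapsed status
  start=$(date +%s)
  while :; do
    status=$("$check_cmd") || return 3
    case "$status" in
      passed) return 0 ;;
      failed) return 1 ;;
    esac
    now=$(date +%s)
    elapsed=$((now - start))
    # If the next wait would exhaust the budget, give up: a timeout is NOT a pass
    if [ $((elapsed + interval)) -ge "$timeout" ]; then
      echo "poll timed out after ${elapsed}s (budget ${timeout}s)" >&2
      return 2
    fi
    sleep "$interval"
  done
}

# Constructed stand-in for the results call: "pending" on the first two polls,
# then "passed". State lives in a file because each call runs in a subshell.
fake_check() {
  local n
  n=$(cat "$FAKE_STATE" 2>/dev/null || echo 0)
  n=$((n + 1))
  echo "$n" > "$FAKE_STATE"
  if [ "$n" -lt 3 ]; then echo pending; else echo passed; fi
}

# run_demo: poll the stand-in with a 10 s budget and no delay between polls.
# Returns poll_results' exit code so callers can assert on it.
run_demo() {
  local rc=0
  FAKE_STATE=$(mktemp)
  poll_results fake_check 10 0 || rc=$?
  rm -f "$FAKE_STATE"
  echo "demo finished with exit code $rc"
  return "$rc"
}
```

In the pipeline, the equivalent decision is made inside quality_gates.sh; the reason to understand it is that a step which ignores the script's exit status (for example one that pipes it into another command) would turn a timeout or a finding into a green build.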

Script Parameters

The quality_gates.sh script accepts the following parameters:
  • -a, --access-token (required): Azure DevOps Personal Access Token. Example: $(ACCESS_TOKEN)
  • -r, --repo (required): Repository in the format org/project/repository. Example: ${ORG}/${PROJECT}/${REPO}
  • -c, --commit-id (required): Commit SHA to scan. Example: $(Build.SourceVersion)
  • -s, --service (required): VCS provider. Example: azuredevops
  • -o, --operation (required): Operation to perform (start or results). Example: start or results
  • -t, --timeout (optional): Timeout in seconds for polling (default: 300). Example: 300
  • -p, --poll-interval (optional): Poll interval in seconds (default: 15). Example: 15
  • -u, --base-url (optional): Base URL for the VCS service. Example: https://dev.azure.com

Quality Gate Checks

Currently, the quality gate performs the following checks:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any secrets are found

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block builds: Configure branch policies to require quality gate pipeline success before merging
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use Azure DevOps Variable Groups or Pipeline Variables
  5. Use variable groups: Store your ACCESS_TOKEN in a Variable Group for reuse across pipelines

Azure DevOps Built-in Variables

The following Azure DevOps built-in variables are automatically available and used:
  • $(Build.Repository.Name): Repository name. Example: MyRepo
  • $(Build.SourceVersion): Current commit SHA. Example: abc123def456
  • $(Build.SourceBranchName): Current branch name. Example: main
  • $(System.TeamProject): Project name. Example: MyProject
  • $(System.CollectionUri): Collection URI. Example: https://dev.azure.com/myorg/
  • $(System.PullRequest.PullRequestId): Pull request ID (if applicable). Example: 123

Troubleshooting

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using -t 600 (10 minutes)
  • Check if the CodeAnt service is operational
  • Consider optimizing your repository size

Authentication failures

If you see “Access token invalid”:
  • Verify your ACCESS_TOKEN variable is correctly configured in Pipeline Variables or Variable Groups
  • Ensure the token has appropriate repository permissions
  • Check that the variable is marked as secret

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Azure DevOps organization has proper integration with CodeAnt

Repository format issues

If you see “Invalid repository format”:
  • Verify the repository format is organization/project/repository
  • Check that organization, project, and repository names are extracted correctly
  • Debug the environment variables by adding echo statements

Pipeline fails silently

If the pipeline exits without clear error:
  • Add set -e at the beginning of your script to fail on any error
  • Add error handling:
    ./quality_gates.sh ... || { echo "Quality gate failed!"; exit 1; }
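The two troubleshooting items above (repository format and silent failures), together with the "Setup environment" step, are covered by this added example. It is written for this page and is not CodeAnt's script: it derives the org/project/repository value from the same Azure DevOps environment variables the pipeline uses, validates the format before a scan is started, and wraps quality_gates.sh so that every failure path exits non-zero with a clear message. The legacy https://{org}.visualstudio.com/ collection URI form is handled as an assumption; the dev.azure.com form is the one the page's pipeline uses. ACCESS_TOKEN, FULL_REPO and COMMIT are the variable names from the page; main is only run when the script is invoked with the argument run, so the helper functions can be sourced and tested without a token.

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's quality_gates.sh): build and validate the
# org/project/repo value, then run the gate fail-fast.
set -eu   # abort on any error or unset variable instead of failing silently

# derive_org COLLECTION_URI -> prints the organization name.
# Handles https://dev.azure.com/{org}/ and, as an assumption,
# the legacy https://{org}.visualstudio.com/ form.
derive_org() {
  local uri="${1%/}"            # drop a trailing slash if present
  local rest host
  case "$uri" in
    https://dev.azure.com/*)
      rest="${uri#https://dev.azure.com/}"
      printf '%s\n' "${rest%%/*}" ;;
    https://*.visualstudio.com)
      host="${uri#https://}"
      printf '%s\n' "${host%.visualstudio.com}" ;;
    *)
      echo "unrecognized collection URI: $uri" >&2
      return 1 ;;
  esac
}

# build_full_repo COLLECTION_URI PROJECT REPO -> prints org/project/repo
build_full_repo() {
  local org project="$2" repo="$3"
  org=$(derive_org "$1")
  printf '%s/%s/%s\n' "$org" "$project" "$repo"
}

# validate_full_repo VALUE -> 0 only if VALUE has exactly three non-empty parts
validate_full_repo() {
  case "$1" in
    ""|/*|*/|*//*|*/*/*/*) return 1 ;;   # empty part or too many parts
    */*/*) return 0 ;;
    *) return 1 ;;                        # fewer than three parts
  esac
}

# run_gate OPERATION [extra args...]: run quality_gates.sh and surface its
# exit status explicitly. Assumes ACCESS_TOKEN, FULL_REPO and COMMIT are set.
run_gate() {
  local op="$1" rc=0
  shift
  ./quality_gates.sh -a "$ACCESS_TOKEN" -r "$FULL_REPO" -c "$COMMIT" \
    -s azuredevops -o "$op" "$@" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "Quality gate '$op' failed (exit $rc)" >&2
    return "$rc"
  fi
  echo "Quality gate '$op' succeeded"
}

# main: the body of the pipeline step. Uses the environment-variable form of the
# Azure DevOps build variables (BUILD_SOURCEVERSION is Build.SourceVersion).
main() {
  : "${ACCESS_TOKEN:?ACCESS_TOKEN is not set}"   # clear error instead of a silent exit
  FULL_REPO=$(build_full_repo "$SYSTEM_COLLECTIONURI" "$SYSTEM_TEAMPROJECT" "$BUILD_REPOSITORY_NAME")
  validate_full_repo "$FULL_REPO" || {
    echo "Invalid repository format: '$FULL_REPO' (expected organization/project/repository)" >&2
    exit 1
  }
  COMMIT="$BUILD_SOURCEVERSION"
  run_gate start
  run_gate results -t 300 -p 15
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Keeping the token out of every echo and letting set -eu plus the explicit exit-status check decide the outcome means the step can only go green when the scan actually reported a pass.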
    

Variable Groups Setup

To set up a Variable Group for reusable access tokens:
  1. Go to Pipelines → Library
  2. Click + Variable group
  3. Name it CodeAnt-Variables
  4. Add variable ACCESS_TOKEN with your personal access token
  5. Mark it as Secret
  6. Reference in your pipeline:
variables:
  - group: CodeAnt-Variables

steps:
  - bash: |
      # Your quality gate script here
    env:
      ACCESS_TOKEN: $(ACCESS_TOKEN)
With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Azure DevOps repositories.