Skip to main content

Installation

Before using CodeAnt Quality Gates in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:
  1. Go to the Azure DevOps Marketplace and search for “CodeAnt AI” or directly download from here
  2. Click Get it free
  3. Select your Azure DevOps organization
  4. Click Install
Once installed, the CodeAntQualityGate@1 task will be available in all pipelines across your organization.

Repository Scenarios

CodeAnt Quality Gate supports multiple repository configurations in Azure DevOps:
ScenarioRepository LocationPipeline LocationConfiguration
Scenario 1Azure ReposAzure DevOpsAuto-detected (default)
Scenario 2GitHubAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.
Scenario 3GitLabAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.
Scenario 4BitbucketAzure DevOpsRequires service and repo inputs. commitId auto-detected from BUILD_SOURCEVERSION if available.

Scenario 1: Azure Repos + Azure DevOps Pipeline

When your repository is hosted in Azure Repos: 
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
  displayName: 'CodeAnt Quality Gate'
Note: No additional configuration needed. The task automatically extracts information from these Azure DevOps built-in variables:
  • SYSTEM_TEAMPROJECT - Project name
  • BUILD_REPOSITORY_NAME - Repository name
  • BUILD_SOURCEVERSION - Commit SHA

Scenario 2: GitHub Repository + Azure DevOps Pipeline

- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    service: 'github'
    repo: 'myorg/my-repo'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'

Parameters for GitHub

ParameterValueDescription
servicegithubSpecifies GitHub as the repository provider
repoowner/repoRepository in owner/repository-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Scenario 3: GitLab Repository + Azure DevOps Pipeline

- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    service: 'gitlab'
    repo: 'mygroup/my-project'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'

Parameters for GitLab

ParameterValueDescription
servicegitlabSpecifies GitLab as the repository provider
repogroup/projectRepository in group/project-name or user/project-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Scenario 4: Bitbucket Repository + Azure DevOps Pipeline

- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    service: 'bitbucket'
    repo: 'myworkspace/my-repo'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'

Parameters for Bitbucket

ParameterValueDescription
servicebitbucketSpecifies Bitbucket as the repository provider
repoworkspace/repoRepository in workspace/repository-name format
commitId$(Build.SourceVersion)Commit SHA to analyze. Auto-detected from BUILD_SOURCEVERSION if available, otherwise required.

Video Tutorial

Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines:

Azure Pipelines Workflow

Add the following to your azure-pipelines.yml. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues: 
trigger:
  branches:
    include:
      - '*'

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntQualityGate@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
    displayName: 'CodeAnt Quality Gate'

With Optional Parameters

You can customize the timeout and polling interval: 
steps:
  - checkout: self

  - task: CodeAntQualityGate@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      timeout: '300'
      pollInterval: '15'
    displayName: 'CodeAnt Quality Gate'
Important:
  • In Project → Pipelines → Library, add a secret variable named ACCESS_TOKEN with your personal access token or repo token.

How it works

  1. Setup environment
    Extract organization, project, and repository information from Azure DevOps built-in variables.
  2. Download script
    We fetch the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  3. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  4. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  5. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the build

Quality Gate Checks

The quality gate performs comprehensive checks including:

Security and Code Quality Checks

  • Secret Detection: Scans for hardcoded secrets, API keys, passwords, and tokens
  • SAST (Static Application Security Testing): Detects security vulnerabilities in source code
  • SCA (Software Composition Analysis): Identifies vulnerabilities in third-party dependencies
  • IaC (Infrastructure as Code): Scans infrastructure configuration files for security issues
  • Duplicate Code Detection: Identifies code duplication to improve maintainability
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any issues are found

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block builds: Configure branch policies to require quality gate pipeline success before merging
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use Azure DevOps Variable Groups or Pipeline Variables
  5. Use variable groups: Store your ACCESS_TOKEN in a Variable Group for reuse across pipelines
  6. Set appropriate timeouts: Adjust timeout values based on your repository size and complexity
  7. Monitor performance: Track how long quality gate checks take and optimize if needed

Troubleshooting

Task not found

If you see “Task ‘codeant-quality-gate’ not found”:
  • Ensure the CodeAnt extension is installed in your Azure DevOps organization
  • Go to Organization Settings → Extensions to verify installation
  • Check that the extension is enabled for your project

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using timeout: '600' (10 minutes)
  • Check if the CodeAnt service is operational
  • Consider optimizing your repository size
  • Review your network connectivity to the CodeAnt API

Authentication failures

If you see “Access token invalid” or “ACCESS_TOKEN is required”:
  • Verify your ACCESS_TOKEN variable is correctly configured in Pipeline Variables or Variable Groups
  • Ensure the token has appropriate repository permissions
  • Check that the variable is marked as secret
  • Verify the token hasn’t expired

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Azure DevOps organization has proper integration with CodeAnt
  • Check the CodeAnt dashboard to see if the scan was registered

Repository format issues

If you see “Invalid repository format” or “Required Azure DevOps variables not found”:
  • Verify that environment variables are being set correctly
  • Check that BUILD_REPOSITORY_NAME, BUILD_SOURCEVERSION, and SYSTEM_TEAMPROJECT are available
  • The task expects repository format: organization/project/repository
  • Add debugging by checking the task logs for environment variable values

Pipeline fails silently

If the pipeline exits without clear error:
  • Add set -e at the beginning of your script to fail on any error
  • Add error handling: 
    ./quality_gates.sh ... || { echo "Quality gate failed!"; exit 1; }

Extended Timeout for Large Repositories

For larger repositories that take longer to scan: 
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    timeout: '900'  # 15 minutes
    pollInterval: '30'  # Check every 30 seconds

On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the apiBase parameter: 
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    apiBase: 'https://your-codeant-instance.example.com'
  displayName: 'CodeAnt Quality Gate (On-Premise)'
Note: The apiBase parameter is only required for on-premise deployments. Cloud users do not need to configure this.
With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Azure DevOps repositories.