Azure Pipelines Workflow
Add the following to your `azure-pipelines.yml`. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:
Important:
- In Project → Pipelines → Library, add a secret variable named `ACCESS_TOKEN` with your personal access token or repo token.
- Azure DevOps automatically provides `$(Build.Repository.Name)` (your repo slug), `$(Build.SourceVersion)` (the commit SHA), and other build variables.
How it works
- Setup environment: Extract organization, project, and repository information from Azure DevOps built-in variables.
- Download script: We fetch the quality gates script (`quality_gates.sh`) from the CodeAnt API endpoint.
- Start scan: The script initiates a quality gate scan for your commit using the `-o start` operation.
- Poll for results: The script polls for scan results using the `-o results` operation with:
  - Timeout: 300 seconds (5 minutes)
  - Poll interval: 15 seconds
- Pipeline feedback:
  - Success: Quality gate passes if no secrets are detected
  - Failure: Quality gate fails if secrets are found, blocking the build
Script Parameters
The `quality_gates.sh` script accepts the following parameters:
Parameter | Description | Required | Example |
---|---|---|---|
`-a, --access-token` | Azure DevOps Personal Access Token | Yes | `$(ACCESS_TOKEN)` |
`-r, --repo` | Repository in format `org/project/repository` | Yes | `${ORG}/${PROJECT}/${REPO}` |
`-c, --commit-id` | Commit SHA to scan | Yes | `$(Build.SourceVersion)` |
`-s, --service` | VCS provider | Yes | `azuredevops` |
`-o, --operation` | Operation to perform (`start` or `results`) | Yes | `start` or `results` |
`-t, --timeout` | Timeout in seconds for polling (default: 300) | No | `300` |
`-p, --poll-interval` | Poll interval in seconds (default: 15) | No | `15` |
`-u, --base-url` | Base URL for VCS service (optional) | No | `https://dev.azure.com` |
Quality Gate Checks
Currently, the quality gate performs the following checks:
Secret Detection
- Scans for hardcoded secrets, API keys, passwords, and tokens
- Analyzes only the changed lines since your merge base commit
- Uses high-confidence detection to minimize false positives
- Blocks the build if any secrets are found
Best Practices
- Run on all branches: Quality gates should run on every push to catch issues early
- Block builds: Configure branch policies to require quality gate pipeline success before merging
- Review failures: When quality gates fail, review the detected issues immediately
- Keep tokens secure: Never commit access tokens directly; always use Azure DevOps Variable Groups or Pipeline Variables
- Use variable groups: Store your `ACCESS_TOKEN` in a Variable Group for reuse across pipelines
Azure DevOps Built-in Variables
The following Azure DevOps built-in variables are automatically available and used:
Variable | Description | Example |
---|---|---|
`$(Build.Repository.Name)` | Repository name | MyRepo |
`$(Build.SourceVersion)` | Current commit SHA | abc123def456 |
`$(Build.SourceBranchName)` | Current branch name | main |
`$(System.TeamProject)` | Project name | MyProject |
`$(System.CollectionUri)` | Collection URI | https://dev.azure.com/myorg/ |
`$(System.PullRequest.PullRequestId)` | Pull request ID (if applicable) | 123 |
Troubleshooting
Quality gate times out
If the scan takes longer than expected:
- Increase the timeout using `-t 600` (10 minutes)
- Check if the CodeAnt service is operational
- Consider optimizing your repository size
Authentication failures
If you see “Access token invalid”:
- Verify your `ACCESS_TOKEN` variable is correctly configured in Pipeline Variables or Variable Groups
- Ensure the token has appropriate repository permissions
- Check that the variable is marked as secret
No results returned
If the scan completes but returns no results:
- Check that quality gates are enabled for your repository in CodeAnt
- Verify the commit SHA is correct
- Ensure your Azure DevOps organization has proper integration with CodeAnt
Repository format issues
If you see “Invalid repository format”:
- Verify the repository format is `organization/project/repository`
- Check that organization, project, and repository names are extracted correctly
- Debug the environment variables by adding echo statements
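The environment-setup step from "How it works" (deriving `organization/project/repository` from the built-in variables) and the "Invalid repository format" check above, as an added bash example. This is not CodeAnt's `quality_gates.sh` and not part of the original page: it derives the `-r/--repo` value, rejects malformed references before the script is called, and wraps a results check in a timeout/poll-interval loop with the same `-t`/`-p` semantics (defaults 300 s and 15 s). It relies on Azure DevOps exposing pipeline variables to scripts as upper-case environment variables with dots replaced by underscores (`System.CollectionUri` becomes `SYSTEM_COLLECTIONURI`); `check_results_placeholder` is a hypothetical stand-in for the real `-o results` call, and the `myorg`/`MyProject`/`MyRepo` fallback values are constructed.

```shell
#!/usr/bin/env bash
# Added example, not CodeAnt's quality_gates.sh: derives the org/project/repo
# reference from Azure DevOps variables, checks its format, and wraps a results
# check in a timeout / poll-interval loop like the one the pipeline step uses.
# Azure DevOps exposes pipeline variables to scripts as upper-case environment
# variables with dots replaced by underscores (Build.SourceVersion -> BUILD_SOURCEVERSION).

# Organization from System.CollectionUri. Accepts the current
# https://dev.azure.com/{org}/ form and the legacy https://{org}.visualstudio.com/ form.
extract_org() {
  qg_uri="${1%/}"                                   # drop a trailing slash
  case "$qg_uri" in
    https://dev.azure.com/*)
      qg_org="${qg_uri#https://dev.azure.com/}"
      printf '%s\n' "${qg_org%%/*}" ;;              # keep only the first path segment
    https://*.visualstudio.com)
      qg_host="${qg_uri#https://}"
      printf '%s\n' "${qg_host%.visualstudio.com}" ;;
    *) return 1 ;;
  esac
}

# Assemble the value passed to -r/--repo: organization/project/repository.
build_repo_ref() {
  qg_org=$(extract_org "$1") || return 1
  printf '%s/%s/%s\n' "$qg_org" "$2" "$3"
}

# Exactly three non-empty, slash-separated segments; anything else is the
# "Invalid repository format" case from Troubleshooting.
validate_repo_ref() {
  case "$1" in
    ""|/*|*/|*//*|*/*/*/*) return 1 ;;             # empty, leading/trailing slash, empty segment, too many segments
    */*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Poll CHECK until it exits 0, giving up once TIMEOUT seconds have elapsed.
# Same semantics as -t/--timeout and -p/--poll-interval (defaults 300 and 15).
# Usage: poll_until TIMEOUT INTERVAL check-command [args...]
poll_until() {
  qg_timeout=$1; qg_interval=$2; shift 2
  [ "$qg_interval" -ge 1 ] || { echo "poll interval must be >= 1s" >&2; return 2; }
  qg_elapsed=0
  while :; do
    if "$@"; then return 0; fi
    if [ "$qg_elapsed" -ge "$qg_timeout" ]; then
      echo "quality gate timed out after ${qg_timeout}s" >&2
      return 1
    fi
    sleep "$qg_interval"
    qg_elapsed=$((qg_elapsed + qg_interval))
  done
}

# Hypothetical stand-in for `quality_gates.sh -o results ...`; always "done".
check_results_placeholder() { return 0; }

main() {
  # Fall back to constructed sample values when not running inside a pipeline.
  qg_collection="${SYSTEM_COLLECTIONURI:-https://dev.azure.com/myorg/}"
  qg_project="${SYSTEM_TEAMPROJECT:-MyProject}"
  qg_repo="${BUILD_REPOSITORY_NAME:-MyRepo}"
  qg_commit="${BUILD_SOURCEVERSION:-abc123def456}"

  qg_ref=$(build_repo_ref "$qg_collection" "$qg_project" "$qg_repo") \
    || { echo "could not derive organization from $qg_collection" >&2; return 1; }
  validate_repo_ref "$qg_ref" \
    || { echo "Invalid repository format: $qg_ref" >&2; return 1; }
  # Echo the derived reference when debugging, never the access token.
  echo "quality gate for $qg_ref at commit $qg_commit"
  poll_until 300 15 check_results_placeholder
}

# Run only on request so the functions can be sourced without side effects.
if [ "${QG_DEMO:-0}" = 1 ]; then main; fi
```

Run it with `QG_DEMO=1` to see the derived reference, or source it from the pipeline's bash step and call the functions before invoking `quality_gates.sh`. Two points worth keeping in mind: secret pipeline variables such as `ACCESS_TOKEN` are not placed in a script's environment automatically and have to be mapped into the step explicitly (for example through the step's `env:` block), and when you add echo statements to debug the extraction, print the derived reference and commit, never the token value.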
Pipeline fails silently
If the pipeline exits without clear error:
- Add `set -e` at the beginning of your script to fail on any error
- Add error handling:
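One error-handling pattern for the pipeline's bash step, as an added example that is not part of the CodeAnt docs or of `quality_gates.sh`: each command runs through a small wrapper that, on failure, writes an Azure DevOps `##vso[task.logissue type=error]` logging command (which the task log renders as an error annotation) and propagates the exit code so `set -e` stops the step. The `ERR` trap and `pipefail` are bash features, which the Azure Pipelines bash step provides; the two `run_step` calls use `true` as hypothetical placeholders for the real `-o start` and `-o results` invocations.

```shell
#!/usr/bin/env bash
# Added example (not part of the CodeAnt docs or quality_gates.sh): error
# handling for the pipeline's bash step, so that a failing command is reported
# in the Azure DevOps log as an error annotation instead of ending the step
# with nothing to explain it. Uses bash features (pipefail, the ERR trap).

# Azure DevOps logging command: the task log renders this line as an error.
vso_error() {
  printf '##vso[task.logissue type=error]%s\n' "$1"
}

# Run one named step; on failure, annotate the log with the exit code and
# propagate that code so `set -e` stops the script.
run_step() {
  qg_step=$1; shift
  if "$@"; then
    return 0
  else
    qg_rc=$?
    vso_error "step '$qg_step' failed with exit code $qg_rc"
    return "$qg_rc"
  fi
}

main() {
  set -euo pipefail        # exit on any error, unset variable, or failed pipeline stage
  trap 'vso_error "script aborted at line $LINENO"' ERR
  # Hypothetical placeholders for the real calls (quality_gates.sh -o start / -o results);
  # any non-zero exit here is logged and fails the step.
  run_step "start scan" true
  run_step "poll results" true
}

if [ "${QG_DEMO:-0}" = 1 ]; then main; fi
```

The wrapper keeps the original exit code, so a timeout (exit 1 from the polling) and a usage error remain distinguishable in the log, and the trap catches anything that escapes the wrapper, including a failing command substitution.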
Variable Groups Setup
To set up a Variable Group for reusable access tokens:
- Go to Pipelines → Library
- Click + Variable group
- Name it `CodeAnt-Variables`
- Add variable `ACCESS_TOKEN` with your personal access token
- Mark it as Secret
- Reference in your pipeline: