Installation

Before using CodeAnt Quality Gates in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:
  1. Go to the Azure DevOps Marketplace and search for “CodeAnt AI” or directly download from here
  2. Click Get it free
  3. Select your Azure DevOps organization
  4. Click Install
Once installed, the codeant-quality-gate task will be available in all pipelines across your organization.

Azure Pipelines Workflow

Add the following to your azure-pipelines.yml. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:
trigger:
  branches:
    include:
      - '*'

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: codeant-quality-gate@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      baseUrl: 'https://api.codeant.ai'
    displayName: 'CodeAnt Quality Gate'

With Optional Parameters

You can customize the timeout and polling interval:
steps:
  - checkout: self

  - task: codeant-quality-gate@1
    inputs:
      accessToken: $(ACCESS_TOKEN)
      baseUrl: 'https://api.codeant.ai'
      timeout: '300'
      pollInterval: '15'
    displayName: 'CodeAnt Quality Gate'
Important:
  • In Project → Pipelines → Library, add a secret variable named ACCESS_TOKEN with your personal access token or repo token.

How it works

  1. Setup environment
    The task extracts organization, project, and repository information from Azure DevOps built-in variables.
  2. Download script
    The task fetches the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  3. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  4. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  5. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the build

Script Parameters

The quality_gates.sh script accepts the following parameters:
Parameter             Description                                       Required  Example
-a, --access-token    Azure DevOps Personal Access Token                Yes       $(ACCESS_TOKEN)
-r, --repo            Repository in format org/project/repository       Yes       ${ORG}/${PROJECT}/${REPO}
-c, --commit-id       Commit SHA to scan                                Yes       $(Build.SourceVersion)
-s, --service         VCS provider                                      Yes       azuredevops
-o, --operation       Operation to perform (start or results)           Yes       start or results
-t, --timeout         Timeout in seconds for polling (default: 300)     No        300
-p, --poll-interval   Poll interval in seconds (default: 15)            No        15
-u, --base-url        Base URL for VCS service (optional)               No        https://dev.azure.com
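The "How it works" steps and the parameter table above describe a start-then-poll flow driven by the pipeline's built-in variables. The script below is an added example, not CodeAnt's task or its quality_gates.sh: it derives the org/project/repository slug and runs a bounded polling loop. It assumes (not stated on the page) that the organization is the last path segment of SYSTEM_COLLECTIONURI and that the results command exits 0 when the gate passes, 2 while the scan is still running, and anything else when the gate fails.

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's own task or script). Assumed contract for the
# polled command: exit 0 = gate passed, 2 = still scanning, other = gate failed.

# Step 1: build org/project/repository from the Azure DevOps built-in variables.
build_repo_slug() {
  local uri="${SYSTEM_COLLECTIONURI:?SYSTEM_COLLECTIONURI not set}"
  local project="${SYSTEM_TEAMPROJECT:?SYSTEM_TEAMPROJECT not set}"
  local repo="${BUILD_REPOSITORY_NAME:?BUILD_REPOSITORY_NAME not set}"
  uri="${uri%/}"              # drop trailing slash: https://dev.azure.com/<org>
  local org="${uri##*/}"      # assumption: org is the last path segment
  printf '%s/%s/%s\n' "$org" "$project" "$repo"
}

# Step 4: poll a results command until it passes, fails, or the timeout elapses.
# $1 = timeout seconds, $2 = poll interval seconds, $3.. = command to run.
# Returns 0 = passed, 1 = failed (e.g. secrets found), 3 = timed out.
poll_results() {
  local timeout="$1" interval="$2"; shift 2
  local waited=0 rc
  while :; do
    if "$@"; then rc=0; else rc=$?; fi   # immune to set -e in the caller
    case "$rc" in
      0) return 0 ;;   # scan finished, no secrets on the changed lines
      2) ;;            # scan still running: keep polling
      *) return 1 ;;   # gate failed or the script itself errored
    esac
    if [ "$waited" -ge "$timeout" ]; then
      echo "Quality gate timed out after ${timeout}s" >&2
      return 3
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Wiring it to the real script with the page's parameters (commented out because
# it needs network access and a valid token); 300/15 are the documented defaults.
# REPO="$(build_repo_slug)"
# ./quality_gates.sh -a "$ACCESS_TOKEN" -r "$REPO" -c "$BUILD_SOURCEVERSION" \
#   -s azuredevops -o start
# poll_results 300 15 ./quality_gates.sh -a "$ACCESS_TOKEN" -r "$REPO" \
#   -c "$BUILD_SOURCEVERSION" -s azuredevops -o results
```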

Quality Gate Checks

The quality gate performs comprehensive checks including:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any secrets are found

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block builds: Configure branch policies to require quality gate pipeline success before merging
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use Azure DevOps Variable Groups or Pipeline Variables
  5. Use variable groups: Store your ACCESS_TOKEN in a Variable Group for reuse across pipelines
  6. Set appropriate timeouts: Adjust timeout values based on your repository size and complexity
  7. Monitor performance: Track how long quality gate checks take and optimize if needed

Troubleshooting

Task not found

If you see “Task ‘codeant-quality-gate’ not found”:
  • Ensure the CodeAnt extension is installed in your Azure DevOps organization
  • Go to Organization Settings → Extensions to verify installation
  • Check that the extension is enabled for your project

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using timeout: '600' (10 minutes)
  • Check if the CodeAnt service is operational
  • Consider optimizing your repository size
  • Review your network connectivity to the CodeAnt API

Authentication failures

If you see “Access token invalid” or “ACCESS_TOKEN is required”:
  • Verify your ACCESS_TOKEN variable is correctly configured in Pipeline Variables or Variable Groups
  • Ensure the token has appropriate repository permissions
  • Check that the variable is marked as secret
  • Verify the token hasn’t expired

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Azure DevOps organization has proper integration with CodeAnt
  • Check the CodeAnt dashboard to see if the scan was registered

Repository format issues

If you see “Invalid repository format” or “Required Azure DevOps variables not found”:
  • Verify that environment variables are being set correctly
  • Check that BUILD_REPOSITORY_NAME, BUILD_SOURCEVERSION, and SYSTEM_TEAMPROJECT are available
  • The task expects repository format: organization/project/repository
  • Add debugging by checking the task logs for environment variable values

Pipeline fails silently

If the pipeline exits without clear error:
  • Add set -e at the beginning of your script to fail on any error
  • Add explicit error handling around the script call:
    ./quality_gates.sh ... || { echo "Quality gate failed!"; exit 1; }

Extended Timeout for Large Repositories

For larger repositories that take longer to scan:
- task: codeant-quality-gate@1
  inputs:
    accessToken: $(ACCESS_TOKEN)
    baseUrl: 'https://api.codeant.ai'
    timeout: '900'  # 15 minutes
    pollInterval: '30'  # Check every 30 seconds

With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Azure DevOps repositories.