
# Azure Pipelines

> Set up CodeAnt Quality Gates in your Azure DevOps CI Pipeline.

## Installation

Before using CodeAnt Quality Gates in your Azure Pipelines, you need to install the CodeAnt extension from the Azure DevOps Marketplace:

1. Go to the [Azure DevOps Marketplace](https://marketplace.visualstudio.com/) and search for "CodeAnt AI", or download it directly from the [extension page](https://marketplace.visualstudio.com/items?itemName=codeantai.codeant-azure-devops-extension).
2. Click **Get it free**
3. Select your Azure DevOps organization
4. Click **Install**

Once installed, the `CodeAntQualityGate@1` task will be available in all pipelines across your organization.

***

## Repository Scenarios

CodeAnt Quality Gate supports multiple repository configurations in Azure DevOps:

| Scenario       | Repository Location                               | Pipeline Location         | Configuration                                                                                           |
| -------------- | ------------------------------------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------- |
| **Scenario 1** | Azure Repos                                       | Azure DevOps              | Auto-detected (default)                                                                                 |
| **Scenario 2** | Azure Repos (TFS / Azure DevOps Server – on-prem) | Azure DevOps Server (TFS) | Requires explicit `service`, `repo`, `commitId`, and `baseUrl` inputs                                   |
| **Scenario 3** | GitHub                                            | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |
| **Scenario 4** | GitLab                                            | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |
| **Scenario 5** | Bitbucket                                         | Azure DevOps              | Requires `service` and `repo` inputs. `commitId` auto-detected from `BUILD_SOURCEVERSION` if available. |

***

## Scenario 1: Azure Repos + Azure DevOps Pipeline

When your repository is hosted in Azure Repos:

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
  displayName: 'CodeAnt Quality Gate'
```

> **Note:** No additional configuration needed. The task automatically extracts information from these Azure DevOps built-in variables:
>
> * `SYSTEM_TEAMPROJECT` - Project name
> * `BUILD_REPOSITORY_NAME` - Repository name
> * `BUILD_SOURCEVERSION` - Commit SHA

***

## Scenario 2: Azure Repos (TFS / Azure DevOps Server – on-prem) + Azure DevOps Server (TFS) Pipeline

When your repository is hosted in an on-premise Azure DevOps Server (formerly known as Team Foundation Server / TFS), you need to explicitly pass all required parameters including the base URL.

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    service: 'azuredevops'
    repo: 'MyCollection/MyProject/MyRepository'
    commitId: '$(Build.SourceVersion)'
    baseUrl: 'https://tfs.example.com:8443/tfs'
  displayName: 'CodeAnt Quality Gate'
```

### Parameters for Azure DevOps Server (TFS)

| Parameter  | Value                              | Description                                                    |
| ---------- | ---------------------------------- | -------------------------------------------------------------- |
| `service`  | `azuredevops`                      | Specifies Azure DevOps as the repository provider              |
| `repo`     | `collection/project/repo`          | Repository in `collection/project/repository-name` format      |
| `commitId` | `$(Build.SourceVersion)`           | Commit SHA to analyze                                          |
| `baseUrl`  | `https://tfs.example.com:8443/tfs` | Base URL of your on-premise Azure DevOps Server / TFS instance |

> **Note:** For on-premise Azure DevOps Server / TFS deployments, all parameters must be provided explicitly, because the environment variables may differ from Azure DevOps Cloud.

***

## Scenario 3: GitHub Repository + Azure DevOps Pipeline

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN_GITHUB)
    service: 'github'
    repo: 'myorg/my-repo'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'
```

### Parameters for GitHub

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `github`                 | Specifies GitHub as the repository provider                                                       |
| `repo`     | `owner/repo`             | Repository in `owner/repository-name` format                                                      |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |

***

## Scenario 4: GitLab Repository + Azure DevOps Pipeline

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(ACCESS_TOKEN_GITLAB)
    service: 'gitlab'
    repo: 'mygroup/my-project'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'
```

### Parameters for GitLab

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `gitlab`                 | Specifies GitLab as the repository provider                                                       |
| `repo`     | `group/project`          | Repository in `group/project-name` or `user/project-name` format                                  |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |

***

## Scenario 5: Bitbucket Repository + Azure DevOps Pipeline

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(BITBUCKET_ACCESS_TOKEN)
    service: 'bitbucket'
    repo: 'myworkspace/my-repo'
    commitId: '$(Build.SourceVersion)'
  displayName: 'CodeAnt Quality Gate'
```

### Parameters for Bitbucket

| Parameter  | Value                    | Description                                                                                       |
| ---------- | ------------------------ | ------------------------------------------------------------------------------------------------- |
| `service`  | `bitbucket`              | Specifies Bitbucket as the repository provider                                                    |
| `repo`     | `workspace/repo`         | Repository in `workspace/repository-name` format                                                  |
| `commitId` | `$(Build.SourceVersion)` | Commit SHA to analyze. Auto-detected from `BUILD_SOURCEVERSION` if available, otherwise required. |

***

## Video Tutorial

Watch this video to learn how to integrate CodeAnt AI into your CI/CD pipelines:

[Video tutorial](https://www.tella.tv/video/integrate-code-ai-into-ci-cd-pipelines-1rev/embed)

***

## Azure Pipelines Workflow

Add the following to your `azure-pipelines.yml`. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:

```yaml
trigger:
  branches:
    include:
      - '*'

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - task: CodeAntQualityGate@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    displayName: 'CodeAnt Quality Gate'
```

### With Optional Parameters

You can customize the timeout and polling interval:

```yaml
steps:
  - checkout: self

  - task: CodeAntQualityGate@1
    inputs:
      accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
      timeout: '300'
      pollInterval: '15'
    displayName: 'CodeAnt Quality Gate'
```

> **Important:**
>
> * In **Project → Pipelines → Library**, add a **secret variable** named `AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN` with your Azure DevOps Personal Access Token (PAT).

## How it works

1. **Setup environment**\
   Extract organization, project, and repository information from Azure DevOps built-in variables.

2. **Download script**\
   We fetch the quality gates script (`quality_gates.sh`) from the CodeAnt API endpoint.

3. **Start scan**\
   The script initiates a quality gate scan for your commit using the `-o start` operation.

4. **Poll for results**\
   The script polls for scan results using the `-o results` operation with:
   * **Timeout**: 300 seconds (5 minutes)
   * **Poll interval**: 15 seconds

5. **Pipeline feedback**
   * **Success**: Quality gate passes if no secrets are detected
   * **Failure**: Quality gate fails if secrets are found, blocking the build

## Quality Gate Checks

The quality gate performs comprehensive checks including:

### Security and Code Quality Checks

* **Secret Detection**: Scans for hardcoded secrets, API keys, passwords, and tokens
* **SAST (Static Application Security Testing)**: Detects security vulnerabilities in source code
* **SCA (Software Composition Analysis)**: Identifies vulnerabilities in third-party dependencies
* **IaC (Infrastructure as Code)**: Scans infrastructure configuration files for security issues
* **Duplicate Code Detection**: Identifies code duplication to improve maintainability
* Analyzes only the changed lines since your merge base commit
* Uses high-confidence detection to minimize false positives
* Blocks the build if any issues are found

## Best Practices

1. **Run on all branches**: Quality gates should run on every push to catch issues early
2. **Block builds**: Configure branch policies to require quality gate pipeline success before merging
3. **Review failures**: When quality gates fail, review the detected issues immediately
4. **Keep tokens secure**: Never commit access tokens directly - always use Azure DevOps Variable Groups or Pipeline Variables
5. **Use variable groups**: Store your `AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN` in a Variable Group for reuse across pipelines
6. **Set appropriate timeouts**: Adjust timeout values based on your repository size and complexity
7. **Monitor performance**: Track how long quality gate checks take and optimize if needed

***

## Troubleshooting

### Task not found

If you see "Task 'codeant-quality-gate' not found":

* Ensure the CodeAnt extension is installed in your Azure DevOps organization
* Go to **Organization Settings → Extensions** to verify installation
* Check that the extension is enabled for your project

### Quality gate times out

If the scan takes longer than expected:

* Increase the timeout using `timeout: '600'` (10 minutes)
* Check if the CodeAnt service is operational
* Consider optimizing your repository size
* Review your network connectivity to the CodeAnt API

### Authentication failures

If you see "Access token invalid" or "Access token  is required":

* Verify your `AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN` variable is correctly configured in Pipeline Variables or Variable Groups
* Ensure the token has appropriate repository permissions
* Check that the variable is marked as secret
* Verify the token hasn't expired

### No results returned

If the scan completes but returns no results:

* Check that quality gates are enabled for your repository in CodeAnt
* Verify the commit SHA is correct
* Ensure your Azure DevOps organization has proper integration with CodeAnt
* Check the CodeAnt dashboard to see if the scan was registered

### Repository format issues

If you see "Invalid repository format" or "Required Azure DevOps variables not found":

* Verify that environment variables are being set correctly
* Check that `BUILD_REPOSITORY_NAME`, `BUILD_SOURCEVERSION`, and `SYSTEM_TEAMPROJECT` are available
* The task expects repository format: `organization/project/repository`
* Add debugging by checking the task logs for environment variable values
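
A preflight check for the authentication and repository format failures above, as an added example that is not CodeAnt's code. It validates the `repo` shape per `service`, the commit SHA and the built-in variables, and flags a token that is empty or still the literal `$(NAME)` text that Azure Pipelines leaves in place when a variable is undefined. `ACCESS_TOKEN` is a hypothetical environment variable name that a script step would map the secret to, and the function names are illustrative.

```bash
# Added example, not CodeAnt's code: preflight for CodeAntQualityGate@1 inputs.
# ACCESS_TOKEN is a hypothetical env name the step maps the secret variable to.

# Print the number of '/'-separated segments in $1, or 0 if any is empty.
segments() (
  case "$1" in ''|/*|*/|*//*) echo 0; exit ;; esac
  set -f; IFS=/            # split on '/' with globbing disabled
  set -- $1
  echo $#
)

# Succeed if REPO ($2) has the shape this page documents for SERVICE ($1).
valid_repo() {
  n=$(segments "$2")
  case "$1" in
    azuredevops)      [ "$n" -eq 3 ] ;;  # collection/project/repo
    github|bitbucket) [ "$n" -eq 2 ] ;;  # owner/repo, workspace/repo
    gitlab)           [ "$n" -ge 2 ] ;;  # group/project; deeper paths allowed (assumption)
    *)                return 1 ;;
  esac
}

# Succeed if $1 is a full 40-character hex commit id (SHA-1 assumed).
valid_commit() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# preflight [SERVICE REPO [COMMIT]]: print each problem, return 1 if any.
# Reports on the token's state but never echoes its value.
preflight() {
  rc=0
  case "${ACCESS_TOKEN:-}" in
    '')       echo "access token is empty"; rc=1 ;;
    '$('*')') echo "access token variable was not resolved"; rc=1 ;;
  esac
  if [ -z "${1:-}" ]; then  # Scenario 1: the task reads the built-ins itself
    for v in SYSTEM_TEAMPROJECT BUILD_REPOSITORY_NAME BUILD_SOURCEVERSION; do
      eval "[ -n \"\${$v:-}\" ]" || { echo "$v is not set"; rc=1; }
    done
  else
    valid_repo "$1" "${2:-}" || { echo "repo does not match the format for '$1'"; rc=1; }
  fi
  valid_commit "${3:-${BUILD_SOURCEVERSION:-}}" ||
    { echo "commit id is missing or not a 40-character hex SHA"; rc=1; }
  return "$rc"
}
```

Call `preflight` with no arguments for Scenario 1, or as `preflight github myorg/my-repo` for an external repository, in a script step before the task, and fail the step on a non-zero return.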

### Pipeline fails silently

If the pipeline exits without a clear error:

* Add `set -e` at the beginning of your script to fail on any error
* Add error handling:
  ```bash
  ./quality_gates.sh ... || { echo "Quality gate failed!"; exit 1; }
  ```

## Extended Timeout for Large Repositories

For larger repositories that take longer to scan:

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    timeout: '900'  # 15 minutes
    pollInterval: '30'  # Check every 30 seconds
```

***

## Windows Runner Configuration

If you're using a Windows runner (`windows-latest`) instead of a Linux runner, make the following change:

### Change Required

**Update pool configuration:**

```yaml
pool:
  vmImage: 'windows-latest'  # Change from 'ubuntu-latest'
```

### Key Difference

| Configuration | Linux Runner               | Windows Runner              |
| ------------- | -------------------------- | --------------------------- |
| Pool Image    | `vmImage: 'ubuntu-latest'` | `vmImage: 'windows-latest'` |

***

## On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the `apiBase` parameter:

```yaml
- task: CodeAntQualityGate@1
  inputs:
    accessToken: $(AZURE_DEVOPS_PERSONAL_ACCESS_TOKEN)
    apiBase: 'https://your-codeant-instance.example.com'
  displayName: 'CodeAnt Quality Gate (On-Premise)'
```

> **Note:** The `apiBase` parameter is only required for on-premise deployments. Cloud users do not need to configure this.

***

With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Azure DevOps repositories.
