# Cerbi Scanner — Azure DevOps Extension

Scan your repository for logging governance violations directly in your Azure DevOps pipeline. Powered by Cerbi.Scanner — a read-only, multi-language static analysis tool for logging hygiene.
## What it detects

| Rule | Description |
|---|---|
| SensitiveField | Logs containing passwords, tokens, SSNs, credit card numbers, or other PII |
| MissingRequiredField | Logging calls missing fields required by your governance profile |
| DisallowedField | Fields explicitly banned from appearing in logs |
| RawBodyOrPayload | HTTP request/response bodies or raw payloads logged verbatim |
| RiskyObjectDestructuring | Entire objects serialized into log messages (e.g. `{@user}`) |
| DynamicTemplateOrSerialized | Dynamic log templates that may bypass governance rules |
## Supported languages

- C# / .NET (Serilog, MEL, NLog, log4net)
- Go (zap, zerolog)
- Java (Log4j2, Logback)
- Node / TypeScript (Winston, Pino)
- Python (standard logging)
## Installation

Install from the Visual Studio Marketplace.

Or install privately for testing:

```shell
tfx extension install --vsix cerbi-scanner-*.vsix --service-url https://dev.azure.com/your-org
```
## Pipeline usage

### Minimal — SARIF report only (never fails the build)

```yaml
- task: CerbiScan@1
  displayName: Cerbi Governance Scan
```

### Fail on high-severity violations

```yaml
- task: CerbiScan@1
  displayName: Cerbi Governance Scan
  inputs:
    failOnSeverity: high
```

### Full configuration

```yaml
- task: CerbiScan@1
  displayName: Cerbi Governance Scan
  inputs:
    scanPath: $(Build.SourcesDirectory)
    outputFormat: sarif
    outputFile: $(Build.ArtifactStagingDirectory)/cerbi-scan.sarif
    failOnSeverity: high          # none | critical | high | medium | low
    noSnippets: true              # suppress source snippets in report
    scannerVersion: latest        # or pin e.g. 1.0.0
    additionalArguments: '--include **/*.cs'
```

### Publish SARIF to ADO Security tab

```yaml
- task: CerbiScan@1
  displayName: Cerbi Governance Scan
  inputs:
    outputFormat: sarif
    outputFile: $(Build.ArtifactStagingDirectory)/cerbi-scan.sarif

- task: PublishBuildArtifacts@1
  displayName: Publish Cerbi SARIF
  inputs:
    PathtoPublish: $(Build.ArtifactStagingDirectory)/cerbi-scan.sarif
    ArtifactName: cerbi-scan
  condition: always()
```
## Inputs

| Input | Default | Description |
|---|---|---|
| `scanPath` | `$(Build.SourcesDirectory)` | Directory to scan |
| `outputFormat` | `sarif` | `sarif` \| `json` \| `html` \| `console` |
| `outputFile` | `$(Build.ArtifactStagingDirectory)/cerbi-scan.sarif` | Output file path (ignored for `console`) |
| `failOnSeverity` | `none` | Minimum severity that fails the task: `none` \| `critical` \| `high` \| `medium` \| `low` |
| `noSnippets` | `true` | Suppress source code snippets in reports |
| `scannerVersion` | `latest` | Pin to a specific Cerbi.Scanner NuGet version |
| `additionalArguments` | (empty) | Extra flags passed directly to `cerbi-scanner audit` |
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Scan complete, no violations above threshold |
| 1 | Violations found at or above `failOnSeverity` |
| 2 | Scanner error (bad arguments, crash) |
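As an added example (not code from this extension or from Cerbi.Scanner), the following Python gate applies the `failOnSeverity` threshold to a SARIF report and returns the exit code documented above; it assumes the scanner records its severity label in each result's `properties.severity` (an assumption, not documented here) and runs on a constructed sample report.

```python
import json

# Severity ranking assumed for this example, built from the documented
# failOnSeverity values (critical is the most severe; "none" never fails).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def violations_at_or_above(sarif: dict, fail_on_severity: str) -> list:
    """Return the SARIF results whose severity meets the configured threshold."""
    if fail_on_severity == "none":
        return []
    if fail_on_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown failOnSeverity value: {fail_on_severity}")
    threshold = SEVERITY_RANK[fail_on_severity]
    hits = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            # Assumption: the scanner stores its own severity label in
            # result.properties.severity; SARIF "level" alone is too coarse.
            sev = str(result.get("properties", {}).get("severity", "")).lower()
            if SEVERITY_RANK.get(sev, 0) >= threshold:  # unknown labels never fail
                hits.append(result)
    return hits


def exit_code_for(sarif: dict, fail_on_severity: str) -> int:
    """Map a report to the task's documented exit codes: 0 clean, 1 violations."""
    return 1 if violations_at_or_above(sarif, fail_on_severity) else 0


def rule_counts(results: list) -> dict:
    """Tally failing results per ruleId for a one-line pipeline summary."""
    counts: dict = {}
    for r in results:
        counts[r.get("ruleId", "?")] = counts.get(r.get("ruleId", "?"), 0) + 1
    return counts


# Constructed sample report in the shape the gate expects; not real scanner output.
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "Cerbi.Scanner"}}, "results": [
    {"ruleId": "RiskyObjectDestructuring", "level": "warning", "properties": {"severity": "medium"},
     "message": {"text": "Entire object serialized into log message ({@user})"}},
    {"ruleId": "DynamicTemplateOrSerialized", "level": "note", "properties": {"severity": "low"},
     "message": {"text": "Dynamic log template may bypass governance rules"}}
  ]}]
}""")

if __name__ == "__main__":
    for threshold in ("none", "high", "medium", "low"):
        hits = violations_at_or_above(SAMPLE_SARIF, threshold)
        print(threshold, exit_code_for(SAMPLE_SARIF, threshold), rule_counts(hits))
```

With the sample report, `high` exits 0 because the worst finding is only `medium`, while `medium` and `low` exit 1.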
## Privacy & security

- Read-only: the scanner never writes to or modifies source files.
- No upload by default: findings stay local unless you explicitly configure CerbiShield upload.
- No snippets by default: source code is not embedded in reports unless `noSnippets: false`.
- No telemetry: telemetry is disabled in v1.
## Requirements

- Azure DevOps agent with .NET 8 SDK installed (or use the `UseDotNet@2` task first)
- Internet access to NuGet.org (to `dotnet tool install Cerbi.Scanner` on first run)

## Links