CodeThreat Security Scan for Azure DevOps
Comprehensive security scanning extension for Azure DevOps pipelines with AI-powered vulnerability analysis and multi-format reporting.
🛡️ Features
- 🔍 SAST (Static Application Security Testing) - Advanced source code vulnerability analysis
- 📦 SCA (Software Composition Analysis) - Dependency and license vulnerability scanning
- 🔐 Secrets Detection - Hardcoded credentials and API key detection
- 🏗️ Infrastructure as Code (IaC) - Infrastructure security scanning
- 🤖 AI-Powered Analysis - False positive elimination and intelligent insights
- 📊 Multiple Output Formats - SARIF, JSON, JUnit, CSV, XML support
- 🏢 On-Premises Compatible - Works in air-gapped and corporate environments
🚀 Quick Start
1. Install Extension
Install from the Azure DevOps Marketplace and add to your organization.
2. Create Variable Group
Create a variable group (Pipelines > Library) with your CodeThreat credentials and link it to the pipeline:

| Variable | Value | Secret |
|----------|-------|--------|
| CODETHREAT_API_KEY | Your API key | ✅ Yes |
| CODETHREAT_SERVER_URL | https://app.codethreat.com | No |
3. Add to Pipeline
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: 'CodeThreat-Variables'   # variable group holding the CodeThreat credentials

steps:
  - task: CodeThreatSecurityScan@1
    displayName: 'Security Scan'
    inputs:
      apiKey: '$(CODETHREAT_API_KEY)'        # secret variable, never inlined in YAML
      serverUrl: '$(CODETHREAT_SERVER_URL)'
      scanTypes: 'sast,sca,secrets'
      failOnCritical: true
      outputFormat: 'junit'
      outputFile: 'security-results.xml'

  # always() publishes the findings even when the scan task fails the build
  - task: PublishTestResults@2
    condition: always()
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: 'security-results.xml'
      testRunTitle: 'Security Analysis'
```
📋 Task Configuration
- API Key: Your CodeThreat API key (store as secret variable)
- Server URL: CodeThreat server URL (default: https://app.codethreat.com)
Scan Configuration
- Scan Types: Choose from SAST, SCA, Secrets, IaC (default: sast,sca,secrets)
- Wait for Completion: Synchronous or asynchronous execution (default: true)
- Timeout: Maximum scan time in minutes (default: 30)
- Poll Interval: Status check frequency in seconds (default: 10)
Build Protection
- Fail on Critical: Fail build if critical vulnerabilities found (default: true)
- Fail on High: Fail build if high severity vulnerabilities found (default: false)
- Max Violations: Maximum allowed violations before failing (default: 0 = no limit)
Output Options
- Output Format: JSON, SARIF, JUnit, CSV, XML (default: json)
- Output File: Results file path (default: codethreat-results.json)
📊 Pipeline Integration
Task Outputs
The task sets pipeline variables that later steps in the same job can read:

```yaml
- script: |
    echo "Violations: $(CodeThreat.ViolationCount)"
    echo "Critical: $(CodeThreat.CriticalCount)"
    echo "Security Score: $(CodeThreat.SecurityScore)/100"
    echo "Dashboard: $(CodeThreat.ScanUrl)"
  displayName: 'Security Summary'
```
Test Results Integration
```yaml
- task: PublishTestResults@2
  condition: always()
  inputs:
    testResultsFormat: 'JUnit'
    testResultsFiles: 'codethreat-results.xml'
    testRunTitle: 'CodeThreat Security Analysis'
```
🏢 Enterprise & On-Premises
Corporate Networks
```yaml
- task: CodeThreatSecurityScan@1
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: 'https://codethreat.yourcompany.com'   # Internal server
    cliVersion: '1.0.3'                                # Pin a specific version for stability
```
Self-Hosted Agents
Works seamlessly with:
- Linux self-hosted agents (amd64, arm64)
- Windows self-hosted agents (amd64)
- macOS self-hosted agents (Intel, Apple Silicon)
- Container-based agents with pre-installed CLI
Air-Gapped Environments
The extension supports completely offline environments:
- Pre-install CLI in agent images
- Use internal CodeThreat server
- No external downloads required during execution
🎯 Advanced Usage
Multi-Stage Security Pipeline
```yaml
stages:
  - stage: SecurityScan
    jobs:
      - job: ComprehensiveScan
        steps:
          - task: CodeThreatSecurityScan@1
            inputs:
              apiKey: '$(CODETHREAT_API_KEY)'
              serverUrl: '$(CODETHREAT_SERVER_URL)'
              scanTypes: 'sast,sca,secrets,iac'
              outputFormat: 'sarif'
              failOnCritical: true

  - stage: QualityGate
    dependsOn: SecurityScan
    jobs:
      - job: SecurityEvaluation
        steps:
          # Azure Pipelines scopes task-set variables to the job that set them; reading
          # one in a later stage requires it to be published as an output variable and
          # referenced through a stageDependencies expression. If the macro is undefined
          # here, "$(CodeThreat.SecurityScore)" is left as literal text and the integer
          # comparison below errors out.
          - script: |
              # A warning only annotates the run; it does not fail the stage, so the
              # Deploy stage's succeeded() condition is still met. Use `exit 1` to block.
              if [ "$(CodeThreat.SecurityScore)" -lt "80" ]; then
                echo "##vso[task.logissue type=warning]Security score below threshold"
              fi

  - stage: Deploy
    dependsOn: QualityGate
    condition: succeeded()
    jobs:
      - deployment: Production
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying secure application"
```
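The QualityGate stage above only inspects a score variable. A stricter gate reads the SARIF file the scan stage wrote and fails the job when a per-severity budget is exceeded, the same policy the task's Fail on Critical, Fail on High and Max Violations inputs express, but enforceable in any later stage. The script below is an added example, not code from the CodeThreat extension or its documentation. It relies only on standard SARIF 2.1.0 fields (`level`, `suppressions`) plus the optional `security-severity` result property popularised by GitHub code scanning; whether CodeThreat's SARIF carries that property is an assumption, and the embedded findings are constructed, not real scanner output.

```python
"""Severity gate over a SARIF 2.1.0 results file (added example, not CodeThreat code).

Assumptions not taken from the extension docs:
  * every result has the standard SARIF `level` ("error" | "warning" | "note" | "none");
  * a result MAY carry properties["security-severity"], a CVSS-style numeric string,
    which overrides `level` when present.
"""
import json
import sys
from collections import Counter
from typing import List, Optional

LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_of(result: dict) -> str:
    """Bucket one SARIF result as critical / high / medium / low."""
    raw = (result.get("properties") or {}).get("security-severity")
    try:
        score = float(raw)
    except (TypeError, ValueError):
        score = None  # property absent or not numeric: fall back to `level`
    if score is not None:
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low"
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "low")


def is_suppressed(result: dict) -> bool:
    """A suppression whose status is 'accepted' (the SARIF default when absent) hides a result."""
    return any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", []))


def count_by_severity(sarif: dict) -> Counter:
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            if is_suppressed(result):
                continue  # triaged findings do not consume the budget
            counts[severity_of(result)] += 1
    return counts


def evaluate_gate(counts: Counter, max_critical: int = 0, max_high: Optional[int] = None,
                  max_total: Optional[int] = None) -> List[str]:
    """Return the violated budgets; an empty list means the gate passes. None = unlimited."""
    reasons = []
    if counts["critical"] > max_critical:
        reasons.append(f"critical findings {counts['critical']} > budget {max_critical}")
    if max_high is not None and counts["high"] > max_high:
        reasons.append(f"high findings {counts['high']} > budget {max_high}")
    total = sum(counts.values())
    if max_total is not None and total > max_total:
        reasons.append(f"total findings {total} > budget {max_total}")
    return reasons


# Constructed sample (not real scanner output) so the script runs offline.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "properties": {"security-severity": "9.8"}},          # critical
            {"ruleId": "hardcoded-secret", "level": "error"},       # high (from level)
            {"ruleId": "weak-hash", "level": "warning",
             "properties": {"security-severity": "5.3"}},          # medium
            {"ruleId": "verbose-error-page", "level": "note"},      # low
            {"ruleId": "xss", "level": "error",
             "properties": {"security-severity": "9.1"},
             "suppressions": [{"kind": "inSource"}]},               # triaged: skipped
        ],
    }],
}


def run_gate(sarif: dict, **budgets) -> int:
    """Print counts, emit Azure Pipelines logging commands, return the step's exit code."""
    counts = count_by_severity(sarif)
    for sev in ("critical", "high", "medium", "low"):
        print(f"{sev}: {counts[sev]}")
    reasons = evaluate_gate(counts, **budgets)
    for reason in reasons:
        print(f"##vso[task.logissue type=error]{reason}")
    if reasons:
        # A non-zero exit fails the step, which blocks any stage conditioned on succeeded().
        print("##vso[task.complete result=Failed;]Security gate failed")
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py codethreat-results.sarif   (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SARIF
    sys.exit(run_gate(data, max_critical=0, max_high=5))
```

Run it as a `script` step in the QualityGate job. Stages do not share a workspace, so publish the SARIF file as a pipeline artifact in the scan stage and download it in the gate job before invoking the script; the non-zero exit then fails the stage and the `condition: succeeded()` on Deploy holds the release back.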
Conditional Scanning
```yaml
# Scan only on main branch; serverUrl is omitted, so the default https://app.codethreat.com is used
- task: CodeThreatSecurityScan@1
  condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    scanTypes: 'sast,sca,secrets,iac'
    failOnCritical: true
    failOnHigh: true
```
🔧 Troubleshooting
Common Issues
"API key is required"
- Add CODETHREAT_API_KEY to the variable group
- Mark it as a secret variable
- Link the variable group to the pipeline
"CLI installation failed"
- Ensure Node.js is available on agent
- Check internet access for npm installation
- For on-premises: verify binary download URL
"Authentication failed"
- Verify API key validity
- Check server URL accessibility
- Ensure organization permissions
"Scan timeout"
- Increase the Timeout input for large repositories
- Use asynchronous scanning (Wait for Completion: false) for very large codebases; the task then returns before results exist, so that run cannot fail the build on findings
- Check repository size and scan complexity
📚 Documentation
🆘 Support
- Issues: Report issues on GitHub
- Documentation: Comprehensive guides available
- Email Support: support@codethreat.com
- Community: Join our community discussions
CodeThreat Security Scan - Professional security analysis for Azure DevOps pipelines with AI-powered insights and comprehensive vulnerability detection.