Qodana is a code quality monitoring tool that identifies and suggests fixes for bugs, security vulnerabilities,
duplications, and imperfections.
Qodana Scan is an Azure Pipelines task packed inside the Qodana Azure Pipelines extension to scan your code with Qodana.
After you've installed the Qodana Azure Pipelines extension in your organization, to configure the Qodana Scan task, edit your
```yaml
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
steps:
  - task: Cache@2  # Not required, but Qodana will open projects with cache faster.
    inputs:
      key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
      path: <Qodana cache directory>  # placeholder: the directory Qodana stores its caches in
      restoreKeys: |
        "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
  - task: QodanaScan@2023
```
Triggering this job depends on what type of repository you are using in Azure Pipelines.
The task can be run on any OS and on x86_64/arm64 CPUs, but it requires the agent to have Docker installed.
Since most of the Qodana Docker images are Linux-based, the Docker daemon must be able to run Linux containers.
To send the results to Qodana Cloud, all you need to do is to specify the QODANA_TOKEN environment variable in the build configuration.
- In the Azure Pipelines UI, create the QODANA_TOKEN secret variable and save the project token as its value.
- In the Azure pipeline file, add the QODANA_TOKEN variable to the env section of the QodanaScan task:

```yaml
- task: QodanaScan@2023
  env:
    QODANA_TOKEN: $(QODANA_TOKEN)
```
After the token is set for analysis, all Qodana Scan job results will be uploaded to your Qodana Cloud project.
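A check for the two token steps above, as an added example that is not part of the Qodana documentation: a standard-library Python script that reports, for each QodanaScan task in a pipeline file, whether QODANA_TOKEN is mapped from a pipeline variable, written as a literal, or absent. The function name audit_token_mapping and the sample pipeline are constructed for illustration, and the line-based parser assumes each step starts with a `- key:` entry.

```python
import re

STEP_RE = re.compile(r"^\s*-\s*(\w+):\s*(\S*)")
TOKEN_RE = re.compile(r"^\s*QODANA_TOKEN:\s*(.*?)(?:\s+#.*)?\s*$")
MACRO_RE = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")  # $(NAME) variable reference

# Constructed sample pipeline, not taken from the Qodana documentation.
SAMPLE = """\
steps:
  - task: QodanaScan@2023
    env:
      QODANA_TOKEN: $(QODANA_TOKEN)
  - task: Cache@2
  - task: QodanaScan@2023
    env:
      QODANA_TOKEN: 'constructed-literal-value'  # committed to the repo
  - task: QodanaScan@2023
"""


def audit_token_mapping(pipeline_text):
    """Return (line_number, verdict) for every QodanaScan task.

    'ok'        QODANA_TOKEN is taken from a pipeline variable
    'hardcoded' a literal value sits in the pipeline file
    'missing'   the task has no QODANA_TOKEN entry
    """
    findings, current = [], None
    for number, line in enumerate(pipeline_text.splitlines(), start=1):
        step = STEP_RE.match(line)
        if step:  # a new step starts: close the task being read, if any
            if current:
                findings.append(tuple(current))
            is_qodana = step.group(1) == "task" and step.group(2).startswith("QodanaScan@")
            current = [number, "missing"] if is_qodana else None
            continue
        token = TOKEN_RE.match(line)
        if current and token:
            value = token.group(1).strip("'\"")
            if value:
                current[1] = "ok" if MACRO_RE.match(value) else "hardcoded"
    if current:
        findings.append(tuple(current))
    return findings


if __name__ == "__main__":
    for number, verdict in audit_token_mapping(SAMPLE):
        print(f"line {number}: QodanaScan task -> {verdict}")
```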
SARIF SAST Scans Tab
To display the Qodana report summary in the 'Scans' tab of the Azure DevOps UI, install Microsoft DevLabs' SARIF SAST Scans Tab extension.
You probably won't need options other than args: all other options can be helpful if you are configuring multiple Qodana Scan jobs in one workflow.
- Additional Qodana CLI scan command arguments, split the arguments with commas (,), for example
- Directory to store the analysis results. Optional.
- Upload Qodana results as an artifact to the job. Optional.
- Upload qodana.sarif.json as a qodana.sarif artifact to the job. Optional.
- Specify Qodana results artifact name, used for results uploading. Optional.
- Directory to store Qodana caches. Optional.
All the issues, feature requests, and support related to the Qodana Azure Pipelines extension are handled on YouTrack.
If you'd like to file a new issue, please use the link YouTrack | New Issue.