Run Cycode security scans (Secrets, SAST, SCA, IaC) in Azure Pipelines and view an aggregated HTML report in a build results tab.

Cycode Azure DevOps Extension

The Cycode Azure DevOps Extension brings Cycode security scanning into your Azure Pipelines, helping teams adopt a shift-left strategy by catching security issues early in the development lifecycle — before they reach production, where they are far more costly to fix.

The extension runs the Cycode CLI as a pipeline task, scans your code for exposed secrets, open-source vulnerabilities, infrastructure misconfigurations, and code-security issues, and publishes an aggregated report to a dedicated tab on the build results page.

Features

The Cycode Azure DevOps Extension provides features such as:

  • Cycode Security Scan task that scans your repository for:
    • Hardcoded Secrets
    • Open-source Threats (SCA)
    • Infrastructure as Code (IaC)
    • Code Security (SAST)
  • Running one scan type, a comma-separated subset, or all of them in a single task.
  • Three scan modes — scan a path, a repository, or a commit range (commit-history).
  • An aggregated HTML report across all scan types, shown in the Cycode Security Scan tab on the build results page, with severity, location, and rule details for every finding.
  • Pipeline gating — optionally fail the build when findings meet or exceed a chosen severity.
  • The Cycode CLI is downloaded automatically, pinned to a known version, and verified by SHA-256 — no Python or pip required on the build agent.

Installation

To install the Cycode Azure DevOps Extension, follow these steps:

  1. Open the Cycode extension on the Visual Studio Marketplace.
  2. Click Get it free.
  3. Select the Azure DevOps organization to install it into, and click Install.
  4. Wait for the installation to complete. The Cycode tasks are now available to your pipelines.

Authentication

The extension authenticates to Cycode with an API client ID and secret. The recommended way to supply them is a Cycode service connection, which is region-aware.

To create a Cycode service connection:

  1. In your Azure DevOps project, go to Project settings → Service connections.
  2. Click New service connection and choose Cycode.
  3. Select your Region (US, EU, or Custom). For Custom, provide your own API and App URLs (for on-premises Cycode deployments — ask your admin for the relevant URLs).
  4. Enter your Cycode Client ID and Client Secret, name the connection (e.g. Cycode), and save it.

You can generate an API client ID and secret in the Cycode portal.

If you prefer not to use a service connection, you can pass the credentials as secret pipeline variables instead (see Usage below).

Usage

Add the Cycode Security Scan task to your pipeline. Using a service connection (recommended):

- task: cycodescan@1
  inputs:
    connectedServiceName: 'Cycode' # the name of your Cycode service connection
    scanType: 'all'
    scanMode: 'path'
    severityThreshold: 'High'
    breakPipeline: true

Without a service connection, pass credentials as secret pipeline variables instead:

- task: cycodescan@1
  inputs:
    cycodeClientId: $(CYCODE_CLIENT_ID) # store as a secret pipeline variable
    cycodeClientSecret: $(CYCODE_CLIENT_SECRET) # store as a secret pipeline variable
    scanType: 'all'
    scanMode: 'path'
    severityThreshold: 'High'
    breakPipeline: true

To scan a commit range, use commit-history mode and pass the range through scanArguments:

- task: cycodescan@1
  inputs:
    connectedServiceName: 'Cycode'
    scanMode: 'commit-history'
    scanArguments: '-r $(System.PullRequest.TargetBranch)..HEAD'

Viewing Scan Results

  1. Open the pipeline run on the build results page.
  2. Select the Cycode Security Scan tab to view the aggregated report — findings across all scan types, grouped and sorted by severity, with the file location and rule for each.

When gating is enabled, the pipeline fails if the scan reports findings at or above your chosen severity threshold; otherwise the run is marked succeeded with issues so results stay visible without blocking the pipeline.
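
The gating rule above, written out as an added example (not the extension's own code). The finding dictionaries and the gate function are hypothetical; treating a run with no findings at or above the threshold as a plain success, and counting unrecognised severity labels, are assumptions.

```python
"""Added illustration of the gating rule; not the extension's own code."""

# Severity labels in the order listed for severityThreshold, lowest first.
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]
RANK = {name.lower(): i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample findings; the dict shape is hypothetical.
SAMPLE_FINDINGS = [
    {"scan_type": "secret", "severity": "High", "file": "deploy/config.yml"},
    {"scan_type": "sca", "severity": "Medium", "file": "package-lock.json"},
    {"scan_type": "iac", "severity": "Low", "file": "infra/main.tf"},
    {"scan_type": "sast", "severity": "Info", "file": "src/app.py"},
]


def gate(findings, severity_threshold="High", break_pipeline=False):
    """Return (outcome, counted) for one run.

    outcome is an Azure Pipelines task result name; counted holds the
    findings whose severity is at or above the threshold.
    """
    threshold = RANK.get(severity_threshold.strip().lower())
    if threshold is None:
        raise ValueError(f"unknown severityThreshold: {severity_threshold!r}")
    counted = []
    for finding in findings:
        rank = RANK.get(str(finding.get("severity", "")).strip().lower())
        # Assumption: an unrecognised severity label is counted (fail closed)
        # rather than silently dropped from the gate.
        if rank is None or rank >= threshold:
            counted.append(finding)
    if not counted:
        # Assumption: nothing at or above the threshold is a clean success.
        return "Succeeded", counted
    # breakPipeline decides between blocking and merely flagging the run.
    return ("Failed" if break_pipeline else "SucceededWithIssues"), counted


if __name__ == "__main__":
    for threshold, gating in [("High", True), ("High", False), ("Critical", True)]:
        outcome, counted = gate(SAMPLE_FINDINGS, threshold, gating)
        print(f"severityThreshold={threshold} breakPipeline={gating} -> "
              f"{outcome} ({len(counted)} counted)")
```

With the default breakPipeline of false, the same High finding only flags the run, so a pipeline meant to block merges has to set breakPipeline: true explicitly.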

Task Inputs

Cycode Security Scan (cycodescan)

| Input | Default | Description |
| --- | --- | --- |
| connectedServiceName | — | Recommended. Cycode service connection (region-aware). When set, it supplies the credentials and API/App URLs. |
| cycodeClientId | — | Cycode API client ID. Fallback when no service connection is set (or the CYCODE_CLIENT_ID environment variable). |
| cycodeClientSecret | — | Cycode API client secret. Fallback when no service connection is set (or CYCODE_CLIENT_SECRET). |
| apiUrl | https://api.cycode.com | Cycode API endpoint. Override for on-premises deployments. |
| appUrl | https://app.cycode.com | Cycode app URL used to build report links. |
| scanType | all | all, or a comma-separated subset of secret, sast, sca, iac. |
| scanMode | path | path, repository, or commit-history. |
| scanPath | $(Build.SourcesDirectory) | Path passed to the scan command. |
| scanArguments | — | Extra Cycode CLI scan arguments (e.g. a -r main..HEAD range for commit-history). |
| severityThreshold | High | Minimum severity counted for gating: Info, Low, Medium, High, or Critical. |
| breakPipeline | false | Fail the task when findings meet or exceed the severity threshold. |
| generateReport | true | Attach the aggregated HTML report; when false, emit a console summary only. |
| debug | false | Run the CLI in verbose mode for troubleshooting. Logs never contain secrets. |

Support

If you encounter any issues or have any questions about the Cycode Azure DevOps Extension, please reach out to the Cycode support team at support@cycode.com.

Contributing

Contributions are welcome. See CONTRIBUTION.md for build, test, and packaging instructions, and AGENTS.md for the architecture and contributor guide.

License

The Cycode Azure DevOps Extension is released under the MIT license.
