Cycode Azure DevOps Extension
The Cycode Azure DevOps Extension brings Cycode security scanning into your Azure Pipelines, helping teams adopt a shift-left strategy by catching security issues early in the development lifecycle — before they reach production, where they are far more costly to fix. The extension runs the Cycode CLI as a pipeline task, scans your code for exposed secrets, open-source vulnerabilities, infrastructure misconfigurations, and code-security issues, and publishes an aggregated report to a dedicated tab on the build results page.
Features
The Cycode Azure DevOps Extension provides functionalities such as:
Installation
To install the Cycode Azure DevOps Extension, follow these steps:
Authentication
The extension authenticates to Cycode with an API client ID and secret. The recommended way to supply them is a Cycode service connection, which is region-aware. To create a Cycode service connection:
If you prefer not to use a service connection, you can pass the credentials as secret pipeline variables instead (see Usage below).
Usage
Add the Cycode Security Scan task to your pipeline. Using a service connection (recommended):
Without a service connection, pass credentials as secret pipeline variables instead:
To scan a commit range, use
Viewing Scan Results
When gating is enabled, the pipeline fails if the scan reports findings at or above your chosen severity threshold; otherwise the run is marked succeeded with issues so results stay visible without blocking the pipeline.
Task Inputs
Cycode Security Scan (
| Input | Default | Description |
|---|---|---|
| connectedServiceName | — | Recommended. Cycode service connection (region-aware). When set, it supplies the credentials and API/App URLs. |
| cycodeClientId | — | Cycode API client ID. Fallback when no service connection is set (or the CYCODE_CLIENT_ID environment variable). |
| cycodeClientSecret | — | Cycode API client secret. Fallback when no service connection is set (or CYCODE_CLIENT_SECRET). |
| apiUrl | https://api.cycode.com | Cycode API endpoint. Override for on-premises deployments. |
| appUrl | https://app.cycode.com | Cycode app URL used to build report links. |
| scanType | all | all, or a comma-separated subset of secret, sast, sca, iac. |
| scanMode | path | path, repository, or commit-history. |
| scanPath | $(Build.SourcesDirectory) | Path passed to the scan command. |
| scanArguments | — | Extra Cycode CLI scan arguments (e.g. a -r main..HEAD range for commit-history). |
| severityThreshold | High | Minimum severity counted for gating: Info, Low, Medium, High, or Critical. |
| breakPipeline | false | Fail the task when findings meet or exceed the severity threshold. |
| generateReport | true | Attach the aggregated HTML report; when false, emit a console summary only. |
| debug | false | Run the CLI in verbose mode for troubleshooting. Logs never contain secrets. |
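
A pre-merge check over the task inputs documented above, as an added example (not code from the extension or from Cycode): `check_inputs` is a hypothetical helper that takes one task's already-parsed `inputs:` mapping and reports credentials written as literals, values outside the documented sets, and a gate left in report-only mode. The sample inputs and the `cycode-prod` connection name are constructed.

```python
import re

# Allowed values as documented in the Task Inputs table.
SCAN_TYPES = {"secret", "sast", "sca", "iac"}
SCAN_MODES = {"path", "repository", "commit-history"}
SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")
# Azure Pipelines macro syntax, e.g. $(CYCODE_CLIENT_SECRET).
MACRO = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")


def check_inputs(inputs):
    """Return findings for one task's `inputs:` mapping (hypothetical helper)."""
    findings = []
    if not inputs.get("connectedServiceName"):
        # Fallback path: a credential given inline must reference a variable.
        for key in ("cycodeClientId", "cycodeClientSecret"):
            value = inputs.get(key)
            if value and not MACRO.match(str(value)):
                findings.append(f"{key}: literal value in YAML, use a secret variable")
    scan_type = str(inputs.get("scanType", "all"))
    parts = {p.strip() for p in scan_type.split(",")}
    if scan_type != "all" and not parts <= SCAN_TYPES:
        findings.append(f"scanType: unknown value(s) {sorted(parts - SCAN_TYPES)}")
    if inputs.get("scanMode", "path") not in SCAN_MODES:
        findings.append("scanMode: must be path, repository or commit-history")
    if inputs.get("severityThreshold", "High") not in SEVERITIES:
        findings.append("severityThreshold: must be one of " + ", ".join(SEVERITIES))
    # A YAML parser may yield a bool or a string here; normalise before comparing.
    if str(inputs.get("breakPipeline", "false")).lower() != "true":
        findings.append("breakPipeline: false, findings will not fail the run")
    return findings


# Constructed sample inputs, not taken from a real pipeline.
REPORT_ONLY = {"cycodeClientId": "$(CYCODE_CLIENT_ID)",
               "cycodeClientSecret": "constructed-literal-secret",
               "scanType": "secret,dast"}
GATED = {"connectedServiceName": "cycode-prod", "scanType": "secret,sca",
         "severityThreshold": "High", "breakPipeline": True}

if __name__ == "__main__":
    for name, sample in (("REPORT_ONLY", REPORT_ONLY), ("GATED", GATED)):
        print(name, check_inputs(sample) or "ok")
```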
Support
If you encounter any issues or have any questions about the Cycode Azure DevOps Extension, please reach out to the Cycode support team at support@cycode.com.
Contributing
Contributions are welcome. See CONTRIBUTION.md for build, test, and packaging instructions, and AGENTS.md for the architecture and contributor guide.
License
The Cycode Azure DevOps Extension is released under the MIT license.