ConfigDiff Studio for Azure DevOps
Catch configuration drift before it reaches production.
ConfigDiff Studio for Azure DevOps adds the GatewayLabs Scan task to Azure Pipelines so teams can compare pipeline and deployment state against a ConfigDiff Studio baseline, fail release gates when risky drift is detected, and feed automation health back into the product.
This Marketplace listing is a public preview. The extension is free to install; workflow access is enforced by your ConfigDiff Studio subscription.
What you get
- repo-backed drift scans inside Azure DevOps pipelines
- configurable gate failures by severity, change count, or validation warnings
- PR status publishing through ConfigDiff Studio
- run and HTML report URLs as pipeline outputs
- automation inventory visibility inside ConfigDiff Studio for Azure DevOps and self-hosted endpoints
Best fit
This extension is built for teams that:
- use Azure DevOps Services or Azure DevOps Server
- manage
.NET, IIS, or environment-specific config through Azure Repos or connected repositories
- want release gates that understand baseline drift instead of only raw file diffs
- need private-network or self-hosted rollout paths
Before you start
You need:
- a ConfigDiff Studio workspace
- a project created in ConfigDiff Studio
- the project ID
- a project-scoped automation token from
Studio -> Projects -> [project] -> Automation Token
Recommended:
- use the project automation token instead of a broader API key
Install and first run
- Install the extension into your Azure DevOps organization.
- In ConfigDiff Studio, open the target project.
- Copy the project automation token and project ID.
- Add
GatewayLabs Scan to a pipeline.
- Run the pipeline once and confirm:
- the task completes
- a ConfigDiff Studio run is created
- the pipeline exposes run/report output variables
- the calling Azure DevOps endpoint appears in ConfigDiff Studio automation inventory screens
YAML example
- task: GatewayLabsScan@0
displayName: GatewayLabs drift scan
inputs:
apiBaseUrl: "https://gatewaylabs.net"
automationToken: "$(GATEWAYLABS_AUTOMATION_TOKEN)"
projectId: "$(GatewayProjectId)"
runnerMode: "hosted"
leftEnv: "prod"
rightEnv: "staging"
failOnSeverity: "high"
apiBaseUrl: public ConfigDiff Studio base URLautomationToken: recommended project-scoped credentialprojectId: owning ConfigDiff Studio projectrunnerMode: hosted or self_hostedleftEnv / rightEnv: optional environment namesfailOnSeverity: drift threshold for failing the pipelinesetAsBaselineOnSuccess: promote a known-good run to the pinned baselineskipPullRequestStatus: disable PR status publishing when needed
Outputs
The task writes these pipeline variables:
GatewayLabs.RunIdGatewayLabs.GateFailedGatewayLabs.MaxSeverityGatewayLabs.TotalChangesGatewayLabs.ValidationWarningsGatewayLabs.BaselineUpdatedGatewayLabs.RunUrlGatewayLabs.HtmlReportUrl
Self-hosted and private-network usage
Choose runnerMode: self_hosted when your repository, IIS host, or ConfigDiff Studio instance is only reachable from a private network.
For deployment-time host checks, pair the extension with the bundled PowerShell scripts:
deploy/azure-devops/GatewayLabs.Scan.ps1deploy/azure-devops/GatewayLabs.LiveSnapshot.ps1
Those scripts support private-network rollout checks and also register the calling endpoint in ConfigDiff Studio automation inventory screens.
Plans and licensing
Team: standard hosted Azure DevOps pipeline step and PR status workflowBusiness: self-hosted runner mode, private-network rollout paths, Azure DevOps Server support, and live snapshot workflows- dedicated self-hosted ConfigDiff Studio deployments are handled as a guided Business+ / Enterprise rollout, separate from the Marketplace task itself
Licensing is workspace-based rather than machine-based, so customers can install multiple agents while the active subscription controls available runner modes.
Learn more
