Integrate Code Pathfinder into your Azure DevOps pipelines for automated security scanning with CodeAnalysisLogs integration.
## Quick Start

Add this to your `azure-pipelines.yml`:

```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        displayName: 'Run Code Pathfinder'
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file pathfinder-results.sarif
          - task: PublishBuildArtifacts@1
            displayName: 'Publish SARIF Report'
            inputs:
              PathtoPublish: 'pathfinder-results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
            condition: always()
```
## Configuration Options

All `pathfinder scan` command options are available; pass them as command-line flags in the Docker command.

### Rule Sources

- `--rules`: Path to a local Python SDK rules file or directory, e.g. `--rules python-sdk/examples/owasp_top10.py`
- `--ruleset`: Remote ruleset(s) from the registry, comma-separated for multiple, e.g. `--ruleset python/deserialization,docker/security`

### Scan Configuration

- `--project`: Path to the source code to scan
- Skip scanning test files

### Output Options

- `--output`: Output format: `sarif`, `json`, `csv`, or `text`
- `--output-file`: Output file path
- `--fail-on`: Fail the build on the listed severities: `critical`, `high`, `medium`, `low` (comma-separated)

### Advanced Options

- `--verbose`: Enable verbose output with progress and statistics
- `--debug`: Enable debug diagnostics with timestamps
- `--refresh-rules`: Force refresh of cached rulesets (bypasses the cache)
- Disable anonymous usage metrics collection
## Common Use Cases

Scan Python projects for deserialization, Django, and Flask vulnerabilities:

```yaml
- task: Bash@3
  displayName: 'Python Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        scan --project . --ruleset python/deserialization,python/django,python/flask --fail-on critical,high --output sarif --output-file results.sarif
```

Scan Dockerfiles and docker-compose files:

```yaml
- task: Bash@3
  displayName: 'Docker Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        scan --project . --ruleset docker/security,docker/best-practice --verbose --output sarif --output-file results.sarif
```

Scan specific directories in a monorepo:

```yaml
jobs:
  - job: ScanBackend
    displayName: 'Scan Backend'
    steps:
      - task: Bash@3
        displayName: 'Scan Python Backend'
        inputs:
          targetType: 'inline'
          script: |
            docker run --rm \
              -v $(Build.SourcesDirectory):/workspace \
              -w /workspace \
              shivasurya/code-pathfinder:stable-latest \
              scan --project ./backend --ruleset python/deserialization --output sarif --output-file backend-results.sarif

  - job: ScanInfrastructure
    displayName: 'Scan Infrastructure'
    steps:
      - task: Bash@3
        displayName: 'Scan Docker Files'
        inputs:
          targetType: 'inline'
          script: |
            docker run --rm \
              -v $(Build.SourcesDirectory):/workspace \
              -w /workspace \
              shivasurya/code-pathfinder:stable-latest \
              scan --project ./infrastructure --ruleset docker/security --output sarif --output-file infra-results.sarif
```

Block pipelines if critical or high severity issues are found:

```yaml
- task: Bash@3
  displayName: 'Security Scan with Blocking'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        scan --project . --ruleset python/deserialization,docker/security --fail-on critical,high --output sarif --output-file results.sarif
```
## Azure Security Integration

Publish SARIF results to Azure DevOps for security tracking:

```yaml
- task: Bash@3
  displayName: 'Run Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file pathfinder-results.sarif

- task: PublishBuildArtifacts@1
  displayName: 'Publish Security Report'
  inputs:
    PathtoPublish: 'pathfinder-results.sarif'
    ArtifactName: 'CodeAnalysisLogs'
  condition: always()
```

:::tip[Azure DevOps Security]
Publishing to the `CodeAnalysisLogs` artifact name allows Azure DevOps to automatically parse and display security findings.
:::
## Pull Request Integration

Show security findings in pull requests:

```yaml
trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        displayName: 'Run Code Pathfinder'
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file results.sarif
          - task: PublishBuildArtifacts@1
            displayName: 'Publish SARIF'
            inputs:
              PathtoPublish: 'results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
            condition: always()
```
## Scheduled Scans

Run security scans on a schedule:

```yaml
schedules:
  - cron: "0 0 * * 0" # Every Sunday at midnight
    displayName: 'Weekly Security Scan'
    branches:
      include:
        - main
    always: true

trigger: none

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        displayName: 'Run Code Pathfinder'
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file results.sarif
          - task: PublishBuildArtifacts@1
            inputs:
              PathtoPublish: 'results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
```
## Output Formats

### SARIF (Azure Security)

Azure-compatible format for security alerts:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    scan --project . --ruleset python/deserialization --output sarif --output-file results.sarif
```

### JSON

Machine-readable format for custom processing:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    scan --project . --ruleset python/deserialization --output json --output-file scan-results.json
```

### CSV

Spreadsheet-friendly format for reporting:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    scan --project . --ruleset python/deserialization --output csv --output-file vulnerabilities.csv
```
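The "custom processing" the JSON and SARIF formats allow, and the pull-request integration above, both come down to reading the report the scan wrote and turning each finding into something the Azure DevOps job can show or act on. The following script is an added example, not code from Code Pathfinder or its documentation. It assumes only the standard SARIF 2.1.0 layout (`runs[].results[]` with `ruleId`, `level`, `message.text` and `locations[].physicalLocation`), maps each finding to an Azure DevOps `##vso[task.logissue ...]` logging command (which the PR checks view renders as an annotated error or warning), counts findings per level, and returns a non-zero exit status when any `error`-level finding is present. The embedded report is a constructed sample, not real scanner output, and the `error`/`warning` gate is the script's own policy rather than the tool's `--fail-on` severity names.

```python
"""Post-process a SARIF report inside an Azure DevOps job.

Added example; not part of Code Pathfinder. Assumes only the SARIF 2.1.0
schema. SAMPLE_SARIF below is a constructed sample, not scanner output.
"""
import json
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape (two findings, two levels).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "python/deserialization", "level": "error",
             "message": {"text": "Untrusted data reaches pickle.loads"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "backend/api.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "docker/security", "level": "warning",
             "message": {"text": "Container runs as root"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}

# SARIF result level -> Azure DevOps logissue type. "note" falls back to warning.
LEVEL_TO_VSO = {"error": "error", "warning": "warning"}


def iter_findings(sarif):
    """Yield (ruleId, level, message, path, line) for every SARIF result."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            yield (res.get("ruleId", ""), res.get("level", "warning"),
                   res.get("message", {}).get("text", ""), path, line)


def vso_logissue(level, message, path, line):
    """Build the Azure DevOps logging command that surfaces one finding."""
    kind = LEVEL_TO_VSO.get(level, "warning")
    return (f"##vso[task.logissue type={kind};sourcepath={path};"
            f"linenumber={line}]{message}")


def summarize(sarif, fail_on=("error",)):
    """Count findings per SARIF level and decide whether to fail the job."""
    counts = Counter(f[1] for f in iter_findings(sarif))
    should_fail = any(counts[level] for level in fail_on)
    return counts, should_fail


def main(path=None):
    """Print one logissue line per finding; return 1 if the gate trips."""
    if path:
        with open(path, encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    for rule, level, msg, fpath, line in iter_findings(sarif):
        print(vso_logissue(level, f"[{rule}] {msg}", fpath, line))
    counts, fail = summarize(sarif)
    print(f"findings by level: {dict(counts)}")
    if fail:
        # Marks the task failed even if a later command in the step succeeds.
        print("##vso[task.complete result=Failed;]error-level findings present")
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

In a pipeline this runs as a second `Bash@3` step after the scan, e.g. `python3 sarif_gate.py results.sarif`, placed before the `PublishBuildArtifacts@1` step; keeping `condition: always()` on the publish step means the SARIF report is still uploaded to `CodeAnalysisLogs` when the gate fails the job.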
## Troubleshooting

### No vulnerabilities detected

Enable debug mode:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    scan --project . --ruleset python/deserialization --debug --verbose --output sarif --output-file results.sarif
```

### Pipeline timeout

Use Azure's timeout setting and scan specific directories:

```yaml
- task: Bash@3
  displayName: 'Run Security Scan'
  timeoutInMinutes: 60
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        scan --project ./src --ruleset python/deserialization --output sarif --output-file results.sarif
```

### Cache issues with remote rulesets

Force a refresh of cached rulesets:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    scan --project . --ruleset python/deserialization --refresh-rules --output sarif --output-file results.sarif
```
## Using Self-Hosted Agents

For self-hosted agents with the `pathfinder` binary installed:

```yaml
jobs:
  - job: CodePathfinder
    pool:
      name: 'self-hosted-pool'
    steps:
      - checkout: self
      - task: Bash@3
        displayName: 'Run Security Scan'
        inputs:
          targetType: 'inline'
          script: |
            pathfinder scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file results.sarif
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: 'results.sarif'
          ArtifactName: 'CodeAnalysisLogs'
        condition: always()
```