# Azure DevOps Integration

Integrate Code Pathfinder into your Azure DevOps pipelines for automated security scanning, using the CodeAnalysisLogs artifact integration to surface findings in the pipeline UI.

## Quick Start

Add this to your `azure-pipelines.yml`:
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        displayName: 'Run Code Pathfinder'
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --output sarif --output-file pathfinder-results.sarif --fail-on critical,high
          - task: PublishBuildArtifacts@1
            displayName: 'Publish SARIF Report'
            inputs:
              PathtoPublish: 'pathfinder-results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
            condition: always()
```

> **Version Pinning**
>
> Pin to a specific image tag such as `shivasurya/code-pathfinder:v2.0.2` instead of `stable-latest` for reproducible builds. `stable-latest` always tracks the latest stable release.
## Configuration Options

All `pathfinder ci` flags are passed after the image name in the Docker command.

| Flag | Description | Default |
|------|-------------|---------|
| `--rules` | Path to local Python SDK rules file or directory | — |
| `--ruleset` | Remote ruleset(s) from codepathfinder.dev/registry. Use multiple `--ruleset` flags for multiple rulesets. | — |
| `--project` | Path to source code to scan | `.` |
| `--skip-tests` | Skip test files (`test_*.py`, `*_test.py`, `conftest.py`) | `true` |
| `--output` | Output format: `sarif`, `json`, or `csv` | `sarif` |
| `--output-file` | Write output to file. Omit to stream to stdout. | — |
| `--fail-on` | Exit code 1 if findings match severities: `critical`, `high`, `medium`, `low` (comma-separated) | — |
| `--no-diff` | Disable diff-aware scanning and scan all files | `false` |
| `--verbose` | Show statistics and timing information | `false` |
| `--debug` | Show detailed debug diagnostics with timestamps | `false` |
| `--refresh-rules` | Force refresh of cached rulesets | `false` |
## Common Use Cases

### Python Security

Scan Python projects for vulnerabilities:

```yaml
- task: Bash@3
  displayName: 'Python Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        ci --project . --ruleset python/all --fail-on critical,high --output sarif --output-file results.sarif
```

### Docker Security

Scan Dockerfiles and docker-compose files:

```yaml
- task: Bash@3
  displayName: 'Docker Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        ci --project . --ruleset docker/all --ruleset docker-compose/all --verbose --output sarif --output-file results.sarif
```

### Block on Critical Findings

Fail the pipeline if critical or high severity issues are found:

```yaml
- task: Bash@3
  displayName: 'Security Gate'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --fail-on critical,high --output sarif --output-file results.sarif
```

### Azure Security Integration

Publish the SARIF file as a `CodeAnalysisLogs` artifact. Azure DevOps parses this artifact name to display security findings in the pipeline UI:

```yaml
- task: Bash@3
  displayName: 'Run Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --output sarif --output-file pathfinder-results.sarif
- task: PublishBuildArtifacts@1
  displayName: 'Publish Security Report'
  inputs:
    PathtoPublish: 'pathfinder-results.sarif'
    ArtifactName: 'CodeAnalysisLogs'
  condition: always()
```

> **CodeAnalysisLogs**
>
> Publishing to the `CodeAnalysisLogs` artifact name allows Azure DevOps to automatically parse and display security findings in the pipeline summary.
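Besides publishing the artifact, the same SARIF file can be turned into Azure DevOps `##vso[task.logissue]` logging commands so each finding is also annotated inline in the task log. The script below is an added example, not part of Code Pathfinder or its documentation; it assumes standard SARIF 2.1.0 `level` values (`error`, `warning`, `note`) and uses a constructed sample document, because this page does not show the exact fields Code Pathfinder emits.

```python
import json
from typing import Dict, List


def _result(rule, level, text, uri, line):
    """Build one SARIF 2.1.0 result; used only for the constructed sample."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed sample, not real Code Pathfinder output (its fields are not on this page).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "code-pathfinder"}},
    "results": [
        _result("python/sql-injection", "error",
                "Unsanitized input reaches a SQL query", "app/db.py", 42),
        _result("docker/root-user", "warning", "Container runs as root", "Dockerfile", 3),
    ]}]})

# SARIF levels mapped onto the two issue types task.logissue accepts.
LEVEL_TO_ISSUE = {"error": "error", "warning": "warning", "note": "warning"}


def sarif_to_vso_commands(sarif_text: str) -> List[str]:
    """Return one ##vso[task.logissue] line per SARIF result."""
    commands = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            issue = LEVEL_TO_ISSUE.get(res.get("level", "warning"), "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            # A newline would terminate the logging command early.
            msg = res.get("message", {}).get("text", "").replace("\n", " ")
            commands.append(
                f"##vso[task.logissue type={issue};sourcepath={path};"
                f"linenumber={line};code={res.get('ruleId', '')}]{msg}")
    return commands


def count_by_issue_type(sarif_text: str) -> Dict[str, int]:
    """Tally findings per issue type, e.g. to log a summary before the gate."""
    counts: Dict[str, int] = {}
    for cmd in sarif_to_vso_commands(sarif_text):
        kind = cmd.split("type=")[1].split(";")[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run it from a `Bash@3` step after the scan, printing `sarif_to_vso_commands(...)` over the `results.sarif` file one line at a time; Azure DevOps reads the commands from the step's stdout.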
### Pull Request Integration

Run on both the main branch and pull requests:

```yaml
trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        displayName: 'Run Code Pathfinder'
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --output sarif --output-file results.sarif --fail-on critical,high
          - task: PublishBuildArtifacts@1
            displayName: 'Publish SARIF'
            inputs:
              PathtoPublish: 'results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
            condition: always()
```

### Scheduled Scans

Run a weekly security scan on the main branch:
```yaml
schedules:
  - cron: "0 0 * * 0"
    displayName: 'Weekly Security Scan'
    branches:
      include:
        - main
    always: true

trigger: none

stages:
  - stage: Security
    displayName: 'Security Scan'
    jobs:
      - job: CodePathfinder
        steps:
          - checkout: self
          - task: Bash@3
            displayName: 'Run Security Scan'
            inputs:
              targetType: 'inline'
              script: |
                docker run --rm \
                  -v $(Build.SourcesDirectory):/workspace \
                  -w /workspace \
                  shivasurya/code-pathfinder:stable-latest \
                  ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --output sarif --output-file results.sarif
          - task: PublishBuildArtifacts@1
            inputs:
              PathtoPublish: 'results.sarif'
              ArtifactName: 'CodeAnalysisLogs'
            condition: always()
```

### Self-Hosted Agents

For self-hosted agents with the `pathfinder` binary installed directly:
```yaml
jobs:
  - job: CodePathfinder
    pool:
      name: 'self-hosted-pool'
    steps:
      - checkout: self
      - task: Bash@3
        displayName: 'Run Security Scan'
        inputs:
          targetType: 'inline'
          script: |
            pathfinder ci --project . --ruleset python/all --ruleset docker/all --ruleset docker-compose/all --output sarif --output-file results.sarif --fail-on critical,high
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: 'results.sarif'
          ArtifactName: 'CodeAnalysisLogs'
        condition: always()
```

## Troubleshooting

### No vulnerabilities detected

Enable debug and verbose output:
```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    ci --project . --ruleset python/all --debug --verbose --output sarif --output-file results.sarif
```

### Scan full codebase instead of changed files

Disable diff-aware scanning to scan everything:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    ci --project . --ruleset python/all --no-diff --output sarif --output-file results.sarif
```

### Pipeline timeout

Set a task timeout and scan a subdirectory to reduce scope:

```yaml
- task: Bash@3
  displayName: 'Run Security Scan'
  timeoutInMinutes: 60
  inputs:
    targetType: 'inline'
    script: |
      docker run --rm \
        -v $(Build.SourcesDirectory):/workspace \
        -w /workspace \
        shivasurya/code-pathfinder:stable-latest \
        ci --project ./src --ruleset python/all --output sarif --output-file results.sarif
```

### Cache issues with remote rulesets

Force a refresh of cached rulesets:

```yaml
script: |
  docker run --rm \
    -v $(Build.SourcesDirectory):/workspace \
    -w /workspace \
    shivasurya/code-pathfinder:stable-latest \
    ci --project . --ruleset python/all --refresh-rules --output sarif --output-file results.sarif
```