CodeThreat/codethreat-appsec-azure-extension

CodeThreat Security Scan for Azure DevOps

Professional security scanning extension for Azure DevOps pipelines with comprehensive vulnerability detection and AI-powered analysis.

πŸ›‘οΈ Features

  • πŸ” SAST (Static Application Security Testing) - Source code vulnerability analysis
  • πŸ“¦ SCA (Software Composition Analysis) - Dependency vulnerability scanning
  • πŸ” Secrets Detection - Hardcoded credentials and API key detection
  • πŸ—οΈ Infrastructure as Code (IaC) - Infrastructure security scanning
  • πŸ€– AI-Powered Analysis - False positive elimination and intelligent insights
  • πŸ“Š Multiple Output Formats - SARIF, JSON, JUnit, CSV, XML
  • πŸ“‹ Custom Results Tab - Beautiful results visualization in Azure DevOps UI
  • πŸ” Network Diagnostics - Comprehensive debugging for corporate environments
  • 🏒 On-Premises Support - Works in air-gapped and corporate environments

🚀 Quick Start

1. Install Extension

Install the CodeThreat Security Scan extension from the Azure DevOps Marketplace.

2. Add to Pipeline

Add the CodeThreat Security Scan task to your azure-pipelines.yml:

```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'  # Recommended: ubuntu-latest, windows-latest, macOS-latest

steps:
  - task: CodeThreatSecurityScan@1
    displayName: 'CodeThreat Security Scan'
    inputs:
      # Required
      apiKey: '$(CODETHREAT_API_KEY)'
      serverUrl: '$(CODETHREAT_SERVER_URL)'

      # Scan Configuration
      scanTypes: 'sast,sca,secrets'
      waitForCompletion: true
      timeout: 30

      # Build Protection
      failOnCritical: true
      failOnHigh: false

      # Output Configuration
      outputFormat: 'junit'
      outputFile: 'codethreat-results.xml'

  - task: PublishTestResults@2
    displayName: 'Publish Security Results'
    condition: always()
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: 'codethreat-results.xml'
      testRunTitle: 'CodeThreat Security Scan'
```

3. Configure Variables

In your Azure DevOps project, go to Library → Variable groups and add:

| Variable Name | Value | Secret |
|---|---|---|
| CODETHREAT_API_KEY | your_api_key_here | ✅ Yes |
| CODETHREAT_SERVER_URL | https://app.codethreat.com | No |

📋 Task Inputs

Required

| Input | Description | Example |
|---|---|---|
| apiKey | CodeThreat API key | $(CODETHREAT_API_KEY) |
| serverUrl | CodeThreat server URL | https://app.codethreat.com |

Optional

| Input | Description | Default | Options |
|---|---|---|---|
| organizationId | Organization ID | Auto-detected | org-123 |
| repositoryUrl | Repository URL | $(Build.Repository.Uri) | Git URL |
| branch | Branch to scan | $(Build.SourceBranchName) | Branch name |
| scanTypes | Scan types | sast,sca,secrets | sast, sca, secrets, iac |
| waitForCompletion | Wait for completion | true | true, false |
| timeout | Timeout in minutes | 30 | 1-120 |
| pollInterval | Poll interval in seconds | 10 | 5-60 |
| outputFormat | Output format | json | json, sarif, junit, csv, xml |
| outputFile | Output file path | codethreat-results.json | File path |
| failOnCritical | Fail on critical | true | true, false |
| failOnHigh | Fail on high severity | false | true, false |
| maxViolations | Max violations | 0 | Number (0 = no limit) |
| skipImport | Skip repository import | false | true, false |
| cliVersion | CLI version | latest | Version number |
| verbose | Verbose logging | false | true, false |

📊 Task Outputs

The task sets the following pipeline variables:

| Variable | Description |
|---|---|
| CodeThreat.ScanId | Scan identifier |
| CodeThreat.RepositoryId | Repository identifier |
| CodeThreat.ViolationCount | Total violations found |
| CodeThreat.CriticalCount | Critical vulnerabilities |
| CodeThreat.HighCount | High severity vulnerabilities |
| CodeThreat.SecurityScore | Security score (0-100) |
| CodeThreat.ScanUrl | Dashboard URL |
| CodeThreat.ResultsFile | Results file path |

Using Outputs

```yaml
- task: CodeThreatSecurityScan@1
  name: SecurityScan
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'

- script: |
    echo "Violations found: $(CodeThreat.ViolationCount)"
    echo "Security Score: $(CodeThreat.SecurityScore)/100"
    echo "View Results: $(CodeThreat.ScanUrl)"
  displayName: 'Display Results'
```
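The task's own failOnCritical, failOnHigh and maxViolations inputs already gate the build, but teams often want a policy of their own evaluated in a later step (for example a minimum score on release branches). The following script is an added example, not code from the extension or its repository. It assumes the task publishes the outputs listed above as ordinary job variables, so that a script step sees them as the environment variables Azure DevOps derives from `$(CodeThreat.CriticalCount)` and friends (upper-cased, dots replaced by underscores: `CODETHREAT_CRITICALCOUNT`); that mapping, the `min_score` rule and the `Policy` type are assumptions, while the `##vso[task.logissue]` and `##vso[task.complete]` logging commands are the documented way for a script to report errors and set the step result.

```python
"""Post-scan policy gate over the CodeThreat task outputs (added example, not the extension's code)."""
import os
import sys
from dataclasses import dataclass

# Assumption: the task sets plain job-scoped variables, which Azure DevOps exposes to
# script steps as upper-cased environment variables with '.' replaced by '_'.
OUTPUT_VARS = {
    "critical": "CODETHREAT_CRITICALCOUNT",
    "high": "CODETHREAT_HIGHCOUNT",
    "total": "CODETHREAT_VIOLATIONCOUNT",
    "score": "CODETHREAT_SECURITYSCORE",
    "url": "CODETHREAT_SCANURL",
}


@dataclass(frozen=True)
class Policy:
    """Mirrors the task's build-protection inputs plus one extra rule of our own."""
    fail_on_critical: bool = True   # same semantics as the task's failOnCritical
    fail_on_high: bool = False      # same semantics as the task's failOnHigh
    max_violations: int = 0         # 0 = no limit, matching the task's maxViolations
    min_score: int = 0              # hypothetical extra rule; the task offers no such input


def read_outputs(env=None):
    """Collect the scan outputs from the environment; fail loudly if the task did not run."""
    env = os.environ if env is None else env

    def as_int(name):
        raw = env.get(OUTPUT_VARS[name], "").strip()
        if not raw:
            raise ValueError(f"{OUTPUT_VARS[name]} is not set; did the scan task run in this job?")
        return int(raw)

    return {
        "critical": as_int("critical"),
        "high": as_int("high"),
        "total": as_int("total"),
        "score": as_int("score"),
        "url": env.get(OUTPUT_VARS["url"], ""),
    }


def evaluate(outputs, policy):
    """Return the list of policy breaches; an empty list means the gate passes."""
    reasons = []
    if policy.fail_on_critical and outputs["critical"] > 0:
        reasons.append(f"{outputs['critical']} critical finding(s) (failOnCritical)")
    if policy.fail_on_high and outputs["high"] > 0:
        reasons.append(f"{outputs['high']} high finding(s) (failOnHigh)")
    if policy.max_violations > 0 and outputs["total"] > policy.max_violations:
        reasons.append(f"{outputs['total']} violations exceed maxViolations={policy.max_violations}")
    if outputs["score"] < policy.min_score:
        reasons.append(f"security score {outputs['score']} below minimum {policy.min_score}")
    return reasons


def vso_commands(reasons, url):
    """Azure DevOps logging commands that surface the decision in the job log and step result."""
    lines = [f"##vso[task.logissue type=error]{r}" for r in reasons]
    if reasons:
        lines.append(f"##vso[task.logissue type=error]Review findings: {url}")
        lines.append("##vso[task.complete result=Failed;]Security gate failed")
    else:
        lines.append("##vso[task.complete result=Succeeded;]Security gate passed")
    return lines


if __name__ == "__main__":
    # Stricter than the task defaults: block on high findings, cap total findings,
    # and (our own rule) require a score of at least 70.
    policy = Policy(fail_on_critical=True, fail_on_high=True, max_violations=10, min_score=70)
    outputs = read_outputs()
    reasons = evaluate(outputs, policy)
    for line in vso_commands(reasons, outputs["url"]):
        print(line)
    sys.exit(1 if reasons else 0)
```

Run it as a `- script: python3 security_gate.py` step placed after the scan task (with `waitForCompletion: true`, otherwise the counts are not yet known); because the step marks itself failed, a following `Deploy` stage guarded by `condition: succeeded()` is blocked even when the task's own failOnCritical/failOnHigh inputs are left at their defaults.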

📋 Custom Results Tab

After running the CodeThreat Security Scan task, a "CodeThreat Results" tab will automatically appear in your Azure DevOps pipeline results alongside the default Summary tab.

Features

The custom tab provides:

  • 📊 Visual Summary Cards: Interactive cards showing violation counts by severity
  • 🎯 Security Score Visualization: Progress bar with color-coded score (0-100)
  • 📋 Detailed Scan Information: Complete scan metadata and configuration
  • 🔍 Violations Breakdown: Detailed table with severity distribution and descriptions
  • 🔬 Scan Types Analysis: Status and description of each security test performed
  • 🔗 Quick Actions: Direct links to CodeThreat dashboard and result downloads

Tab Content

The tab displays:

  1. Summary Cards: Critical, High, Medium, Low violation counts + Security Score + Scan Duration
  2. Security Score Progress: Visual progress bar with color coding (Red < 60 < Orange < Yellow < Green)
  3. Scan Details Table: Scan ID, Repository, Branch, Types, Duration, Results file
  4. Violations Analysis: Severity breakdown with percentages and descriptions
  5. Scan Types Status: SAST, SCA, Secrets, IaC completion status
  6. Quick Actions: Links to dashboard, download results, view raw data

Example Tab View

πŸ›‘οΈ CodeThreat Security Analysis Results
Comprehensive security scan results with AI-powered analysis

[Critical: 1] [High: 3] [Medium: 5] [Low: 2] [Score: 78/100] [Duration: 85s]

πŸ“Š Security Score Analysis
β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘ 78%

πŸ“‹ Scan Information
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Scan ID         β”‚ cmf5fitgk003s2mig1efs7cjx                β”‚
β”‚ Repository      β”‚ MyApp Repository                         β”‚
β”‚ Branch          β”‚ main                                     β”‚
β”‚ Scan Types      β”‚ SAST, SCA, Secrets                       β”‚
β”‚ Duration        β”‚ 85 seconds                               β”‚
β”‚ Total Violationsβ”‚ 11                                       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ” Violations by Severity
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Severity β”‚ Count β”‚ Percentage β”‚ Description                                  β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Critical β”‚   1   β”‚     9%     β”‚ Immediate attention required                 β”‚
β”‚ High     β”‚   3   β”‚    27%     β”‚ Should be fixed soon                         β”‚
β”‚ Medium   β”‚   5   β”‚    46%     β”‚ Should be addressed                          β”‚
β”‚ Low      β”‚   2   β”‚    18%     β”‚ Consider fixing                              β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

[🌐 View in CodeThreat Dashboard] [πŸ“„ Download Results] [πŸ” View Raw Results]

🎯 Usage Examples

Basic Security Scan

```yaml
- task: CodeThreatSecurityScan@1
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'
    scanTypes: 'sast,sca,secrets'
```

Advanced Configuration

```yaml
- task: CodeThreatSecurityScan@1
  inputs:
    # Authentication
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'
    organizationId: '$(CODETHREAT_ORG_ID)'

    # Scan Configuration
    scanTypes: 'sast,sca,secrets,iac'
    waitForCompletion: true
    timeout: 45
    pollInterval: 15

    # Build Protection
    failOnCritical: true
    failOnHigh: true
    maxViolations: 10

    # Output Configuration
    outputFormat: 'sarif'
    outputFile: 'security-results.sarif'
    verbose: true
```

Multi-Environment Pipeline

```yaml
stages:
  - stage: SecurityScan
    displayName: 'Security Analysis'
    jobs:
      - job: CodeThreatScan
        displayName: 'CodeThreat Security Scan'
        steps:
          - task: CodeThreatSecurityScan@1
            displayName: 'Run Security Scan'
            inputs:
              apiKey: '$(CODETHREAT_API_KEY)'
              serverUrl: '$(CODETHREAT_SERVER_URL)'
              scanTypes: 'sast,sca,secrets'
              failOnCritical: true
              outputFormat: 'junit'
              outputFile: 'security-results.xml'

          - task: PublishTestResults@2
            displayName: 'Publish Security Results'
            condition: always()
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: 'security-results.xml'
              testRunTitle: 'Security Analysis'

  - stage: Deploy
    displayName: 'Deploy Application'
    dependsOn: SecurityScan
    condition: succeeded()
    jobs:
      - deployment: Deploy
        displayName: 'Deploy to Production'
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying secure application..."
```

Conditional Scanning

```yaml
# Only scan on main branch pushes
- task: CodeThreatSecurityScan@1
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'
    scanTypes: 'sast,sca,secrets,iac'
    failOnCritical: true
    failOnHigh: true
```

🏢 On-Premises Usage

Air-Gapped Environments

The extension supports on-premises and air-gapped environments:

```yaml
- task: CodeThreatSecurityScan@1
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: 'https://codethreat.yourcompany.com'  # Your private server
    cliVersion: '1.0.3'  # Specific version for stability
```

Custom CLI Installation

For environments with restricted internet access, you can pre-install the CLI:

```yaml
# Pre-install CLI in pipeline
- script: |
    npm install -g @codethreat/appsec-cli@1.0.3
  displayName: 'Install CodeThreat CLI'

- task: CodeThreatSecurityScan@1
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'
```

🔧 Troubleshooting

Common Issues

"API key is required"

  • Ensure CODETHREAT_API_KEY is set in your variable group
  • Verify the variable is marked as secret
  • Check variable group is linked to your pipeline

"Authentication failed"

  • Verify API key is valid and not expired
  • Check server URL is correct and accessible
  • Ensure organization has appropriate permissions

"CLI installation failed"

  • Check if Node.js is available in the build agent
  • Verify internet access for npm installation
  • For on-premises: ensure binary download URL is accessible

"Scan timeout"

  • Increase timeout value for large repositories
  • Consider running scans asynchronously (waitForCompletion: false)
  • Check repository size and scan types

Azure DevOps Warnings

"Node version (16) is end-of-life"

  • ✅ Fixed in v1.1.0+: the extension now uses Node.js 20
  • Update to latest extension version from marketplace

"windows-2019 runner image is being deprecated"

  • Solution: Update your pipeline YAML to use the latest runner images
  • Use vmImage: 'windows-latest' instead of windows-2019
  • Use vmImage: 'ubuntu-latest' instead of ubuntu-18.04

```yaml
# ✅ Recommended (no warnings); pick one
pool:
  vmImage: 'ubuntu-latest'    # Latest Ubuntu LTS
  # or
  vmImage: 'windows-latest'   # Latest Windows Server
  # or
  vmImage: 'macOS-latest'     # Latest macOS

# ❌ Deprecated (causes warnings)
pool:
  vmImage: 'windows-2019'     # Deprecated
  vmImage: 'ubuntu-18.04'     # Deprecated
  vmImage: 'macOS-10.15'      # Deprecated
```

Debug Mode

Enable verbose logging:

```yaml
- task: CodeThreatSecurityScan@1
  inputs:
    apiKey: '$(CODETHREAT_API_KEY)'
    serverUrl: '$(CODETHREAT_SERVER_URL)'
    verbose: true
```

Or enable system debug:

  • Set System.Debug pipeline variable to true

📚 Documentation

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests
  5. Submit a pull request

📄 License

MIT License - see LICENSE file for details.

🆘 Support
