Azure DevOps Quickstart
This guide adds SecureObs scanning to one Azure DevOps pipeline.
1. Create A Variable Group
In Azure DevOps, open Project settings -> Pipelines -> Library and create a
variable group named secureobs.
Add:
| Variable | Secret? | Value |
|---|---|---|
| `SECUREOBS_API_KEY` | Yes | Raw API key from SecureObs |
| `SECUREOBS_TENANT_ID` | No | Tenant ID from SecureObs |
| `SECUREOBS_PROJECT_ID` | No | Project ID from SecureObs |
2. Add The Pipeline
Create or update azure-pipelines.yml:
```yaml
# azure-pipelines.yml
trigger:
  branches:
    include: [main]

pr:
  branches:
    include: ['*']

pool:
  vmImage: ubuntu-latest

variables:
  - group: secureobs

stages:
  - stage: SecureObsScan
    jobs:
      - job: scan
        steps:
          - checkout: self

          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/workspace" \
                -e SECUREOBS_API_KEY \
                secureobs/scanner:v1 \
                scan \
                --project-id "$SECUREOBS_PROJECT_ID" \
                --tenant-id "$SECUREOBS_TENANT_ID" \
                --pipeline-run-id "$BUILD_BUILDID"
            displayName: Run SecureObs scanners
            env:
              SECUREOBS_API_KEY: $(SECUREOBS_API_KEY)
              SECUREOBS_PROJECT_ID: $(SECUREOBS_PROJECT_ID)
              SECUREOBS_TENANT_ID: $(SECUREOBS_TENANT_ID)
              BUILD_BUILDID: $(Build.BuildId)

          - script: |
              docker run --rm \
                -e SECUREOBS_API_KEY \
                secureobs/scanner:v1 \
                gate \
                --project-id "$SECUREOBS_PROJECT_ID" \
                --tenant-id "$SECUREOBS_TENANT_ID" \
                --pipeline-run-id "$BUILD_BUILDID"
            displayName: Enforce build gate
            env:
              SECUREOBS_API_KEY: $(SECUREOBS_API_KEY)
              SECUREOBS_PROJECT_ID: $(SECUREOBS_PROJECT_ID)
              SECUREOBS_TENANT_ID: $(SECUREOBS_TENANT_ID)
              BUILD_BUILDID: $(Build.BuildId)
```
Notes
- Microsoft-hosted `ubuntu-latest` can run Docker.
- Secret Azure DevOps variables are not automatically available inside shell
  scripts. The explicit `env:` mapping is required.
- Keep `$(SECUREOBS_API_KEY)` in the `env:` block, then reference
  `$SECUREOBS_API_KEY` inside shell code.
- The recommended setup is self-contained. It does not require a GitHub service connection.
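A preflight check for the `env:` mapping described in these notes, as an added example that is not part of the SecureObs documentation. The function name `secureobs_preflight` is hypothetical, and the macro check assumes the Azure DevOps behaviour of leaving `$(NAME)` as literal text when the variable is undefined.

```sh
# Added example: fail fast when a variable the scan or gate step needs
# did not reach the shell. Only variable names are printed, never values,
# so the API key cannot leak into the build log from this check.

secureobs_preflight() {
  rc=0
  for name in SECUREOBS_API_KEY SECUREOBS_PROJECT_ID \
              SECUREOBS_TENANT_ID BUILD_BUILDID; do
    # Indirect lookup; ${name-} keeps this safe under `set -u`.
    eval "value=\${$name-}"
    case "$value" in
      '')
        # A secret that was not mapped in env: arrives as an unset variable.
        echo "preflight: $name is empty or unset; check the env: mapping" >&2
        rc=1
        ;;
      '$('*)
        # Assumption: an undefined pipeline variable leaves the macro text
        # as-is, e.g. when the secureobs variable group is not linked.
        echo "preflight: $name is an unexpanded macro; check the variable group" >&2
        rc=1
        ;;
    esac
  done
  unset value
  return "$rc"
}
```

Define the function at the top of each `script:` block and call `secureobs_preflight || exit 1` before `docker run`, so a missing mapping fails the step with a clear message.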
Verify
Open the SecureObs project Findings tab after the pipeline completes. The
Pipeline Run column should match $(Build.BuildId).