Skip to content

Troubleshooting

This page covers common SecureObs integration failures.

401 Unauthorized

The API key or JWT was rejected.

Common causes:

  • missing X-Api-Key header;
  • malformed key;
  • revoked key;
  • expired key.

Fix: create a new API key in the dashboard, update the CI secret, and re-run the pipeline.

403 Forbidden

The credential is valid but not allowed to perform the requested action.

Common causes:

  • the signed-in user is not a member of the tenant;
  • the API key is project-scoped and the scan uses a different project ID.

Fix: verify the tenant ID, project ID, and key scope.

404 Not Found

The resource does not exist or the caller cannot see it. SecureObs intentionally does not distinguish those cases for tenant-scoped resources.

429 Too Many Requests

The rate limiter tripped. Check the Retry-After header and reduce scan frequency if needed.

Scanner Runs But No Findings Appear

Check these first:

  1. The workspace is mounted into the container.
  2. At least one scanner is enabled for the project.
  3. The project ID matches the API key scope.
  4. The scanner actually found findings for the repository contents.

Docker Image Fails To Pull

Common causes:

  • transient Docker Hub rate limit;
  • enterprise proxy blocking Docker Hub;
  • typo in the image tag.

Use secureobs/scanner:v1 unless you intentionally pin a full version.

Build Gate Passes Unexpectedly

Common causes:

  • policy is set to Never block;
  • scan step did not ingest findings;
  • scan and gate used different pipeline run IDs;
  • relevant findings are suppressed.

Build Gate Fails But The Dashboard Looks Clean

Common causes:

  • the dashboard filter is hiding blocking findings;
  • severity normalization mapped scanner-specific severity to HIGH or CRITICAL;
  • the gate is checking a different pipeline run than the one you are viewing.

Azure DevOps Variable Appears Literally

If your script prints $(SECUREOBS_API_KEY) literally, the variable group is not linked or the variable was not mapped through env:.

Secret variables are not automatically available inside scripts. Map them:

env:
  SECUREOBS_API_KEY: $(SECUREOBS_API_KEY)

Then reference $SECUREOBS_API_KEY in shell code.

Account Looks Empty After Sign-In

Organizations are keyed to the Microsoft account object ID, not email alone. Signing in with a different Microsoft account can look like a brand new user.

Use the account recovery prompt in the dashboard or contact support@secureobs.com.