Azure Pipelines: Setting up gating for pull requests

Aikido's integration with Azure Pipelines allows you to flag or block risky code from being merged. Our CI scans target IaC, SAST, and dependency issues.

If you're on the Aikido Pro plan, you can also use this integration for CI Gating.

Note: this integration is not available for TFVC repos.

Set up integration

Step 1. Go to our CI Integrations page.

Step 2. Generate an authentication token. You will need to expose this in your CI environment for the integration. Make sure to copy the token in this step.

Step 3. Click on Azure Pipelines. You will be redirected to the Aikido Azure Extension page.

Install the extension

Click the green "Get it free" button.

Select the organisation where you want to install the extension and click Install.

The extension is now installed. You can verify this by going to "Organisation Settings > Extensions" in your Azure organisation.

Set up the pipeline for PRs

We recommend creating a separate pipeline for this, but it can also be integrated into an existing build.

Go to Pipelines and create a new Azure pipeline. At the Configure step, select "Starter pipeline".

In the YAML file, use the following content:

pool:
  vmImage: ubuntu-latest
steps:
  - task: AikidoScanTask@1
    inputs:
      secretKey: $(AIKIDO_SECRET)
      minimumSeverity: 'LOW'
      failOnDependencyScan: true
      failOnSastScan: false
      failOnIacScan: false
      failOnTimeout: true
      timeoutSeconds: 180

Add a new pipeline variable named AIKIDO_SECRET. This is the token that you generated earlier in the Aikido app.

The inputs section has the following required fields:

  • secretKey: The token generated in step 2 of "Set up integration". We recommend saving this in an environment variable for your pipeline.

  • minimumSeverity: When issues of this severity are found, the pipeline fails. Possible options are "LOW", "MEDIUM", "HIGH" and "CRITICAL".

The optional fields are:

  • failOnDependencyScan: Boolean value that determines whether the task should fail on the dependency scan. Default is false.

  • failOnSastScan: Boolean value that determines whether the task should fail on the SAST scan. Default is false.

  • failOnIacScan: Boolean value that determines whether the task should fail on the IaC scan. Default is false.

  • timeoutSeconds: Integer value that determines after how many seconds the task should stop running. Default is 180.

  • failOnTimeout: Boolean value that determines whether the task should fail on timeout. Default is false.
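Because every failOn* flag defaults to false, a copied template can leave the branch policy in place while the task never actually fails a build. The following lint is an added example (not part of Aikido's extension or docs); it takes the pipeline as the dict that yaml.safe_load() would return for the YAML above, and the two sample pipelines are constructed here for illustration.

```python
"""Lint an Azure Pipelines definition for the AikidoScanTask@1 step and report
settings that weaken the PR gate. Added example, not Aikido's own tooling."""

ALLOWED_SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
FAIL_FLAGS = ("failOnDependencyScan", "failOnSastScan", "failOnIacScan")


def _is_true(value) -> bool:
    # YAML gives a bool, but a quoted 'true' string also shows up in the wild.
    return value is True or str(value).strip().lower() == "true"


def check_gating(pipeline: dict) -> list:
    """Return findings for a parsed pipeline; an empty list means no concerns."""
    findings = []
    steps = pipeline.get("steps") or []
    tasks = [s for s in steps if str(s.get("task", "")).startswith("AikidoScanTask@")]
    if not tasks:
        return ["no AikidoScanTask step: a build-validation policy on this pipeline gates nothing"]
    for step in tasks:
        inputs = step.get("inputs") or {}
        key = str(inputs.get("secretKey") or "")
        if not key:
            findings.append("secretKey is required but missing")
        elif not (key.startswith("$(") and key.endswith(")")):
            findings.append("secretKey is a literal token; reference a pipeline variable such as $(AIKIDO_SECRET)")
        severity = inputs.get("minimumSeverity")
        if severity not in ALLOWED_SEVERITIES:
            findings.append(f"minimumSeverity {severity!r} is not one of {ALLOWED_SEVERITIES}")
        # All three failOn*Scan flags default to false, so a template with none
        # of them set is configured to fail the build for no scan type at all.
        if not any(_is_true(inputs.get(flag)) for flag in FAIL_FLAGS):
            findings.append("no failOn*Scan flag is true: no scan type is configured to fail the build")
        timeout = inputs.get("timeoutSeconds", 180)
        if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
            findings.append(f"timeoutSeconds {timeout!r} must be a positive integer")
        if not _is_true(inputs.get("failOnTimeout")):
            findings.append("failOnTimeout is false (the default): a timed-out scan does not fail the build")
    return findings


# Constructed inputs: the page's recommended YAML as a dict, and a weakened copy.
PAGE_PIPELINE = {"pool": {"vmImage": "ubuntu-latest"}, "steps": [{"task": "AikidoScanTask@1", "inputs": {
    "secretKey": "$(AIKIDO_SECRET)", "minimumSeverity": "LOW", "failOnDependencyScan": True,
    "failOnSastScan": False, "failOnIacScan": False, "failOnTimeout": True, "timeoutSeconds": 180}}]}
WEAK_PIPELINE = {"steps": [{"task": "AikidoScanTask@1", "inputs": {
    "secretKey": "PLACEHOLDER_TOKEN_PASTED_INLINE", "minimumSeverity": "low",
    "failOnDependencyScan": False, "timeoutSeconds": 180}}]}

for name, pipeline in (("page", PAGE_PIPELINE), ("weak", WEAK_PIPELINE)):
    print(name, check_gating(pipeline) or ["ok"])
```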

Save and Run the pipeline.

Once your pipeline appears in Azure Pipelines, go to "Branches" and select "Branch policies" for each target branch of your PRs on which you want to run the scan.

Go to Build Validation and click the add icon.

Select your new Aikido Scan pipeline. Fill in your preferred options and make sure to give this build policy a display name.

Aikido will now scan new PRs that target this branch. You can set this up for multiple branches.