Azure DevOps: Setting Up Gating for Pull Requests via Code

Important Notice

We do not recommend using this functionality anymore, but use the PR gating via the Aikido Dashboard instead as it does not use CI minutes, easier management in bulk and less error-prone.

Intro

Aikido's integration with Azure Pipelines allows you to flag or block risky code from being merged. Our CI scans target IaC, SAST, and dependency issues.

If you're on the Aikido Pro plan, you can also use this integration for CI Gating.

Note: this integration is not available for TFVC repos.

Set up integration

Step 1. Go to our CI Integrations page.

Step 2. Generate an authentication token. You will need to expose this in your CI environment for the integration. Make sure to copy the token in this step.

Step 3. Click on Azure Pipelines. You will be redirected to the Aikido Azure Extension Page

Install the extension

Click the green "Get it free"-button

Select the organisation where you want to install the extension and click install

The extension is now installed. You can verify this by going to "Organisation Settings > Extensions" In your Azure Organisation

Set up the pipeline for PRs

We recommend creating a separate Pipeline for this, but it can be integrated in existing build

Go to Pipelines and create a new azure pipeline. At the configure step select "Starter pipeline"

In the yml-file use following content.

pool:
  vmImage: ubuntu-latest
steps:
  - task: AikidoScanTask@1 
    inputs: 
      secretKey: $(AIKIDO_SECRET) 
      minimumSeverity: 'LOW'
      failOnDependencyScan: true
      failOnSastScan: false
      failOnIacScan: false
      failOnTimeout: true
      timeoutSeconds: 180

For the secretKey we recommend using a variable to avoid the secretKey from being exposed.

Add a new variable for the AIKIDO_SECRET. This is the token that you generated earlier in the Aikido app.

Click the Variables button.

Click the button with the Plus icon.

Give your Variable the name "AIKIDO_SECRET". The value should be the token that you generated earlier in the Aikido app. Check the "Keep this value secret option" to fully secure this secret. Click "OK" to save the variable.

Under the input section there are some required field.

secretKey: This is the token generated in step2 of Set up integration. We recommend saving this in an ENV Variable for your pipeline.
minimumSeverity: When issues of this severity are found the pipeline should fail. Possible options are "LOW", "MEDIUM", "HIGH" & "CRITICAL"

Some optional fields are:

failOnDependencyScan: Boolean value that determines whether the scan should fail on the dependency scan. Default is false
failOnSastScan: Boolean value that determines whether the scan should fail on the SAST scan. Default is false
failOnIacScan: Boolean value that determines whether the scan should fail on the IaC scan. Default is false
timeoutSeconds: Integer value that determines when the task should stop running: Default is 180
failOnTimeout: Boolean value that determines whether the scan should fail on timeout. Default is false

Save and Run the pipeline.

Once your pipeline appears in Azure Pipelines. Go to "Branches" And Select "Branch policies" for the target branches of your PRs where you want run the scan.

Go to Build Validation and click the add icon

Select your new Aikido Scan pipeline. Fill in your preferred options and make sure to give this build policy a display name.

Aikido will now scan new PRs where the target branch is this branch. You can set this up for multiple branches

Last updated 2 months ago

Was this helpful?

hashtagImportant Notice

hashtagIntro

hashtagSet up integration

hashtagInstall the extension

hashtagSet up the pipeline for PRs

Important Notice

Intro

Set up integration

Install the extension

Set up the pipeline for PRs