Azure DevOps
Initial setup
Add the variables under Pipelines → Library → Variable groups (or directly in the YAML as pipeline variables):
| Variable | Secret | Description |
|---|---|---|
| GERION_API_URL | No | URL of the Gerion API Gateway |
| GERION_API_KEY | Yes (padlock icon) | Your organization's M2M API key |
To share credentials across several pipelines, create a variable group named `gerion-credentials` and reference it in the YAML with:

```yaml
variables:
  - group: gerion-credentials
```

Complete pipeline
Copy this file to the root of your repository as `azure-pipelines.yml`:
```yaml
trigger:
  branches:
    include:
      - main
      - master
      - develop

pr:
  branches:
    include:
      - main
      - master

schedules:
  - cron: "0 2 * * *"
    displayName: Nightly security scan
    branches:
      include:
        - main
    always: true

pool:
  vmImage: ubuntu-latest

variables:
  GERION_IMAGE: ghcr.io/gerion-appsec/gerion-cli:latest

stages:
  - stage: SecurityScan
    displayName: Gerion Security Scan
    jobs:
      - job: GerionScan
        displayName: Run security scans
        steps:
          - checkout: self
            fetchDepth: 0

          # Full scan → results sent to the Gerion API.
          # The API URL and key reach the shell through the env: block below,
          # so the script reads them as $GERION_API_URL / $GERION_API_KEY
          # instead of expanding the secret inline with $(...) macro syntax.
          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_API_URL="$GERION_API_URL" \
                -e GERION_API_KEY="$GERION_API_KEY" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                -e GERION_COMMIT_HASH="$(Build.SourceVersion)" \
                -e GERION_BUILD_ID="$(Build.BuildId)" \
                "$(GERION_IMAGE)" \
                gerion scan-all /code
            displayName: Gerion full scan (API)
            env:
              GERION_API_URL: $(GERION_API_URL)
              GERION_API_KEY: $(GERION_API_KEY)

          # Full scan → SARIF as an artifact (no API credentials are passed here)
          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                -e GERION_COMMIT_HASH="$(Build.SourceVersion)" \
                -e GERION_BUILD_ID="$(Build.BuildId)" \
                "$(GERION_IMAGE)" \
                gerion scan-all /code \
                  --format sarif \
                  --output-file /code/gerion-results.sarif
            displayName: Gerion full scan (SARIF)

          # Publish even if the scan step failed, so the findings are not lost
          - task: PublishBuildArtifacts@1
            displayName: Publish SARIF artifact
            condition: always()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/gerion-results.sarif
              artifactName: GerionSARIF

  # PDF report generation (scheduled runs only)
  - stage: SecurityReport
    displayName: Gerion Security Report
    dependsOn: SecurityScan
    condition: and(succeeded(), eq(variables['Build.Reason'], 'Schedule'))
    jobs:
      - job: GerionReport
        displayName: Generate PDF report
        steps:
          - checkout: self

          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_API_URL="$GERION_API_URL" \
                -e GERION_API_KEY="$GERION_API_KEY" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                "$(GERION_IMAGE)" \
                gerion report \
                  --format pdf \
                  --output-file /code/gerion-report.pdf \
                  --severity HIGH \
                  --active-only
            displayName: Generate PDF report
            env:
              GERION_API_URL: $(GERION_API_URL)
              GERION_API_KEY: $(GERION_API_KEY)

          - task: PublishBuildArtifacts@1
            displayName: Publish PDF report
            condition: always()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/gerion-report.pdf
              artifactName: GerionReport
```

Notes
- Azure DevOps does not pick up Gerion's environment variables automatically. The pipeline maps them explicitly from Azure's predefined variables (`Build.Repository.Name`, `Build.SourceBranchName`, `Build.SourceVersion`, `Build.BuildId`).
- Variables marked as secret (`GERION_API_KEY`) are not shown in the logs. Always pass them through the step's `env:` block.
- Azure DevOps has no native SARIF viewer. The artifacts are published as downloadable files in the Artifacts tab of the pipeline run.
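Because the pipeline UI cannot render the SARIF artifact, one way to surface the findings in the run summary is a follow-up script step that converts each SARIF result into an Azure DevOps `##vso[task.logissue]` logging command. The script below is an added example, not part of Gerion or of the pipeline above; it assumes only the standard SARIF 2.1.0 layout (`runs[].results[]`), and the rule IDs, messages and file paths in its sample report are constructed.

```python
# Added example (not Gerion project code): turn a SARIF 2.1.0 report into Azure
# DevOps ##vso[task.logissue] commands so findings show in a UI with no SARIF viewer.
import json
import sys

def iter_results(sarif):
    """Yield every result across all runs of a parsed SARIF document."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])

def summarize(sarif):
    """Return {level: count}; a missing level defaults to 'warning' as in SARIF."""
    counts = {}
    for result in iter_results(sarif):
        level = result.get("level", "warning")
        counts[level] = counts.get(level, 0) + 1
    return counts

def to_vso_commands(sarif):
    """Render each result as one ##vso[task.logissue ...] line, skipping absent fields."""
    lines = []
    for result in iter_results(sarif):
        # Azure DevOps only renders 'error' and 'warning'; note/none become warnings.
        props = ["type=error" if result.get("level") == "error" else "type=warning"]
        phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        line = phys.get("region", {}).get("startLine")
        if uri:
            props.append(f"sourcepath={uri}")
        if line:
            props.append(f"linenumber={line}")
        if result.get("ruleId"):
            props.append(f"code={result['ruleId']}")
        text = result.get("message", {}).get("text", "")
        lines.append(f"##vso[task.logissue {';'.join(props)};]{text}")
    return lines

# Constructed sample report; real Gerion rule IDs, messages and paths will differ.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "gerion"}}, "results": [
    {"ruleId": "EXAMPLE-001", "level": "error", "message": {"text": "Hard-coded credential"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                         "region": {"startLine": 12}}}]},
    {"ruleId": "EXAMPLE-002", "level": "warning", "message": {"text": "Outdated dependency"}},
]}]}

if __name__ == "__main__":  # usage: python3 sarif_to_vso.py gerion-results.sarif
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    print("\n".join(to_vso_commands(doc)))
    print("Gerion findings by level:", summarize(doc))
    sys.exit(1 if summarize(doc).get("error") else 0)  # fail the step on error-level findings
```

Run it as a `- script:` step after the SARIF scan and each finding appears under Errors/Warnings in the run summary, with file and line where the report provides them; the non-zero exit on error-level results turns the step into a gate.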