Azure DevOps
Prerequisites
Add the variables in Pipelines → Library → Variable groups (or directly in the YAML as pipeline variables):
| Variable | Secret | Description |
|---|---|---|
| `GERION_API_URL` | No | Gerion API Gateway URL |
| `GERION_API_KEY` | Yes (lock icon) | M2M API key for your organization |
To share credentials across multiple pipelines, create a variable group named `gerion-credentials` and reference it in the YAML with:

```yaml
variables:
  - group: gerion-credentials
```

Full pipeline
Copy this file to the root of your repository as azure-pipelines.yml:
```yaml
trigger:
  branches:
    include:
      - main
      - master
      - develop

pr:
  branches:
    include:
      - main
      - master

schedules:
  - cron: "0 2 * * *"
    displayName: Nightly security scan
    branches:
      include:
        - main
    always: true

pool:
  vmImage: ubuntu-latest

# GERION_API_URL and GERION_API_KEY come from pipeline variables or the
# gerion-credentials variable group (see Prerequisites).
variables:
  GERION_IMAGE: ghcr.io/gerion-appsec/gerion-cli:latest

stages:
  - stage: SecurityScan
    displayName: Gerion Security Scan
    jobs:
      - job: GerionScan
        displayName: Run security scans
        steps:
          - checkout: self
            fetchDepth: 0

          # Full scan — results sent to Gerion API
          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_API_URL="$(GERION_API_URL)" \
                -e GERION_API_KEY="$(GERION_API_KEY)" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                -e GERION_COMMIT_HASH="$(Build.SourceVersion)" \
                -e GERION_BUILD_ID="$(Build.BuildId)" \
                "$(GERION_IMAGE)" \
                gerion scan-all /code
            displayName: Gerion full scan (API)
            env:
              GERION_API_URL: $(GERION_API_URL)
              GERION_API_KEY: $(GERION_API_KEY)

          # Full scan — SARIF artifact
          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                -e GERION_COMMIT_HASH="$(Build.SourceVersion)" \
                -e GERION_BUILD_ID="$(Build.BuildId)" \
                "$(GERION_IMAGE)" \
                gerion scan-all /code \
                  --format sarif \
                  --output-file /code/gerion-results.sarif
            displayName: Gerion full scan (SARIF)

          - task: PublishBuildArtifacts@1
            displayName: Publish SARIF artifact
            condition: always()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/gerion-results.sarif
              artifactName: GerionSARIF

  # PDF report generation (scheduled runs only)
  - stage: SecurityReport
    displayName: Gerion Security Report
    dependsOn: SecurityScan
    condition: and(succeeded(), eq(variables['Build.Reason'], 'Schedule'))
    jobs:
      - job: GerionReport
        displayName: Generate PDF report
        steps:
          - checkout: self

          - script: |
              docker run --rm \
                -v "$(Build.SourcesDirectory):/code" \
                -e GERION_API_URL="$(GERION_API_URL)" \
                -e GERION_API_KEY="$(GERION_API_KEY)" \
                -e GERION_REPO_NAME="$(Build.Repository.Name)" \
                -e GERION_BRANCH_NAME="$(Build.SourceBranchName)" \
                "$(GERION_IMAGE)" \
                gerion report \
                  --format pdf \
                  --output-file /code/gerion-report.pdf \
                  --severity HIGH \
                  --active-only
            displayName: Generate PDF report
            env:
              GERION_API_URL: $(GERION_API_URL)
              GERION_API_KEY: $(GERION_API_KEY)

          - task: PublishBuildArtifacts@1
            displayName: Publish PDF report
            condition: always()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/gerion-report.pdf
              artifactName: GerionReport
```

Notes
- Azure DevOps does not automatically detect Gerion environment variables. The pipeline maps them explicitly from Azure's predefined variables (`Build.Repository.Name`, `Build.SourceBranchName`, `Build.SourceVersion`, `Build.BuildId`).
- Variables marked as secret (`GERION_API_KEY`) are masked in logs and are not exposed to scripts as environment variables unless mapped. Always pass them through the step's `env:` block.
- Azure DevOps does not have a native SARIF viewer. Artifacts are published as downloadable files from the Artifacts tab of the pipeline run.
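Because there is no SARIF viewer, a follow-up script step can read `gerion-results.sarif`, surface each finding in the run summary through Azure's `##vso[task.logissue]` logging command, and fail the step when results at or above a chosen SARIF level are present. This is an added example, not Gerion's or Azure's own tooling; the SARIF document embedded in it is constructed, and the script name `sarif_summary.py` is hypothetical.

```python
import json
import sys

LEVELS = ["note", "warning", "error"]  # SARIF 2.1.0 result levels, ascending severity

SAMPLE_SARIF = {"runs": [{  # constructed sample in SARIF 2.1.0 shape, not real Gerion output
    "tool": {"driver": {"name": "gerion"}},
    "results": [
        {"ruleId": "EXAMPLE-001", "level": "error",
         "message": {"text": "Constructed high-severity finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "EXAMPLE-002", "level": "warning",
         "message": {"text": "Constructed medium-severity finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                                             "region": {"startLine": 7}}}]},
    ],
}]}

def summarize(sarif: dict) -> dict:
    """Count results per SARIF level over all runs (a missing level means 'warning' per the spec)."""
    counts = {level: 0 for level in LEVELS}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            counts[level] = counts.get(level, 0) + 1
    return counts

def annotate(sarif: dict) -> list:
    """Render each finding as an Azure Pipelines logging command so it appears in the run summary."""
    lines = []
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            kind = "error" if r.get("level") == "error" else "warning"  # logissue only knows these two
            lines.append(f"##vso[task.logissue type={kind};sourcepath={uri};"
                         f"linenumber={line};code={r.get('ruleId', '')}]{r['message']['text']}")
    return lines

def gate(sarif: dict, fail_on: str = "error") -> int:
    """Step exit code: 1 if any result is at or above fail_on, else 0."""
    counts = summarize(sarif)
    return int(any(counts.get(lvl, 0) for lvl in LEVELS[LEVELS.index(fail_on):]))

if __name__ == "__main__":  # e.g. python sarif_summary.py /code/gerion-results.sarif
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    print(*annotate(data), f"Findings by level: {summarize(data)}", sep="\n")
    sys.exit(gate(data))
```

Run it as a `- script:` step after the SARIF scan (a non-zero exit fails the step), or drop `gate` if the artifact should only be summarised and never block the build.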