Azure Pipelines

Basic Pipeline

Add to azure-pipelines.yml:

```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: GoTool@0
    inputs:
      version: '1.21'

  - script: |
      go install github.com/varalys/redactyl@latest
      redactyl scan --sarif > $(Build.ArtifactStagingDirectory)/redactyl.sarif.json
    displayName: 'Run Redactyl scan'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/redactyl.sarif.json'
      artifactName: 'SecurityScans'
```

Two things to check before relying on this in a real pipeline. First, `go install` writes the binary to `$GOPATH/bin` (by default `$HOME/go/bin`); if that directory is not on the agent's PATH, export it inside the script step or prepend it with the `##vso[task.prependpath]` logging command in an earlier step. Second, if the scan step exits non-zero when findings are present, the publish task after it is skipped, so give the publish task `condition: always()` if you want the SARIF uploaded for failed runs as well. For production pipelines, pin a release tag instead of `@latest` so the scanner version is reproducible.

Container Scanning
Scan images built in your pipeline. Docker@2 takes the image name in `repository` and the tag list in `tags`, so the two are split below; the saved tarball must use the same name:

```yaml
stages:
  - stage: Build
    jobs:
      - job: BuildImage
        steps:
          - task: Docker@2
            inputs:
              command: build
              dockerfile: Dockerfile
              repository: '$(Build.Repository.Name)'
              tags: |
                $(Build.BuildId)

          - script: |
              docker save $(Build.Repository.Name):$(Build.BuildId) > image.tar
            displayName: 'Save image'

          - script: |
              go install github.com/varalys/redactyl@latest
              redactyl scan image.tar --sarif > redactyl.sarif.json
            displayName: 'Scan image'

          - task: PublishBuildArtifacts@1
            inputs:
              pathToPublish: redactyl.sarif.json
              artifactName: 'SecurityScans'
```

Docker image names must be lowercase; if `$(Build.Repository.Name)` is not, set `repository` to an explicit lowercase name and use the same name in the `docker save` step.

Pull Request Validation
Run the scanner on every pull request targeting `main` and nothing else:

```yaml
trigger: none

pr:
  branches:
    include:
      - main

steps:
  - script: |
      go install github.com/varalys/redactyl@latest
      redactyl scan --no-tui
    displayName: 'Redactyl PR scan'
```

The YAML `pr:` trigger applies to repositories hosted on GitHub or Bitbucket Cloud. For Azure Repos Git, PR validation is configured as a build validation branch policy on the target branch instead; the steps above are the same.

Template Usage
Create a reusable template. Template expressions cannot be spliced into the middle of a string with an inline `if`/`endif`, so the optional `--helm` flag is passed through an environment variable that is set with a conditional insertion:

```yaml
parameters:
  - name: severity
    type: string
    default: 'high'
  - name: scanHelm
    type: boolean
    default: false

steps:
  - script: go install github.com/varalys/redactyl@latest
    displayName: 'Install Redactyl'

  - script: |
      redactyl scan \
        --severity "${{ parameters.severity }}" \
        $HELM_FLAG \
        --sarif > redactyl.sarif.json
    displayName: 'Run Redactyl'
    env:
      ${{ if eq(parameters.scanHelm, true) }}:
        HELM_FLAG: '--helm'
      ${{ else }}:
        HELM_FLAG: ''
```

Use the template:

```yaml
steps:
  - template: templates/redactyl-scan.yml
    parameters:
      severity: medium
      scanHelm: true
```

Helm Chart Scanning
Point `--helm` at the directory containing your charts:

```yaml
- script: |
    go install github.com/varalys/redactyl@latest
    redactyl scan --helm ./charts --json > helm-findings.json
  displayName: 'Scan Helm charts'
```

Variable Groups
Store configuration in a variable group (here `RedactylConfig`, with variables `REDACTYL_SEVERITY` and `REDACTYL_BASELINE`) and reference it from the pipeline. The group must be authorized for the pipeline the first time it is used:

```yaml
variables:
  - group: RedactylConfig

steps:
  - script: go install github.com/varalys/redactyl@latest
    displayName: 'Install Redactyl'

  - script: |
      redactyl scan \
        --severity $(REDACTYL_SEVERITY) \
        --baseline $(REDACTYL_BASELINE)
    displayName: 'Redactyl scan'
```

Multi-Stage Pipeline
Run the scan as its own stage and make the build stage depend on it, so nothing is built from a commit that failed the secret scan:

```yaml
stages:
  - stage: Scan
    jobs:
      - job: SecretScan
        steps:
          - script: |
              go install github.com/varalys/redactyl@latest
              redactyl scan --no-tui
            displayName: 'Redactyl scan'

  - stage: Build
    dependsOn: Scan
    condition: succeeded()
    jobs:
      - job: BuildApp
        steps:
          - script: echo "Building..."
```

Scheduled Scans
Run a deeper scan on a schedule. Cron expressions are evaluated in UTC, and by default a scheduled run is skipped when the branch has not changed since the last successful scheduled run; set `always: true` if the scan should run every night regardless:

```yaml
schedules:
  - cron: '0 0 * * *'
    displayName: 'Nightly scan'
    branches:
      include:
        - main
    always: true

stages:
  - stage: NightlyScan
    jobs:
      - job: FullScan
        steps:
          - script: |
              go install github.com/varalys/redactyl@latest
              redactyl scan --deep --json > findings.json
            displayName: 'Nightly Redactyl scan'
```
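The PR validation and basic pipeline sections above run the scanner from a script step but do not show how a finding should surface in the run summary or PR check. The POSIX shell script below is an added example, not code from the Redactyl project: it wraps any scanner command in a gate that writes the report to a file and turns the exit status into Azure Pipelines `##vso[...]` logging commands. It assumes (hypothetically) that the scanner exits non-zero when it finds secrets; `fake_scanner` is a constructed stand-in so the script runs offline, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the Redactyl project): wrap a secret scan in an
# Azure Pipelines script step so findings surface as pipeline errors.
# Assumption (hypothetical): the scanner exits non-zero when it finds secrets.

# report_scan_result STATUS REPORT_PATH
# Emits Azure Pipelines logging commands for the scan outcome and returns
# STATUS, so the script step fails exactly when the scanner did.
report_scan_result() {
  status="$1"
  report="$2"
  if [ "$status" -eq 0 ]; then
    echo "Redactyl: no findings (report: $report)"
  else
    # task.logissue shows the message in the run summary and on the PR check.
    echo "##vso[task.logissue type=error]Redactyl reported findings (exit $status); see artifact $report"
    # task.complete marks the step failed even if a later command succeeds.
    echo "##vso[task.complete result=Failed;]secrets detected"
  fi
  return "$status"
}

# run_scan_gate SCANNER REPORT_PATH [SCANNER_ARGS...]
# Runs SCANNER with SCANNER_ARGS, saves its stdout as REPORT_PATH (the file a
# later PublishBuildArtifacts task uploads), then reports the outcome.
run_scan_gate() {
  scanner="$1"; shift
  report="$1"; shift
  "$scanner" "$@" > "$report"
  scan_status=$?
  report_scan_result "$scan_status" "$report"
}

# Constructed stand-in for the real scanner so this runs offline: exits 1 when
# the file it is given contains an "AKIA" token, 0 otherwise.
fake_scanner() {
  if grep -q 'AKIA' "$1"; then
    echo '{"findings":1}'
    return 1
  fi
  echo '{"findings":0}'
  return 0
}

# In a pipeline step the call would be:
#   run_scan_gate redactyl "$(Build.ArtifactStagingDirectory)/redactyl.sarif.json" scan --sarif
# Demonstration with the stand-in on a constructed input (run with "demo"):
if [ "${1:-}" = "demo" ]; then
  sample=$(mktemp)
  echo 'aws_key = AKIAEXAMPLE0000000000' > "$sample"   # constructed sample secret
  run_scan_gate fake_scanner "$sample.json" "$sample" || echo "gate failed as intended"
  rm -f "$sample" "$sample.json"
fi
```

Because the gate returns the scanner's own status, a PR step using it fails the check without any extra `condition:` logic, while the report file is still on disk for a publish task that carries `condition: always()`.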