
Azure Pipelines

Add to azure-pipelines.yml:

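# CI secret scan on pushes to main; the SARIF report is kept as a build artifact.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: GoTool@0
    inputs:
      version: '1.21'

  # NOTE(review): if redactyl needs git history (not just the working tree),
  # add a `checkout: self` step with `fetchDepth: 0` before the scan — hosted
  # pipelines may fetch shallowly by default. Confirm against redactyl's docs.
  - script: |
      set -euo pipefail
      # `go install` puts the binary in $(go env GOPATH)/bin, which is not
      # necessarily on PATH on hosted agents.
      export PATH="$PATH:$(go env GOPATH)/bin"
      # NOTE(review): @latest is a mutable, unpinned reference. A security
      # scanner installed this way changes from run to run and is a
      # supply-chain exposure; pin a tagged release in real pipelines.
      go install github.com/varalys/redactyl@latest
      redactyl scan --sarif > "$(Build.ArtifactStagingDirectory)/redactyl.sarif.json"
    displayName: 'Run Redactyl scan'

  # Publish even when the scan step fails: if redactyl exits non-zero on
  # findings, the default `succeeded()` step condition would skip this task
  # and the report would be lost exactly when it matters.
  - task: PublishBuildArtifacts@1
    condition: succeededOrFailed()
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/redactyl.sarif.json'
      artifactName: 'SecurityScans'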

Scan images built in your pipeline:

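# Build the image, export it with `docker save`, and scan the tarball.
stages:
  - stage: Build
    jobs:
      - job: BuildImage
        steps:
          - task: Docker@2
            displayName: 'Build image'
            inputs:
              command: build
              Dockerfile: Dockerfile
              # Docker@2 composes the image reference as `repository:tag`; the
              # image name goes in `repository`, `tags` holds only the tag.
              # Image names must be lowercase — if the repository name contains
              # uppercase characters, lower-case it here.
              repository: $(Build.Repository.Name)
              tags: $(Build.BuildId)

          - script: |
              set -euo pipefail
              docker save "$(Build.Repository.Name):$(Build.BuildId)" > image.tar
            displayName: 'Save image'

          - script: |
              set -euo pipefail
              export PATH="$PATH:$(go env GOPATH)/bin"
              # NOTE(review): @latest is unpinned; pin a tagged release in practice.
              go install github.com/varalys/redactyl@latest
              redactyl scan image.tar --sarif > redactyl.sarif.json
            displayName: 'Scan image'

          # Publish the report even if the scan step failed on findings;
          # the default `succeeded()` condition would otherwise skip it.
          - task: PublishBuildArtifacts@1
            condition: succeededOrFailed()
            inputs:
              pathToPublish: redactyl.sarif.json
              artifactName: 'SecurityScans'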
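# Separate pipeline that scans pull requests only (no CI trigger).
# NOTE: the YAML `pr:` trigger applies to GitHub and Bitbucket Cloud repos;
# for Azure Repos Git, PR validation is configured through branch policies.
trigger: none

pr:
  branches:
    include:
      - main

steps:
  - script: |
      set -euo pipefail
      export PATH="$PATH:$(go env GOPATH)/bin"
      # NOTE(review): @latest is unpinned; pin a tagged release in practice.
      go install github.com/varalys/redactyl@latest
      # A non-zero exit here fails the step and therefore the PR check.
      redactyl scan --no-tui
    displayName: 'Redactyl PR scan'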

Create a reusable template:

templates/redactyl-scan.yml
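# templates/redactyl-scan.yml — reusable step list.
# Declaring parameter types makes `eq(parameters.scanHelm, true)` compare a
# real boolean and rejects mistyped values at template-expansion time.
parameters:
  - name: severity
    type: string
    default: 'high'
  - name: scanHelm
    type: boolean
    default: false

steps:
  - script: |
      set -euo pipefail
      # NOTE(review): @latest is unpinned; pin a tagged release in practice.
      go install github.com/varalys/redactyl@latest
      # Make the binary visible to later steps (each step is a fresh shell).
      echo "##vso[task.prependpath]$(go env GOPATH)/bin"
    displayName: 'Install Redactyl'

  # Parameters are handed to the shell through `env:` instead of being spliced
  # into the script text: a value containing shell metacharacters then cannot
  # change the command. The `--helm` flag is injected only when scanHelm is
  # true, via `${{ if }}` conditional insertion — there is no inline
  # `${{ if }}…${{ endif }}` form in Azure Pipelines template syntax.
  - script: |
      set -euo pipefail
      redactyl scan \
        --severity "$REDACTYL_SEVERITY" \
        ${HELM_FLAG:-} \
        --sarif > redactyl.sarif.json
    displayName: 'Run Redactyl'
    env:
      REDACTYL_SEVERITY: ${{ parameters.severity }}
      ${{ if eq(parameters.scanHelm, true) }}:
        HELM_FLAG: '--helm'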

Use the template:

# Consume the template; both values override the template's defaults.
steps:
  - template: templates/redactyl-scan.yml
    parameters:
      scanHelm: true
      severity: 'medium'
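# Scan Helm charts under ./charts and keep machine-readable findings.
- script: |
    set -euo pipefail
    export PATH="$PATH:$(go env GOPATH)/bin"
    # NOTE(review): @latest is unpinned; pin a tagged release in practice.
    go install github.com/varalys/redactyl@latest
    redactyl scan --helm ./charts --json > helm-findings.json
  displayName: 'Scan Helm charts'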

Store configuration in variable groups:

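# Read scan settings from a variable group instead of hard-coding them.
variables:
  - group: RedactylConfig

steps:
  - script: |
      set -euo pipefail
      redactyl scan \
        --severity "$REDACTYL_SEVERITY" \
        --baseline "$REDACTYL_BASELINE"
    displayName: 'Redactyl scan'
    # Map the group variables explicitly: the values reach the shell as quoted
    # environment variables instead of being macro-expanded into the script
    # text, so a value with spaces or shell metacharacters cannot alter the
    # command. Secret variables are only visible to scripts when mapped here.
    env:
      REDACTYL_SEVERITY: $(REDACTYL_SEVERITY)
      REDACTYL_BASELINE: $(REDACTYL_BASELINE)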
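# Gate the build on the secret scan: Build runs only if the Scan stage succeeded.
stages:
  - stage: Scan
    jobs:
      - job: SecretScan
        steps:
          - script: |
              set -euo pipefail
              export PATH="$PATH:$(go env GOPATH)/bin"
              # NOTE(review): @latest is unpinned; pin a tagged release in practice.
              go install github.com/varalys/redactyl@latest
              # A non-zero exit fails this step, hence the stage, hence the gate.
              redactyl scan --no-tui
            displayName: 'Redactyl scan'

  - stage: Build
    dependsOn: Scan
    # `succeeded()` is already the default for a dependent stage; it is stated
    # explicitly so the gate is visible to readers.
    condition: succeeded()
    jobs:
      - job: BuildApp
        steps:
          - script: echo "Building..."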
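# Nightly deep scan of main (cron schedules are evaluated in UTC).
schedules:
  - cron: '0 0 * * *'
    displayName: 'Nightly scan'
    branches:
      include:
        - main
    # Without `always: true` the schedule is skipped when main has no new
    # commits since the last scheduled run. A nightly secret scan should run
    # regardless: new detection rules can find secrets in unchanged code.
    always: true

stages:
  - stage: NightlyScan
    jobs:
      - job: FullScan
        steps:
          - script: |
              set -euo pipefail
              export PATH="$PATH:$(go env GOPATH)/bin"
              # NOTE(review): @latest is unpinned; pin a tagged release in practice.
              go install github.com/varalys/redactyl@latest
              redactyl scan --deep --json > findings.json
            displayName: 'Nightly deep scan'

          # Keep the findings as an artifact, also when the scan step failed
          # on findings (the default `succeeded()` condition would skip this).
          - task: PublishBuildArtifacts@1
            condition: succeededOrFailed()
            inputs:
              pathToPublish: findings.json
              artifactName: 'SecurityScans'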