Integrate with Azure DevOps

Azure DevOps Setup

Complete guide for configuring Fluid Attacks' PR/MR scanner with Azure DevOps pipelines.

Overview

This guide covers the setup process for integrating Smells security analysis into Azure DevOps pipelines, including token creation, variable configuration, and pipeline examples.

Prerequisites

  • Azure DevOps organization with appropriate permissions
  • Repository with pull request workflow
  • Access to create Personal Access Tokens

Personal Access Token Creation

Step 1: Create PAT

  1. Navigate to Azure DevOps and click your profile icon
  2. Select User settings → Personal access tokens
  3. Click New Token
  4. Configure the token:
    • Name: Smells Security Analysis
    • Organization: Select your organization
    • Expiration: Set appropriate expiration date
    • Scopes: Select the following permissions:

Required Scopes

Scope   Permission     Purpose
Code    Read & write   Access repository content and pull requests

Step 2: Copy Token

  1. Click Create and immediately copy the generated token
  2. Store the token securely - it won't be shown again

Variable Configuration

Required Variables

Configure these variables in your Azure DevOps project:

Manual Variables (Secrets)

Variable Name      Description                            Type
FLUIDATTACKS_JWT   JWT token for the Fluid Attacks API    Secret
AZURE_TOKEN        Personal Access Token created above    Secret

Automatic Variables (System)

These are automatically provided by Azure DevOps:

Variable Name                        Description        Auto-Populated
SYSTEM_TEAMFOUNDATIONCOLLECTIONURI   Organization URI   Yes
SYSTEM_TEAMPROJECT                   Project name       Yes
BUILD_REPOSITORY_ID                  Repository UUID    Yes
SYSTEM_PULLREQUEST_PULLREQUESTID     Pull request ID    Yes (PR builds only)

Variable Groups Setup

Option 1: Variable Groups (Recommended)

  1. Navigate to Pipelines → Library → Variable groups
  2. Click + Variable group
  3. Name: smells-secrets
  4. Add the following variables:
     FLUIDATTACKS_JWT = [your-jwt-token] (Secret)
     AZURE_TOKEN = [your-pat-token] (Secret)

Save the variable group

Option 2: Pipeline Variables

Alternatively, configure variables directly in the pipeline:

  1. Edit your pipeline
  2. Go to Variables tab
  3. Add each required variable
  4. Mark sensitive variables as Secret

Pipeline Configuration

Basic Pipeline

# azure-pipelines.yml
# For Azure Repos Git, pull request builds are started by a Build validation
# branch policy on the target branch, not by a YAML trigger, so no pr: block
# is needed here.
trigger: none

pool:
  name: 'agent-pools'   # self-hosted pool with Docker installed; use vmImage: 'ubuntu-latest' for Microsoft-hosted agents

variables:
- group: smells-secrets   # variable group from Option 1; drop this if you use pipeline variables (Option 2)

jobs:
- job: FluidAttacksAnalysis
  displayName: 'Fluid Attacks Analysis'
  condition: eq(variables['Build.Reason'], 'PullRequest')   # only PR builds have a pull request ID
  steps:
  - checkout: self
    fetchDepth: 1

  - bash: |
      docker run --rm \
        -v "$(Build.SourcesDirectory):/src" \
        -w /src \
        -e SYSTEM_TEAMFOUNDATIONCOLLECTIONURI="$(System.TeamFoundationCollectionUri)" \
        -e SYSTEM_TEAMPROJECT="$(System.TeamProject)" \
        -e SYSTEM_PULLREQUEST_PULLREQUESTID="$(System.PullRequest.PullRequestId)" \
        -e BUILD_REPOSITORY_ID="$(Build.Repository.ID)" \
        -e AZURE_TOKEN \
        -e FLUIDATTACKS_JWT \
        fluidattacks/smells:latest smells-pipeline
    displayName: 'Executing Fluid Attacks Analysis'
    # Secret variables are not exposed to scripts automatically. Map them to
    # environment variables here and let docker read them with a bare -e NAME,
    # so the secret values never appear in the script body itself.
    env:
      AZURE_TOKEN: $(AZURE_TOKEN)
      FLUIDATTACKS_JWT: $(FLUIDATTACKS_JWT)

Permissions and Security

Required Permissions

Your Azure DevOps user/service account needs:

  • Repository: Read access to source code
  • Pull Requests: Read/write access to create discussions
  • Build: Read access to pipeline information

Token Security Best Practices

  • Use short expiration periods (30-90 days)
  • Regularly rotate tokens
  • Monitor token usage in audit logs
  • Never commit tokens to source control

Troubleshooting

Common Issues

1. Token Permission Errors

Error: Invalid Azure DevOps token or insufficient permissions

Solutions:

  • Verify the PAT has the scope listed under Required Scopes (Code: Read & write); that scope covers both reading the repository and creating pull request threads
  • Check token hasn't expired
  • Ensure token is for the correct organization

2. Missing Pull Request Context

Error: Neither GitLab nor Azure DevOps environment variables found

Solutions:

  • Ensure the run was started by a pull request (Build.Reason is PullRequest); SYSTEM_PULLREQUEST_PULLREQUESTID is only set in PR builds
  • For Azure Repos Git, PR builds are started by a Build validation branch policy on the target branch, not by a YAML trigger; the pr: YAML trigger only applies to GitHub and Bitbucket Cloud repositories
  • Check that the pull request targets the branch the policy is configured on

3. Organization URI Issues

Error: Invalid organization format

Solutions:

  • Check the SYSTEM_TEAMFOUNDATIONCOLLECTIONURI format: Azure DevOps sets it to https://dev.azure.com/{organization}/ (older organizations use https://{organization}.visualstudio.com/)
  • The organization name is extracted from that URI, so a value in any other shape fails validation
  • If you override the variable manually, copy the automatic value exactly; do not add extra path segments or trailing slashes
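The script below is an added example, not code from Fluid Attacks or from the fluidattacks/smells image. It reads the same six variables the docker run step passes and reports, before the scanner starts, which of the three cases above you are in: a missing variable (issue 2), a malformed organization URI (issue 3), or, when the optional live check is enabled, a token the Azure DevOps REST API rejects (issue 1). It assumes a POSIX sh with sed, base64 and curl on the agent; the pull request threads endpoint and api-version=7.1 are the REST API as I know it, not anything the Smells documentation specifies, so adjust the version if your organization pins a different one.

```shell
#!/bin/sh
# Pre-flight check for the Smells Azure DevOps integration (added example, not
# part of Smells). Run it as a bash step before the docker run step, or locally
# with the same variables exported, to see exactly which input is wrong.
set -eu

# Organization name from SYSTEM_TEAMFOUNDATIONCOLLECTIONURI. Trailing slashes
# are stripped first; both URI shapes Azure DevOps emits are accepted.
ado_org_from_uri() {
  uri=$(printf '%s' "$1" | sed -e 's#/*$##')
  case "$uri" in
    https://dev.azure.com/*)
      printf '%s' "${uri#https://dev.azure.com/}" | cut -d/ -f1 ;;
    https://*.visualstudio.com)
      host=${uri#https://}
      printf '%s' "${host%.visualstudio.com}" ;;
    *)
      return 1 ;;
  esac
}

# Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name.
ado_auth_header() {
  printf 'Authorization: Basic %s' "$(printf ':%s' "$1" | base64 | tr -d '\n')"
}

# Endpoint the scanner needs the PAT to reach: the PR's comment threads.
# Arguments: collection URI, project, repository id, pull request id.
# api-version 7.1 is an assumption; use the version your organization supports.
ado_pr_threads_url() {
  base=$(printf '%s' "$1" | sed -e 's#/*$##')
  project=$(printf '%s' "$2" | sed -e 's/ /%20/g')   # project names may contain spaces
  printf '%s/%s/_apis/git/repositories/%s/pullRequests/%s/threads?api-version=7.1' \
    "$base" "$project" "$3" "$4"
}

# Returns 0 when the PR context is complete and well-formed, 1 otherwise,
# printing one line per problem so the pipeline log shows what is missing.
smells_preflight() {
  rc=0
  for v in SYSTEM_TEAMFOUNDATIONCOLLECTIONURI SYSTEM_TEAMPROJECT \
           BUILD_REPOSITORY_ID SYSTEM_PULLREQUEST_PULLREQUESTID \
           AZURE_TOKEN FLUIDATTACKS_JWT; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2   # an unset PR id means this is not a PR build (issue 2)
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1

  if ! org=$(ado_org_from_uri "$SYSTEM_TEAMFOUNDATIONCOLLECTIONURI"); then
    echo "invalid organization URI: $SYSTEM_TEAMFOUNDATIONCOLLECTIONURI" >&2   # issue 3
    return 1
  fi
  url=$(ado_pr_threads_url "$SYSTEM_TEAMFOUNDATIONCOLLECTIONURI" "$SYSTEM_TEAMPROJECT" \
        "$BUILD_REPOSITORY_ID" "$SYSTEM_PULLREQUEST_PULLREQUESTID")
  echo "organization=$org"
  echo "pr_threads_url=$url"

  # Optional live check, only when asked for, so the script also works offline.
  # A 401 or 403 here is the token/scope problem from issue 1; curl -f fails on it.
  if [ "${SMELLS_PREFLIGHT_ONLINE:-0}" = 1 ]; then
    curl -fsS -o /dev/null -w 'pr_threads_http=%{http_code}\n' \
      -H "$(ado_auth_header "$AZURE_TOKEN")" "$url"
  fi
}

# `sh smells-preflight.sh run` executes the check; sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then
  smells_preflight
fi
```

In the pipeline, add it as a bash step before the docker run step with the same env: mapping for AZURE_TOKEN and FLUIDATTACKS_JWT, and set SMELLS_PREFLIGHT_ONLINE=1 only when you want the PAT exercised against the API; the Authorization header is built from the PAT in the same way the REST API expects it, so a 401 there means the token itself, not the scanner, is the problem.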
Idea: Integrating with GitLab instead? Read the guide!