Run CybeDefend scans in your on-prem Azure DevOps Server pipeline, maintaining code on your own infrastructure while benefiting from automated security checks.

Prerequisites

  • API Key: Create one in your CybeDefend profile.
  • Agent Permissions: Ensure your self-hosted agent can install or run the CybeDefend CLI.
  • Azure DevOps Access: Sufficient rights to modify your pipeline definition.

Make sure the agent’s OS matches one of our supported CLI binaries (Windows, Linux, or macOS).

Example azure-pipelines.yml

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
  - script: |
      curl -L https://github.com/CybeDefend/cybedefend-cli/releases/download/v1.0.0/cybedefend-linux-amd64 -o cybedefend
      chmod +x cybedefend
      sudo mv cybedefend /usr/local/bin/
    displayName: 'Install CybeDefend CLI'

  - script: |
      cybedefend scan --dir . \
        --ci \
        --api-key $(CYBEDEFEND_API_KEY) \
        --project-id $(CYBEDEFEND_PROJECT_ID)
    displayName: 'Run CybeDefend Scan'

Explanation

  1. checkout: self
    Ensures your code is present on the build agent.
  2. Download & Install
    Grabs the CLI binary, grants permissions, and moves it to /usr/local/bin.
  3. Run the Scan
    The --ci flag keeps the output minimal. We rely on environment variables for the API key and project ID.

Viewing Scan Results

  1. CLI Output
    The console output shows a summary of detected issues.
  2. CLI “results”
    If you want more detail in the pipeline logs, add a step: 
    - script: |
    cybedefend results --project-id $(CYBEDEFEND_PROJECT_ID) --all --output sarif
  displayName: 'Fetch Results in SARIF'
  3. CybeDefend Dashboard
    Login to your CybeDefend account to see a full vulnerability breakdown.

Large repos can take extra time to upload. Ensure your pipeline has enough timeout for the scan process.

For advanced gating, fail the job if a certain severity is found. Combine —ci with parsing the CLI exit codes or vulnerability count from the JSON output.