Run CybeDefend scans in your on-prem Azure DevOps Server pipeline, maintaining code on your own infrastructure while benefiting from automated security checks.
Prerequisites
- API Key: Create one in your CybeDefend profile.
- Agent Permissions: Ensure your self-hosted agent can install or run the CybeDefend CLI.
- Azure DevOps Access: Sufficient rights to modify your pipeline definition.
Make sure the agent’s OS matches one of our supported CLI binaries (Windows, Linux, or macOS).
Example azure-pipelines.yml
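
trigger:
  - main

# vmImage selects a Microsoft-hosted agent. On Azure DevOps Server, point this at
# your self-hosted agent pool instead (pool: name: <your-pool-name>).
pool:
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self

  - script: |
      # -f makes curl fail on an HTTP error instead of saving the error page as the binary
      curl -fL https://github.com/CybeDefend/cybedefend-cli/releases/download/v1.0.0/cybedefend-linux-amd64 -o cybedefend
      chmod +x cybedefend
      sudo mv cybedefend /usr/local/bin/
    displayName: 'Install CybeDefend CLI'

  - script: |
      cybedefend scan --dir . \
        --ci \
        --api-key $(CYBEDEFEND_API_KEY) \
        --project-id $(CYBEDEFEND_PROJECT_ID)
    displayName: 'Run CybeDefend Scan'
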
Explanation
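- checkout: self
  Ensures your code is present on the build agent.
- Download & Install
  Downloads the CLI binary, marks it executable, and moves it to /usr/local/bin.
- Run the Scan
  The --ci flag keeps the output minimal. We rely on variables for the API key and project ID: $(CYBEDEFEND_API_KEY) and $(CYBEDEFEND_PROJECT_ID) are pipeline variables that Azure Pipelines substitutes before the script runs. Define the API key as a secret variable so that it is masked in the logs.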
Viewing Scan Results
- CLI Output
  The console output shows a summary of detected issues.
- CLI “results”
  If you want more detail in the pipeline logs, add a step:

    - script: |
        cybedefend results --project-id $(CYBEDEFEND_PROJECT_ID) --all --output sarif
      displayName: 'Fetch Results in SARIF'

- CybeDefend Dashboard
  Log in to your CybeDefend account to see a full vulnerability breakdown.
Large repos can take extra time to upload. Ensure your pipeline's timeout is long enough for the scan to finish.
For advanced gating, fail the job if a certain severity is found: combine --ci with a check of the CLI exit code or of the vulnerability count parsed from the JSON output.
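
A severity gate of the kind described above, as an added example (not CybeDefend's own code). It assumes the SARIF from `cybedefend results ... --output sarif` has been saved to a file (the names `results.sarif` and `sarif_gate.py` are hypothetical) and relies only on the standard SARIF 2.1.0 `level` field, not on any CybeDefend-specific schema; `SAMPLE` is constructed data.

```python
import json
import sys

LEVELS = ["none", "note", "warning", "error"]  # SARIF 2.1.0 levels, low to high

# Constructed sample log (not real CybeDefend output): one explicit error, one
# result inheriting "note" from its rule, one with no level at all (-> warning).
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example", "rules": [
        {"id": "R1", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "R9", "level": "error", "message": {"text": "a"}},
        {"ruleId": "R1", "ruleIndex": 0, "message": {"text": "b"}},
        {"ruleId": "R2", "message": {"text": "c"}}]}]}

def result_level(result, rules):
    """Explicit level, else the rule's default level, else 'warning'."""
    if "level" in result:
        return result["level"]
    idx = result.get("ruleIndex", -1)
    rule = rules[idx] if 0 <= idx < len(rules) else {}
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def gate(sarif, fail_on="error"):
    """Return (blocking, counts); blocking = results at or above fail_on."""
    counts = dict.fromkeys(LEVELS, 0)
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results") or []:  # "results" may be null
            level = result_level(result, rules)
            counts[level if level in LEVELS else "error"] += 1  # unknown: fail closed
    threshold = LEVELS.index(fail_on)  # ValueError on an unknown level name
    blocking = sum(counts[lvl] for lvl in LEVELS[threshold:])
    return blocking, counts

def main(path, fail_on="error"):
    """Gate one SARIF file; the return value is the process exit code."""
    with open(path, encoding="utf-8") as fh:
        blocking, counts = gate(json.load(fh), fail_on)
    print(f"SARIF results by level: {counts}")
    if blocking:
        # Azure Pipelines logging command: shown as an error on the build.
        print(f"##vso[task.logissue type=error]{blocking} finding(s) at or above {fail_on}")
    return 1 if blocking else 0

if __name__ == "__main__" and len(sys.argv) > 1:  # sarif_gate.py results.sarif [level]
    sys.exit(main(*sys.argv[1:3]))
```

A non-zero exit code fails the script step, so the job stops when any result reaches the chosen level.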