Azure Pipelines Integration
Introduction
Azure Pipelines combines continuous integration (CI) and continuous delivery (CD) to test, build and ship your code to any target.
Using the Xygeni Task for Azure Pipelines
The simplest way to run the scanner in Azure Pipelines is to use the Xygeni Task. The task uses the Xygeni CLI to scan the software for vulnerabilities, malware and misconfigurations.
The API token should be registered safely as a (secret) pipeline variable. If you name the variable XYGENI_TOKEN, the task will look for it automatically. Otherwise, you can pass it in an environment variable such as XYGENI_TOKEN and set the input property xygeniToken = 'env:XYGENI_TOKEN'.
Installation
From the Xygeni Task page in the Azure DevOps Marketplace, you can install the task for an Azure DevOps organization by clicking the Get it free button and then selecting the Azure DevOps organizations where you want to install it.
For Azure DevOps Server, the task can be downloaded as a .vsix file and installed from your Azure DevOps Server Extensions page (for example, http://someserver/_gallery/manage). Click Upload new extension, select the downloaded .vsix file, click Install and select the Team Project Collection to install into.
Adding the task as a pipeline step
Edit your pipeline and add the Xygeni task as a pipeline step: in the Task Assistant, filter by Xygeni and click Xygeni Security Scanner:

Edit the scan properties (1) by choosing the scan operations and the directory to scan, then click the Add button to add the YAML to the pipeline.

By default, the XYGENI_TOKEN (secret) pipeline variable will be used if the Xygeni API Token field is not specified.
You can also edit the YAML source directly (2) in the Pipeline Editor. Autocomplete will work to help you fill in the task properties.
Task properties
The following is an example of the Xygeni task, including the most relevant parameters.
steps:
# ...Other build steps here...
- task: xygeni-scanner@1
  displayName: 'Run Xygeni Scanner'
  env:
    XYGENI_TOKEN: $(XYGENI_TOKEN)
    # Token for checking Azure DevOps configuration for misconfigurations
    AZURE_TOKEN: $(AZURE_TOKEN)
  inputs:
    scanDirectory: '$(Build.Repository.LocalPath)'
    xygeniToken: 'env:XYGENI_TOKEN'
    deps: true
    inventory: true
    secrets: true
    misconfig: true
    suspectdeps: true
    iac: true
    outputFile: '$(Build.ArtifactStagingDirectory)/xygeni/findings.json'
    outputFormat: json
- task: PublishBuildArtifacts@1
  displayName: 'Publish xygeni findings as artifacts'
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)/xygeni'
    ArtifactName: 'Xygeni_findings'
Using the installation script
Another option is to download and unzip the scanner and run the CLI. Suppose that the secret xygeniToken stores the Xygeni API token. In a Linux runner, you may use the Bash task:
steps:
- task: Bash@3
  displayName: 'Install xygeni scanner'
  inputs:
    targetType: 'inline'
    # A literal block scalar (|) keeps each command on its own line. A folded
    # scalar (>) would join the three lines into one command, passing the
    # unzip/rm text as extra arguments to curl.
    script: |
      curl -s -L https://get.xygeni.io/latest/scanner/xygeni-release.zip -o xygeni_scanner.zip
      unzip -qq xygeni_scanner.zip -d $(Pipeline.Workspace)
      rm xygeni_scanner.zip
- task: Bash@3
  displayName: 'Scan for issues'
  inputs:
    targetType: 'inline'
    # Change the command arguments to match your needs.
    # Values under env: are environment variables of this step, so the shell
    # reads them as $PROJECT_NAME; the $(...) macro syntax only expands pipeline
    # variables (such as $(Pipeline.Workspace)) and would otherwise reach bash
    # literally, where it is treated as a command substitution.
    script: |
      echo "Starting Xygeni scan for $PROJECT_NAME"
      $(Pipeline.Workspace)/xygeni_scanner/xygeni scan -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
  env:
    PROJECT_NAME: $(System.TeamProject)
    PROJECT_HOME: $(Build.SourcesDirectory)
    XYGENI_TOKEN: $(xygeniToken)
Under Windows, you may use the PowerShell task instead of the Bash task, and run xygeni.ps1 instead:
steps:
- task: PowerShell@2
  displayName: 'Install xygeni scanner'
  inputs:
    targetType: 'inline'
    script: |
      $zipPath = "xygeni_scanner.zip"
      $extractPath = "$(Pipeline.Workspace)"
      Write-Host "Downloading Xygeni scanner..."
      Invoke-WebRequest -Uri "https://get.xygeni.io/latest/scanner/xygeni-release.zip" -OutFile $zipPath
      Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force
      Remove-Item $zipPath -Force
- task: PowerShell@2
  displayName: 'Scan for issues'
  inputs:
    targetType: 'inline'
    # Change the command arguments to match your needs.
    # Values under env: are read in PowerShell through the $env: drive.
    script: |
      Write-Host "Starting Xygeni scan for $env:PROJECT_NAME"
      $scannerScript = "$(Pipeline.Workspace)\xygeni_scanner\xygeni.ps1"
      & $scannerScript scan -n $env:PROJECT_NAME --dir $env:PROJECT_HOME
  env:
    PROJECT_NAME: $(System.TeamProject)
    PROJECT_HOME: $(Build.SourcesDirectory)
    XYGENI_TOKEN: $(xygeniToken)