CI secret scanning for Azure Pipelines

Azure Pipelines is supported with GitHub, Bitbucket, or GitLab repositories

To configure CI secret scanning for Azure Pipelines, you will need to create two pipeline variables and create or add to your yaml pipeline script.

Note: This CI integration supports scanning of pull requests.

Create Variables:

The following two pipeline variables need to be created whether you are creating a new pipeline or using an existing pipeline:

Name: BLUBRACKET_INTEGRATION_KEY

Value: Create a BluBracket Integration API token

Steps to create a BluBracket API token:
https://support.blubracket.com/hc/en-us/articles/4403018405140-Event-and-Alert-APIs

Name: BLUBRACKET_CI_CD_API

Value: https://[your BluBracket tenant name]/api/analyzer/commit/scan
Example: https://acme.blubracket.com/api/analyzer/commit/scan

Pipeline Script:
The following should be added to your pipeline script:

trigger:
  branches:
    include:
    - main

pr:
  branches:
    include:
    - main

pool:
  vmImage: 'ubuntu-18.04'

jobs:
- job: Build
  timeoutInMinutes: 15
  workspace:
    clean: all
  steps:

  - task: Bash@3
    displayName: 'Run BluBracket Secret Scan'
    inputs:
      targetType: 'inline'
      script: |
        set -ax
        docker run \
        -e SYSTEM_PULLREQUEST_PULLREQUESTNUMBER="${SYSTEM_PULLREQUEST_PULLREQUESTNUMBER}" \
        -e BLUBRACKET_CI_CD_API="${BLUBRACKET_CI_CD_API}" \
        -e BLUBRACKET_CI_CD_TOKEN="${BLUBRACKET_INTEGRATION_KEY}" \
        -e BUILD_REPOSITORY_URI="${BUILD_REPOSITORY_URI}" \
        blubracket/ci-cd-scan:latest
    env:
      BLUBRACKET_CI_CD_API: $(BLUBRACKET_CI_CD_API)
      BLUBRACKET_INTEGRATION_KEY: $(BLUBRACKET_INTEGRATION_KEY)
    condition: eq(variables['Build.Reason'], 'PullRequest')

Related articles