Azure Pipelines
Qodana Scan is an Azure Pipelines task packed inside the Qodana Azure Pipelines extension to scan your code with Qodana.
After you've installed the Qodana Azure Pipelines extension in your organization, configure the Qodana Scan task by editing your azure-pipelines.yml file:
```yaml
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: Cache@2 # Not required, but Qodana will open projects with cache faster.
  inputs:
    key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
    path: '$(Agent.TempDirectory)/qodana/cache'
    restoreKeys: |
      "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
      "$(Build.Repository.Name)"
- task: QodanaScan@2024
```
Triggering this job depends on the repository type that you are using in Azure Pipelines.
If you use the classic editor to create pipelines, add the Qodana Scan task to the pipeline configuration and then click it to open the task configuration. The fields are described in the Configuration chapter of this section.
The task can run on any OS and on x86_64 or arm64 CPUs, but it requires Docker to be installed on the agent. Since most Qodana Docker images are Linux-based, the Docker daemon must be able to run Linux containers.
Alternatively, you can configure your pipelines using the Classic interface as explained on the Microsoft documentation portal.
To send analysis results to Qodana Cloud, all you need to do is specify the QODANA_TOKEN environment variable in the build configuration. If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by declaring the QODANA_ENDPOINT environment variable.
In the Azure Pipelines UI, create the QODANA_TOKEN secret variable and save the project token as its value. In the Azure pipeline file, add the QODANA_TOKEN variable to the env section of the QodanaScan task:
```yaml
- task: QodanaScan@2024
  env:
    QODANA_TOKEN: $(QODANA_TOKEN)
```
After the token is set for analysis, all Qodana Scan job results will be uploaded to your Qodana Cloud project.
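A complete azure-pipelines.yml that combines the pieces above, as an added example that is not from the Qodana documentation or the extension itself: the cache step, the scan task with the secret token mapped into env, the QODANA_ENDPOINT override for a non-default Qodana Cloud instance, and a Qodana CLI argument passed through the args input. The endpoint URL and the fail-threshold value are placeholders; the explicit env mapping matters because Azure Pipelines does not expose secret variables to tasks as environment variables on its own.

```yaml
# Added example: full azure-pipelines.yml combining the steps described on this page.
# Assumptions: QODANA_TOKEN is defined as a secret variable in the Azure Pipelines UI,
# and https://qodana.example.com is a placeholder for a self-hosted Qodana Cloud endpoint.
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: Cache@2 # Optional: restores Qodana caches between runs so projects open faster.
  inputs:
    key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
    path: '$(Agent.TempDirectory)/qodana/cache'
    restoreKeys: |
      "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
      "$(Build.Repository.Name)"

- task: QodanaScan@2024
  inputs:
    # Additional Qodana CLI arguments, comma-separated. --fail-threshold makes the
    # scan exit non-zero (and the job fail) when the number of problems exceeds 10.
    args: --fail-threshold,10
  env:
    # Secret variables are not passed to tasks automatically; map them explicitly.
    QODANA_TOKEN: $(QODANA_TOKEN)
    # Only needed when you are not using https://qodana.cloud/ (placeholder URL).
    QODANA_ENDPOINT: https://qodana.example.com
```

Keep the token in a secret variable rather than inline in the YAML, so it is masked in logs and not committed to the repository.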
To display the Qodana report summary on the 'Scans' tab of the Azure DevOps UI, install the Microsoft DevLabs' SARIF SAST Scans Tab extension.
You will probably not need any option other than args; the other options are helpful when you configure multiple Qodana Scan jobs in one workflow.
| YAML option | UI element of the classic editor | Description | Default Value |
|---|---|---|---|
| args | Qodana CLI arguments | Additional Qodana CLI arguments | None |
| | Results Directory | Directory to store the analysis results. Optional. | |
| | Upload Result | Upload Qodana results as an artifact to the job. Optional. | |
| | Upload SARIF | Upload qodana.sarif.json as a qodana.sarif artifact to the job. Optional. | |
| | Artifact Name | Specify the Qodana results artifact name, used for results uploading. Optional. | |
| | Cache Directory | Directory to store Qodana caches. Optional. | |