Azure DevOps

Pencheff ships a parameterized Azure Pipelines template at apps/azure-devops/azure-pipelines.yml.

Quick start

Reference the template in your azure-pipelines.yml:

extends:
  template: apps/azure-devops/azure-pipelines.yml@pencheff
  parameters:
    target: 'https://your-app.example.com'
    failOn: 'high'

Set PENCHEFF_API_TOKEN as a secret pipeline variable in Azure DevOps → Pipelines → Edit → Variables.
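
The `@pencheff` suffix in the template path is a repository resource alias, which Azure Pipelines resolves from a `resources.repositories` entry in the same file. The following complete azure-pipelines.yml is an added example, not taken from the Pencheff documentation; it assumes the template repository is hosted on GitHub, and the repository name, service connection and tag are placeholders.

```yaml
# Added example. Values in <angle brackets> are placeholders (assumptions),
# not identifiers published by Pencheff.

resources:
  repositories:
    - repository: pencheff                      # alias used after "@" in the template path
      type: github                              # assumption; use "git" for an Azure Repos mirror
      name: '<org>/<pencheff-repo>'             # placeholder repository name
      endpoint: '<github-service-connection>'   # placeholder; required for type: github
      ref: 'refs/tags/<release-tag>'            # pin to a reviewed tag, not a moving branch

extends:
  template: apps/azure-devops/azure-pipelines.yml@pencheff
  parameters:
    target: 'https://your-app.example.com'
    profile: 'cicd'                  # documented default, written out for clarity
    failOn: 'high'                   # a finding at or above this severity fails the build
    artifactName: 'pencheff-report'  # documented default

# PENCHEFF_API_TOKEN is deliberately absent from this file: it stays a secret
# pipeline variable defined in the Azure DevOps UI and is never committed.
```

Pinning `ref` means a change to the template's steps reaches your pipeline only after you review it and update the tag.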

Parameters

Parameter      Default           Description
target         (required)        Target URL or HOST:PORT
profile        cicd              quick | standard | deep | api-only | compliance | cicd
failOn         high              Minimum severity to fail the build
apiBase        (empty)           Hosted Pencheff API base URL
engagementId   (empty)           Scope scan to a specific engagement
artifactName   pencheff-report   Name of the published build artifact

Inline usage

If you prefer not to use the extends pattern, copy the steps: section from apps/azure-devops/azure-pipelines.yml directly into your existing pipeline.

Exit codes

Code    Meaning
0       No findings at or above failOn severity
2       At least one finding at or above threshold (build fails)
other   Scan error (network, auth, config)

Report artifact

The scan report (JSON + Markdown) is published as a build artifact under the name specified by artifactName. Access it in Azure DevOps → Pipelines → [run] → Artifacts.