Scanning CodeScan Cloud projects in Azure DevOps

Prerequisites

• CodeScan version 4.4+
• An Azure DevOps Project for your Salesforce code.

Install the CodeScan Cloud Extension

• At the top right of your screen, click the Marketplace icon. Select Browse Marketplace.
• Search for CodeScan, select the CodeScan Cloud extension and click Get it free
• Select your account and complete the installation.

Setup

• On your Project Dashboard, select Pipeline>Pipelines and create a new Pipeline.
• One the "Where is your code?" page, click "Use the classic editor to create a pipeline without YAML".  See below and follow the correct instructions for your source code location.

Azure DevOps Repo

• Select Azure Repos Git and your Repository name
• For your default branch, select the branch you would like to check pull requests against. Keep this branch name in mind, we will use it later in the setup.  Click Continue.
• On the Select a Template page, select the Salesforce with CodeScan Cloud template and click Apply.
• In the Agent pool dropdown menu, select Azure Pipelines.
• In the Agent Specification dropdown menu select ubuntu-20.04
• Click the Prepare Analysis on CodeScan Cloud section, create a new Service Endpoint.
  • You will need a token from your CodeScan Cloud account for this step. Learn how to create one here.
  • Add a name for your connection.
  • Make sure to verify the connection before leaving the pop-up.

• Select your new Service Endpoint and the Organisation you would like to connect to from the dropdown menu.
  • If you are not sure, the Organisation key is available at the top left of your Organisation page.

• Under "Choose a way to run the analysis" select Use standalone scanner.
• Under "Mode", make sure Manually provide configuration is checked.

Now, in CodeScan Cloud we can set up the project.

• In your selected CodeScan Cloud organisation navigate to Administration > Projects Management
• Click Create Project
• Enter your desired Project Name and Project Key and click Create.  Keep these in mind, we'll need them in a second.
• Click on your new empty project and navigate to Administration > Branches and Pull Requests
• Change your main branch name to the name of the default branch that you selected

Now, back to Azure DevOps.

• Enter the Project Name and Project Key You just created.
• Click Save and Queue and let the analysis complete to see your results in CodeScan Cloud.

Triggering Builds from an Azure Devops Repository

To trigger the builds you will need to create a build policy on the branch you would like to check pull requests against.

• Navigate to Repos > Branches.
• Click on the More... menu for the desired branch and click Branch Policies.
• In the Build Validation section, add a new build policy.
• Select your new pipeline, select Automatic for the Trigger settings and choose your policy requirements.

This pipeline will now run when:

1. Pull requests are created against the branch
2. Pull requests are updated
3. Pull requests are merged

And the project branches on CodeScan Cloud will be updated accordingly.

Breaking the builds

To break the builds based on the Quality Gate once this analysis has run, you can add a powershell script to the pipeline.

• First create a security token and add it as a variable named CODESCAN_TOKEN in your pipeline Variables menu. 
• In your pipeline Agent Specification, change the dropdown to windows-2019
• Add a PowerShell step to your pipeline after the Publish Quality Gate step and add the following script inline, changing the bold project_key to your actual project key.

$token = [System.Text.Encoding]::UTF8.GetBytes($env:CODESCAN_TOKEN + ":")
$base64 = [System.Convert]::ToBase64String($token)
 
$basicAuth = [string]::Format("Basic {0}", $base64)
$headers = @{ Authorization = $basicAuth }

$URL = [string]::Format("https://app.codescan.io/api/qualitygates/project_status?projectKey=azure-devops&branch={0}", $env:BUILD_SOURCEBRANCHNAME)

$result = Invoke-RestMethod -Method Get -Uri $URL  -Headers $headers
$result | ConvertTo-Json | Write-Host
 
if ($result.projectStatus.status -eq "OK") {
Write-Host "Quality Gate Succeeded"
}else{
throw "Quality Gate failed"
}

The pipeline will now fail if the quality gates for the project are not passed.