
Azure DevOps

Coana can be integrated into your Azure DevOps repository using Azure DevOps pipeline actions.

Generate an API key

Go to Settings → API Keys to generate an API key.

Add the generated API key as a repository secret

Add the generated API key to your repository by creating a pipeline variable with the name COANA_API_KEY in your Azure DevOps pipeline settings. You can do this by:

  1. Going to your pipeline settings
  2. Selecting “Variables”
  3. Adding a new variable named COANA_API_KEY
  4. Marking it as “Secret” to keep it secure

You can also add a variable group in your Azure DevOps project settings that can be shared across multiple pipelines. The variable group will be available to all pipelines in the project that reference it, making it a better option if you need to run Coana across many repositories.

Create the workflow file

Create a new pipeline file in your Azure DevOps repository and copy the template provided below into it. You can name it coana-analysis.yml.

coana-analysis.yml
trigger: none

schedules:
  - cron: '0 3 * * *' # Runs every day at 3 AM (Azure Pipelines cron schedules are in UTC)
    displayName: 'Daily Coana Vulnerability Analysis'
    branches:
      include:
        # Adjust if needed
        - main
        - master

pool:
  vmImage: ubuntu-latest

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
    displayName: 'Install Node.js'

  - checkout: self

  - script: |
      # Adjust --repo-url to match your source control system.
      # (A comment placed between the continued lines would end the command early.)
      npx @coana-tech/cli run . \
        --api-key "$COANA_API_KEY" \
        --repo-url "https://github.com/$(Build.Repository.Name)"
    displayName: 'Coana Scan'
    env:
      # Secret variables are not exposed to scripts automatically; map them explicitly.
      COANA_API_KEY: $(COANA_API_KEY)

You can adjust the cron schedule to run at a different time or frequency. Remember to also adjust the --repo-url value to match your source control system.
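The repo-url adjustment mentioned above, combined with a check that the secret was actually mapped into the step, as an added example (not part of Coana's documentation or CLI). The function names are hypothetical, and using Build.Repository.Uri (BUILD_REPOSITORY_URI in the step's environment) as the value for --repo-url is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not Coana's code: preflight checks for the 'Coana Scan' step.

# Azure Pipelines leaves an undefined macro such as $(COANA_API_KEY) unexpanded,
# so a missing secret shows up as that literal text, not as an empty string.
api_key_is_usable() {
  case "$1" in
    ''|'$('*')') return 1 ;;     # empty, or an unexpanded $(...) macro
    *[[:space:]]*) return 1 ;;   # whitespace suggests a mangled paste
    *) return 0 ;;
  esac
}

# Normalise a clone URL for --repo-url: accept only http(s), drop any
# user[:password]@ part of the authority, then a trailing "/" or ".git".
clean_repo_url() {
  local url="$1" scheme rest host path
  case "$url" in
    https://*|http://*) ;;
    *) return 1 ;;
  esac
  scheme=${url%%://*}
  rest=${url#*://}
  host=${rest%%/*}
  path=${rest#"$host"}
  host=${host##*@}
  [ -n "$host" ] || return 1
  url="$scheme://$host$path"
  url=${url%/}
  url=${url%.git}
  printf '%s\n' "$url"
}

# Prints the cleaned URL on success; explains the failure on stderr otherwise.
preflight() {
  local key="$1" uri="$2"
  if ! api_key_is_usable "$key"; then
    echo "COANA_API_KEY is missing or was not mapped into this step" >&2
    return 1
  fi
  clean_repo_url "$uri" || { echo "unexpected repository URI" >&2; return 1; }
}

# Demo on constructed values; prints https://dev.azure.com/myorg/proj/_git/app
preflight 'constructed-key' 'https://myorg@dev.azure.com/myorg/proj/_git/app'
```

In the pipeline step, capture the result of preflight "$COANA_API_KEY" "$BUILD_REPOSITORY_URI" into a variable, stop the step if it fails, and pass that variable to --repo-url.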

Create the new pipeline

Finally, create a new pipeline in your Azure DevOps project and select the repository you want to scan. Then choose configuration ‘Existing Azure Pipelines YAML file’ and select the coana-analysis.yml file you created earlier.

💡 A new project is automatically created in Coana when you submit your first report if a project matching its repository URL or project name doesn't already exist. There is no reason to manually create the project in Coana first.

💡 You can change the reachability analyzers' memory limit by using the --memory-limit <memoryMB> flag (defaults to 8GB). For example, to increase the memory limit to 16GB, use --memory-limit 16384.

You don’t need to install project dependencies, such as by running npm install, before using Coana, as Coana will handle the installation of the dependencies for you. However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually.

It’s not necessary to compile or bundle your code prior to running Coana.

We recommend configuring Coana to run daily as in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.