From 9cb537a340b863513cc5b03e286c536774c88934 Mon Sep 17 00:00:00 2001 From: appsechq-brian Date: Wed, 22 Apr 2026 17:15:22 -0400 Subject: [PATCH] Use ADO Library variable group for credentials; harden jq install Two small improvements based on end-to-end testing in Azure DevOps: Variable group for credentials - All three top-level pipelines now reference an ADO Library variable group named 'cycode-credentials' via 'variables: - group: ...' instead of expecting CYCODE_CLIENT_ID / CYCODE_CLIENT_SECRET as bare secret pipeline variables. Single source of truth for credential rotation (ideally backed by Key Vault) and fewer pipelines to update when the service account changes. jq install hardening - The 'apt-get || true' form silently masked failures on agents without apt-get (macOS, RHEL, Windows, distroless). Now: detect apt-get, fall back to brew, and fail loudly with a clear 'Preinstall jq on the agent' message if neither is available. --- azure-pipelines-api-gate.yml | 22 ++++++++++++++++++---- azure-pipelines-publish-results.yml | 6 +++++- azure-pipelines-template-consumer.yml | 5 +++++ templates/cycode-scan.yml | 9 ++++++++- 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/azure-pipelines-api-gate.yml b/azure-pipelines-api-gate.yml index 69dc86d..f42d121 100644 --- a/azure-pipelines-api-gate.yml +++ b/azure-pipelines-api-gate.yml @@ -4,7 +4,8 @@ # Fails the build if any match the filters below. # # Prereqs (one-time in Azure DevOps): -# - Secret pipeline variables CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET +# - Library variable group 'cycode-credentials' with CYCODE_CLIENT_ID and +# CYCODE_CLIENT_SECRET (both marked secret). # - Agent pool 'Default' (self-hosted) or change to 'ubuntu-latest' # # Run manually: Pipelines → this pipeline → Run 
@@ -15,16 +16,29 @@ pool: name: Default variables: + # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library. + - group: cycode-credentials # Must match the repo name shown in Cycode's Violations UI. # Bare repo name as stored in Cycode's RIG — NOT "owner/repo". - REPO_NAME: "vectorvictor" + - name: REPO_NAME + value: "vectorvictor" steps: - checkout: self - script: | - if ! command -v jq >/dev/null 2>&1; then - sudo apt-get update -qq && sudo apt-get install -y -qq jq || true + set -e + if command -v jq >/dev/null 2>&1; then + jq --version + exit 0 + fi + if command -v apt-get >/dev/null 2>&1; then + sudo apt-get update -qq && sudo apt-get install -y -qq jq + elif command -v brew >/dev/null 2>&1; then + brew install jq + else + echo "##vso[task.logissue type=error]jq is not installed and no supported package manager (apt-get, brew) was found. Preinstall jq on the agent." + exit 1 fi jq --version displayName: "Ensure jq is available" diff --git a/azure-pipelines-publish-results.yml b/azure-pipelines-publish-results.yml index 56904da..66262a3 100644 --- a/azure-pipelines-publish-results.yml +++ b/azure-pipelines-publish-results.yml @@ -15,7 +15,11 @@ pool: name: Default variables: - SCAN_PATH: "./vulnerable_apps/" + # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library. + # Create via Pipelines → Library → + Variable group → 'cycode-credentials'. + - group: cycode-credentials + - name: SCAN_PATH + value: "./vulnerable_apps/" steps: - checkout: self diff --git a/azure-pipelines-template-consumer.yml b/azure-pipelines-template-consumer.yml index 9be7938..8d61dc5 100644 --- a/azure-pipelines-template-consumer.yml +++ b/azure-pipelines-template-consumer.yml @@ -21,6 +21,11 @@ trigger: none pr: none +variables: + # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library. + # Create via Pipelines → Library → + Variable group → 'cycode-credentials'. + - group: cycode-credentials + extends: template: templates/cycode-scan.yml parameters: 
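Review bot: In the apt-get branch of the new "Ensure jq is available" script, `set -e` does not stop the script when `sudo apt-get update -qq` fails, because a failing command inside a `&&` list only triggers exit when it is the last element of the list; the install is skipped, execution falls through to the trailing `jq --version`, and the step fails with a "command not found" error instead of the apt error that caused it. Splitting the list lets `set -e` surface the real failure: `sudo apt-get update -qq` on one line and `sudo apt-get install -y -qq jq` on the next. The same `&&` form is used in the templates/cycode-scan.yml hunk below.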
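Review bot: The new comment `# Create via Pipelines → Library → + Variable group → 'cycode-credentials'.` in azure-pipelines-publish-results.yml explains how to create the group but not how to scope it; a variable group that is opened to all pipelines can be referenced by any pipeline definition in the project, which would expose CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET well beyond these three pipelines. Suggest adding `# Do not grant access to all pipelines; authorize only the pipelines that consume this group.` under that comment. The same two-line comment is added in azure-pipelines-template-consumer.yml, and the shorter `# Pulls ... from ADO Library.` comment in azure-pipelines-api-gate.yml would benefit from the same sentence. How the two secrets are mapped into the script steps that use them is outside these hunks, so I could not confirm it.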
diff --git a/templates/cycode-scan.yml b/templates/cycode-scan.yml index 9afbf64..2b117d2 100644 --- a/templates/cycode-scan.yml +++ b/templates/cycode-scan.yml @@ -66,7 +66,14 @@ stages: python3 -m pip install --upgrade pip pip install cycode if ! command -v jq >/dev/null 2>&1; then - sudo apt-get update -qq && sudo apt-get install -y -qq jq || true + if command -v apt-get >/dev/null 2>&1; then + sudo apt-get update -qq && sudo apt-get install -y -qq jq + elif command -v brew >/dev/null 2>&1; then + brew install jq + else + echo "##vso[task.logissue type=error]jq is not installed and no supported package manager (apt-get, brew) was found. Preinstall jq on the agent." + exit 1 + fi fi displayName: "Install Cycode CLI + jq"
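Review bot: Unlike the api-gate copy of this logic, the new branches in templates/cycode-scan.yml never confirm that jq is actually usable after `sudo apt-get update -qq && sudo apt-get install -y -qq jq` or `brew install jq` return; the api-gate script ends with `jq --version`, which both verifies the binary and records its version in the log. Adding `jq --version` after the outer `fi` gives the template the same explicit check, independent of whatever shell options are set earlier in the script (the script step begins outside this hunk, so whether `set -e` is in effect here is not visible). The install block is now duplicated almost line-for-line across two files; a shared steps template that both pipelines include would keep the copies from drifting again, as they already have in this commit.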