Variable group for credentials; harden jq install

azure-pipelines-api-gate.yml

@@ -4,7 +4,8 @@
 # Fails the build if any match the filters below.
 #
 # Prereqs (one-time in Azure DevOps):
-#   - Secret pipeline variables CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET
+#   - Library variable group 'cycode-credentials' with CYCODE_CLIENT_ID and
+#     CYCODE_CLIENT_SECRET (both marked secret).
 #   - Agent pool 'Default' (self-hosted) or change to 'ubuntu-latest'
 #
 # Run manually: Pipelines → this pipeline → Run
@@ -15,16 +16,29 @@ pool:
   name: Default
 
 variables:
+  # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library.
+  - group: cycode-credentials
   # Must match the repo name shown in Cycode's Violations UI.
   # Bare repo name as stored in Cycode's RIG — NOT "owner/repo".
-  REPO_NAME: "vectorvictor"
+  - name: REPO_NAME
+    value: "vectorvictor"
 
 steps:
   - checkout: self
 
   - script: |
-      if ! command -v jq >/dev/null 2>&1; then
-        sudo apt-get update -qq && sudo apt-get install -y -qq jq || true
+      set -e
+      if command -v jq >/dev/null 2>&1; then
+        jq --version
+        exit 0
+      fi
+      if command -v apt-get >/dev/null 2>&1; then
+        sudo apt-get update -qq && sudo apt-get install -y -qq jq
+      elif command -v brew >/dev/null 2>&1; then
+        brew install jq
+      else
+        echo "##vso[task.logissue type=error]jq is not installed and no supported package manager (apt-get, brew) was found. Preinstall jq on the agent."
+        exit 1
       fi
       jq --version
     displayName: "Ensure jq is available"

azure-pipelines-publish-results.yml

@@ -15,7 +15,11 @@ pool:
   name: Default
 
 variables:
-  SCAN_PATH: "./vulnerable_apps/"
+  # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library.
+  # Create via Pipelines → Library → + Variable group → 'cycode-credentials'.
+  - group: cycode-credentials
+  - name: SCAN_PATH
+    value: "./vulnerable_apps/"
 
 steps:
   - checkout: self

azure-pipelines-template-consumer.yml

@@ -21,6 +21,11 @@
 trigger: none
 pr: none
 
+variables:
+  # Pulls CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET from ADO Library.
+  # Create via Pipelines → Library → + Variable group → 'cycode-credentials'.
+  - group: cycode-credentials
+
 extends:
   template: templates/cycode-scan.yml
   parameters:

templates/cycode-scan.yml

@@ -66,7 +66,14 @@ stages:
               python3 -m pip install --upgrade pip
               pip install cycode
               if ! command -v jq >/dev/null 2>&1; then
-                sudo apt-get update -qq && sudo apt-get install -y -qq jq || true
+                if command -v apt-get >/dev/null 2>&1; then
+                  sudo apt-get update -qq && sudo apt-get install -y -qq jq
+                elif command -v brew >/dev/null 2>&1; then
+                  brew install jq
+                else
+                  echo "##vso[task.logissue type=error]jq is not installed and no supported package manager (apt-get, brew) was found. Preinstall jq on the agent."
+                  exit 1
+                fi
               fi
             displayName: "Install Cycode CLI + jq"