2

we are trying to build an Azure Devops pipeline (yaml based pipeline) where the build is triggered on a pull request but what we want to do is we only want to execute a step (security scanning thru veracode extension) on the incremental changes i.e. lets say I have base code with version "X" and I make few changes to it (modify couple of files, add couple of files, etc) and now whenever I execute a pull-request I want a build to be triggered but as part of the build the security scan step should be executed only on the incremental changes instead of the entire code base of the build. I am not sure how we can achieve this as part of the YAML pipeline (step) where some filter value is automatically applied (may be some REST API to get incremental changes in that build) so the step only executes on those changed files.

I have tried the git diff HEAD command with following script just to output changes from last build but this is not returning me anything

steps:
    - task: AzurePowerShell@5
      displayName: 'Check changed files'
      inputs:
        azureSubscription:  'mysubscription'
        scriptType: 'InlineScript'
        Inline: |
          $url = "https://dev.azure.com/xxxx/KKKK/_apis/build/latest/2083?apir-version=6.0-preview.1&branchName=myevbrnch"
          $response = (Invoke-RestMethod -Uri $url -Method GET -Headers $AzureDevOpsAuthenicationHeader)
          $files = (git diff HEAD $response.sourceVersion --name-only)
          $temp=$files -split ' '
          $count=$temp.Length
          echo "Total changed $count files"
          For ($i=0; $i -lt $temp.Length; $i++)
          {
            $name=$temp[$i]
            echo "this is $name file"
            if ($name -like "SecOpsTest/*")
              {
                Write-Host "##vso[task.setvariable variable=MicroserviceAUpdated]True"
              }
          }
        azurePowerShellVersion: 'latestVersion'
        pwsh: true

Any help on how we can achieve this thru the YAML pipeline?

Thank you

user42012
  • 722
  • 12
  • 33

1 Answers1

0

I was able to get the differences between the last build and the current change, I had to enable tagging on the build and with that enabled I introduced the following powershell script to check for changes between build (found this tag comparison code written by Shamrai Alexander:

steps:
    - task: AzurePowerShell@5
      displayName: 'Check changed files'
      inputs:
        azureSubscription:  'mysubscription'
        scriptType: 'InlineScript'
         Inline: |
      $last_tag = git describe --tags --abbrev=0 --match "[0-9]*"
      $changes = git diff --name-only --relative --diff-filter AMR $last_tag HEAD .
      if ($changes -is [string]){ 
        echo "Nothing changed $changes" }
      else
      {
          if ($changes -is [array])
          {       
              foreach ($change in $changes){
                 if ($change -like '*Azure.Infra/SecOpsTest/*') { 
                  echo "this is changed file $change"
                }
               
                }
          }
      }
          
        azurePowerShellVersion: 'latestVersion'
        pwsh: true
user42012
  • 722
  • 12
  • 33