
We would like to do SecretScan as part of PRs when feature branches are merged / PRed into dev.

I was thinking to have the SecretScan pipeline yaml stored in a shared Azure DevOps Project/Repository.

Add the SecretScan pipeline in each of our projects.

And add this as a required pipeline for PRs, instead of having the YAML defining SecretScan in each and every repository.

What I am wondering is, how to check out the current repo (where PR was triggered) during the SecretScan.

The SecretScan at the moment looks like this, but when triggered it only scans itself, not the triggering repository.

stages:
- stage: SecretScan
  displayName: Scan project for secrets
  jobs:
  - job: Secret_Scan
    displayName: Secret Scan
    pool:
      vmImage: 'windows-latest'
    steps:
    - checkout: self
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 3.1.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 5.0.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 6.0.x
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        categories: 'secrets'
        break: true

1 Answer

According to your expectation, you may consider using the SecretScan YAML as a template which can be kept in other repositories from AnotherProject.

In my case, I created the pipelineX referencing the azure-pipelines.yml pipeline definition in the TestRepo of ProjectX. This YAML definition had used the SecretScanRepo from AnotherProject as the repository resource, whose symbolic alias was TemplateRepo. To use the SecretScan.yml in the TemplateRepo, I added the template expression of - template: SecretScan.yml@TemplateRepo.

azure-pipelines.yml in TestRepo of ProjectX

trigger: none
pool:
  vmImage: windows-latest
resources:
  repositories:
  - repository: TemplateRepo
    name: AnotherProject/SecretScanRepo
    type: git
stages:
- template: SecretScan.yml@TemplateRepo
- stage: StageX
  jobs:
  - job: JobX
    steps:
    - script: echo StageX

When pipelineX was triggered by a PR, the "- checkout: self" step would check out the code from TestRepo@refs/pull/{PRId}/merge onto the agent. If you want to use the source code from TemplateRepo as well, you can add another checkout step, "- checkout: TemplateRepo". See more information on Check out multiple repositories in your pipeline - Azure Pipelines | Microsoft Learn.

SecretScan.yml in SecretScanRepo of AnotherProject

stages:
- stage: SecretScan
  displayName: Scan project for secrets
  jobs:
  - job: Secret_Scan
    displayName: Secret Scan
    pool:
      vmImage: 'windows-latest'
    steps:
    - checkout: self
    - checkout: TemplateRepo
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 3.1.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 5.0.x
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 6.0.x
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        categories: 'secrets'
        break: true

[Screenshot: MultipleCheckOut]

Alvin Zhao-MSFT
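As an added example (not from the question or the answer above), the same two files restructured so that the consuming pipeline extends the shared template instead of inserting it as a stage; the scan stage then cannot be omitted or reordered by the consuming repository. Repository and stage names are those used in the answer; the file name secret-scan-extends.yml and the stages parameter are assumptions.

```yaml
# --- secret-scan-extends.yml in AnotherProject/SecretScanRepo (file name assumed) ---
parameters:
- name: stages          # the consumer's own stages, appended after the scan
  type: stageList
  default: []

stages:
- stage: SecretScan
  displayName: Scan project for secrets
  jobs:
  - job: Secret_Scan
    displayName: Secret Scan
    pool:
      vmImage: 'windows-latest'
    steps:
    # 'self' is the repository that triggered the PR build (refs/pull/{PRId}/merge).
    # The template is expanded at compile time, so the shared repo does not need
    # a checkout step of its own; only the PR repository ends up on the agent.
    - checkout: self
    - task: UseDotNet@2
      displayName: 'Use dotnet'
      inputs:
        version: 6.0.x
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        categories: 'secrets'
        break: true        # fail the run, and so the PR validation, on any finding
# Consumer stages follow SecretScan; without dependsOn, stages run in the
# order defined, so none of them starts until the scan stage has passed.
- ${{ each stage in parameters.stages }}:
  - ${{ stage }}
---
# --- azure-pipelines.yml in TestRepo of ProjectX (the consuming pipeline) ---
trigger: none             # PR validation is configured via branch policy, not here
resources:
  repositories:
  - repository: TemplateRepo
    type: git
    name: AnotherProject/SecretScanRepo
extends:
  template: secret-scan-extends.yml@TemplateRepo
  parameters:
    stages:
    - stage: StageX
      jobs:
      - job: JobX
        steps:
        - script: echo StageX
```

Because the scan lives in the extended template rather than in the consumer's own stage list, a consuming repository cannot drop it; Azure DevOps can further enforce that runs come from this template with a Required template check on a protected resource such as the agent pool.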