# Azure DevOps

Integrate Musha into Azure Pipelines to scan every push and pull request.

## Pipeline definition

Add to azure-pipelines.yml:
```yaml
trigger:
  branches:
    include:
      - main
      - master
      - develop

pr:
  branches:
    include:
      - main
      - master

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self
    fetchDepth: 2

  - bash: |
      tar -czf scan.tar.gz \
        --exclude='.git' \
        --exclude='node_modules' \
        --exclude='vendor' \
        --exclude='.terraform' \
        --exclude='target' \
        .
    displayName: 'Package repository'

  - bash: |
      curl -fsS -X POST "$(MUSHA_API_URL)/v1/scans" \
        -H "Authorization: Bearer $(MUSHA_API_KEY)" \
        -F "files=@scan.tar.gz" \
        -F "project_id=$(MUSHA_PROJECT_ID)" \
        -F "branch=$(Build.SourceBranchName)" \
        -F "pr_id=$(System.PullRequest.PullRequestId)" \
        -F "commit_hash=$(Build.SourceVersion)" \
        -F "scan_type=full"
    displayName: 'Upload to Musha'
```
## Variables

Configure in Pipelines → Library → Variable groups or directly in the pipeline variables:

| Variable | Secret | Description |
|---|---|---|
| MUSHA_API_URL | No | https://api.mushasec.com |
| MUSHA_PROJECT_ID | No | Your project UUID from the Musha dashboard |
| MUSHA_API_KEY | Yes | API key created in Settings → API Keys |

Mark MUSHA_API_KEY as a secret variable to prevent it from appearing in logs.
## Pull request comments
$(System.PullRequest.PullRequestId) is only populated when the pipeline runs in the context of a pull request. Musha uses this to post a comment to the PR in Azure DevOps.
To ensure the pipeline runs on both pushes and PRs, use the trigger and pr sections as shown above.
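The upload step above, rewritten as a stand-alone script with the checks a practitioner would want: it refuses to send a missing or empty archive, fails the step on an HTTP error, and attaches pr_id only when the PR variable actually holds a number, since on push builds that variable is empty or can be left as the unexpanded macro text. This is an added example, not Musha's own code; the BRANCH, COMMIT and PR_ID environment names are assumptions, mapped from the pipeline variables with the step's env: key (secret variables reach a script only when mapped that way).

```shell
#!/bin/sh
# Added example (not from the Musha docs). Assumed step in azure-pipelines.yml:
#   - bash: ./musha-upload.sh scan.tar.gz
#     env:
#       MUSHA_API_URL: $(MUSHA_API_URL)
#       MUSHA_API_KEY: $(MUSHA_API_KEY)      # secret: must be mapped explicitly
#       MUSHA_PROJECT_ID: $(MUSHA_PROJECT_ID)
#       BRANCH: $(Build.SourceBranchName)
#       COMMIT: $(Build.SourceVersion)
#       PR_ID: $(System.PullRequest.PullRequestId)
set -eu

# A usable PR id is non-empty, purely numeric, and not a macro that Azure
# left unexpanded (e.g. '$(System.PullRequest.PullRequestId)' on a push).
is_valid_pr_id() {
  case "$1" in
    '' | *'$('* | *[!0-9]*) return 1 ;;
  esac
  return 0
}

# Print the extra curl form field for the PR, or nothing on a push build,
# so the scan is still recorded against the commit without a bogus pr_id.
pr_id_field() {
  if is_valid_pr_id "$1"; then
    printf '%s' "-F pr_id=$1"
  fi
}

# Upload one archive. Fails the step on a missing/empty archive or on an
# HTTP error (-f), and keeps the API response for later pipeline steps.
upload_scan() {
  archive=$1
  [ -s "$archive" ] || { echo "archive $archive is missing or empty" >&2; return 1; }
  pr_field=$(pr_id_field "${PR_ID:-}")
  # $pr_field is intentionally unquoted: it is either empty or "-F pr_id=N".
  curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
    -H "Authorization: Bearer $MUSHA_API_KEY" \
    -F "files=@$archive" \
    -F "project_id=$MUSHA_PROJECT_ID" \
    -F "branch=$BRANCH" \
    -F "commit_hash=$COMMIT" \
    -F "scan_type=full" \
    $pr_field \
    -o scan-response.json
}

# Run only when executed directly with an archive path, not when sourced.
if [ "${1:-}" != "" ] && [ "${MUSHA_UPLOAD_SOURCED:-0}" = "0" ]; then
  upload_scan "$1"
fi
```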
## Using a variable group

For sharing variables across multiple pipelines:

```yaml
variables:
  - group: musha-security
```

Then create a variable group named musha-security in Pipelines → Library with the three variables.