Azure DevOps
Frogbot integrates with Azure DevOps through Azure Pipelines.
Step 1: Set Pipeline Variables
In your Azure DevOps project, go to Pipelines > Library and create a variable group (or set variables directly in the pipeline) with:
| Variable | Value | Secret |
|---|---|---|
| JF_URL | Your JFrog Platform URL | No |
| JF_ACCESS_TOKEN | JFrog Platform access token | Yes |
| JF_GIT_TOKEN | Azure DevOps personal access token with Code (Read & Write) scope | Yes |
Step 2: Create the PR Scan Pipeline
Create azure-pipelines-frogbot-pr.yml:
```yaml
pr:
  branches:
    include:
      - '*'

trigger: none

pool:
  vmImage: ubuntu-latest

variables:
  # [Mandatory] Set these in Azure DevOps: Pipelines > Library > Variable Groups
  # or Pipeline > Edit > Variables
  JF_URL: $(JF_URL)
  JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
  JF_GIT_TOKEN: $(JF_GIT_TOKEN)
  # [Mandatory] Azure DevOps organization or project name
  JF_GIT_OWNER: '<YOUR_AZURE_DEVOPS_ORG_OR_PROJECT>'
  # [Mandatory if NOT using Azure Repos]
  # JF_GIT_PROVIDER: '<YOUR_GIT_PROVIDER>'
  # JF_GIT_API_ENDPOINT: '<YOUR_API_ENDPOINT>'
  # [Mandatory if using Bitbucket with Azure Pipelines]
  # Note: PR auto-detection only works for Azure Repos and GitHub.
  # For Bitbucket PRs, you must manually set:
  # JF_GIT_PULL_REQUEST_ID: '<PR_ID>'
  # JF_GIT_BASE_BRANCH: '<TARGET_BRANCH>'

jobs:
  - job: FrogbotScanPullRequest
    displayName: 'Frogbot Scan Pull Request'
    steps:
      - task: CmdLine@2
        displayName: 'Download and Run Frogbot'
        env:
          JF_URL: $(JF_URL)
          JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
          JF_GIT_TOKEN: $(JF_GIT_TOKEN)
          JF_GIT_OWNER: $(JF_GIT_OWNER)
        inputs:
          script: |
            curl -fL "https://releases.jfrog.io/artifactory/frogbot/v3/[RELEASE]/getFrogbot.sh" | sh
            ./frogbot scan-pull-request
```

Step 3: Create the Commit Scan Pipeline
Create azure-pipelines-frogbot-scan.yml:
```yaml
# Frogbot Scan Repository - Azure DevOps Pipeline
# Triggered on schedule to scan the repository for vulnerabilities
schedules:
  - cron: '0 0 * * *'
    displayName: Daily midnight scan
    branches:
      include:
        - main

# Disable PR and push triggers - this pipeline is for scheduled scans only
pr: none
trigger: none

pool:
  vmImage: ubuntu-latest

variables:
  # [Mandatory] Set these in Azure DevOps: Pipelines > Library > Variable Groups
  # or Pipeline > Edit > Variables
  JF_URL: $(JF_URL)
  JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
  JF_GIT_TOKEN: $(JF_GIT_TOKEN)
  # [Mandatory] Azure DevOps organization or project name
  JF_GIT_OWNER: '<YOUR_AZURE_DEVOPS_ORG_OR_PROJECT>'
  # [Mandatory if NOT using Azure Repos]
  # JF_GIT_PROVIDER: '<YOUR_GIT_PROVIDER>'
  # JF_GIT_API_ENDPOINT: '<YOUR_API_ENDPOINT>'

jobs:
  - job: FrogbotScanRepository
    displayName: 'Frogbot Scan Repository'
    steps:
      - task: CmdLine@2
        displayName: 'Download and Run Frogbot'
        env:
          JF_URL: $(JF_URL)
          JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
          JF_GIT_TOKEN: $(JF_GIT_TOKEN)
          JF_GIT_OWNER: $(JF_GIT_OWNER)
        inputs:
          script: |
            curl -fL "https://releases.jfrog.io/artifactory/frogbot/v3/[RELEASE]/getFrogbot.sh" | sh
            ./frogbot scan-repository
```

Step 4: Set Branch Policies
To ensure PRs are scanned before merge:
- Go to Repos > Branches and select your target branch (e.g., main).
- Under Branch Policies, add a Build Validation policy pointing to the PR scan pipeline.
- Set the policy to Required so PRs cannot be merged without a passing Frogbot scan.
Azure DevOps-Specific Variables
| Variable | Description |
|---|---|
| JF_GIT_PROVIDER | Must be set to azureRepos |
| JF_GIT_OWNER | Azure DevOps project name (use $(System.TeamProject)) |
| JF_GIT_REPO | Repository name (use $(Build.Repository.Name)) |
| JF_GIT_BASE_BRANCH | Target branch for PR scans ($(System.PullRequest.TargetBranch)) |
| JF_GIT_PULL_REQUEST_ID | PR ID ($(System.PullRequest.PullRequestId)) |
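
The following preflight check is an added example, not part of the Frogbot documentation or JFrog's code. It can be placed at the top of the pipeline `script` so the job fails early when one of the four variables passed to Frogbot was never substituted. It assumes Azure Pipelines leaves an undefined macro such as `$(JF_ACCESS_TOKEN)` in place as literal text; the function names `frogbot_preflight` and `is_unresolved` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the Frogbot pipeline environment.
# frogbot_preflight and is_unresolved are hypothetical helper names,
# not Frogbot commands.

# Return 0 if the value looks like an unresolved Azure macro "$(NAME)"
# or an unedited "<PLACEHOLDER>" copied from the pipeline template.
is_unresolved() {
  case "$1" in
    '$('*')'|'<'*'>') return 0 ;;
    *) return 1 ;;
  esac
}

# Check the four variables the pipeline maps into the Frogbot step.
# Only variable names are printed, never values, so the secret
# tokens stay out of the build log.
frogbot_preflight() {
  rc=0
  for name in JF_URL JF_ACCESS_TOKEN JF_GIT_TOKEN JF_GIT_OWNER; do
    # Indirect lookup; $name comes from the fixed list above.
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
      echo "preflight: $name is empty or unset" >&2
      rc=1
    elif is_unresolved "$value"; then
      echo "preflight: $name was not substituted" >&2
      rc=1
    fi
  done
  # The access token is sent to JF_URL, so require TLS.
  case "${JF_URL-}" in
    https://*) ;;
    *) echo "preflight: JF_URL must start with https://" >&2; rc=1 ;;
  esac
  return "$rc"
}
```

In the pipeline, call `frogbot_preflight || exit 1` before the `./frogbot` line so a missing variable group link or unmapped secret stops the job before any token is used.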
