Azure Pipelines is a continuous integration and continuous delivery (CI/CD) service in the Azure DevOps ecosystem. It provides continuous integration, continuous testing, and continuous deployment for building, testing, and delivering software. You can use the Azure extension from Endor Labs to run Endor Labs inside your Azure pipelines, or add steps to your pipeline that manually download and run Endor Labs on your runner.

Complete the prerequisites

Ensure that you complete the following prerequisites before you proceed.

Set up an Endor Labs tenant

You must have an Endor Labs tenant set up for your organization. You can also set up namespaces according to your requirements. See Set up namespaces.

Configure Endor Labs authentication

Configure an API key and secret for authentication. See Managing API keys for more information on generating an API key for Endor Labs. Store the API key and secret as the environment variables ENDOR_API_CREDENTIALS_KEY and ENDOR_API_CREDENTIALS_SECRET.

Enable Advanced Security in Azure

You need to enable Advanced Security in your Azure repository to view results in Azure.
  1. Log in to Azure and open Project Settings.
  2. Navigate to Repos > Repositories in the left navigation panel.
  3. Select your repository.
  4. Enable Advanced Security.

Integrate Endor Labs with Azure pipelines with the Azure extension

To integrate Endor Labs with Azure pipelines, you need to set up the Azure extension. After you set up the extension, you can configure your pipeline to use Endor Labs.
The Endor Labs Azure extension requires code read, build read, and execute permissions.

Set up the Azure extension

  1. Install the Endor Labs extension from the Visual Studio Marketplace.
  2. Log in to Azure DevOps and select your project.
  3. Select Project Settings from the left sidebar.
  4. Select Service Connections under Pipelines.
  5. Click Create service connection.
  6. Select Endor Labs and click Next.
  7. Enter https://api.endorlabs.com as the Server URL.
  8. Enter the API Key and API Secret that you created.
  9. Enter the service connection name. This is the name you reference from the serviceConnectionEndpoint input in your Azure pipeline.
  10. Optionally, you can enter service management reference and description.
  11. Select Grant access permission to all pipelines to provide access to the Endor Labs service connection to your pipelines.
    Ensure that you select this option if you want to use Endor Labs with your pipelines. Unless you grant this access, the Endor Labs service connection is not available to your pipelines.
  12. Click Save.

Configure Azure pipeline to use Endor Labs

Important
Azure Pipelines often check out commits in a detached HEAD state, which can lead to fragmented branch tracking in Endor Labs. See Set up branch tracking in Azure Pipelines to configure proper branch context.
  1. Create an azure-pipelines.yml file in your project, if it doesn’t exist, and enter values according to your requirements.
  2. In the azure-pipelines.yml file, enter the EndorLabsScan@0 task with the service connection name, the Endor Labs namespace, and the SARIF file name. For example:
    
     steps:
      - task: EndorLabsScan@0
        inputs:
          serviceConnectionEndpoint: 'Endor'
          namespace: 'demo'
          sarifFile: 'scanresults.sarif'
    
  3. Enter the AdvancedSecurity-Publish@1 task if you wish to publish the scan results, which you can then view under the Advanced Security tab in Azure DevOps.

    steps:
      - task: AdvancedSecurity-Publish@1
        displayName: Publish scan results to Advanced Security
        inputs:
          SarifsInputDirectory: $(Build.SourcesDirectory)\

After a successful run of the pipeline, you can view the results in Azure.

Endor Labs scan parameters

You can use the following input parameters in the EndorLabsScan@0 task.
To enable AI SAST analysis, set the additionalArgs parameter to --ai-sast-analysis=agent-fallback.

Example Workflow

The following example workflow initiates a scan in which all dependencies are scanned along with secrets. The findings are tagged with Azure. The scan generates a SARIF file and uploads it to Advanced Security in Azure DevOps.

trigger:
- none

pool:
  name: Azure Pipelines
  vmImage: "windows-latest"

steps:
- task: EndorLabsScan@0
  inputs:
    serviceConnectionEndpoint: 'endorlabs-service-connection'
    namespace: 'endor'
    sarifFile: 'scanresults.sarif'
    scanSecrets: 'true'
    tags: 'Azure'

- task: AdvancedSecurity-Publish@1
  displayName: Publish 'scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)\

View scan results in Azure

After the pipeline runs, you can view the scan results in Azure.
  1. Log in to Azure and navigate to your projects.
  2. Select Repos > Advanced Security to view the scan results.
  3. Click an alert to view more details.
  4. If you ran the scan with the --secrets flag, you can also see whether any secret leaks were found. Click an entry to view more details.

Download and use endorctl in Azure pipeline

You can also choose to set up your pipeline to download endorctl and scan using Endor Labs without using the Azure extension.

Configure Endor Labs variables in the pipeline

You can manage Endor Labs variables centrally by configuring them in a variable group within your Azure project, and then assign that group to various pipelines.
  1. Log in to Azure and select Pipelines > Library.
  2. Click +Variable Group to add a new variable group for Endor Labs.
  3. Enter a name for the variable group, for example, tenant-variables, and click Add under Variables.
  4. Add the following variables.
    • ENDOR_API_CREDENTIALS_KEY
    • ENDOR_API_CREDENTIALS_SECRET
    • NAMESPACE
  5. Select the variable group that you created.
  6. Click Pipeline Permissions.
  7. Click + to add the pipelines in which you want to use the variable group.

Configure your Azure pipeline

  1. Create an azure-pipelines.yml file in your project, if it doesn’t exist.
  2. In the azure-pipelines.yml file, customize the job configuration based on your project’s requirements.
  3. Adjust the vmImage field to use the build tools your software packages need, and align your build steps with those of your project. For example, update the pool settings based on your operating system.
pool:
  name: Default
  vmImage: "windows-latest"
  4. Update the default branch from main if you do not use main as the default branch name.
  5. Modify any dependency or artifact caches to align with the languages and caches used by your project.
  6. Enter the following step in the azure-pipelines.yml file to download endorctl and verify its integrity.
- bash: |
    echo "Downloading latest version of endorctl"
    # Read the current release version from the Endor Labs metadata endpoint
    VERSION=$(curl https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # Fetch the Windows binary for that version
    curl https://api.endorlabs.com/download/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_windows_amd64.exe -o endorctl.exe
    # Compare the published SHA-256 against the file that was just written (endorctl.exe); abort the step on mismatch
    echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe)  endorctl.exe" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
  7. Enter the steps to build your project if your project needs building and setup steps.
  8. Enter the following step in the azure-pipelines.yml file to run endorctl scan and generate the SARIF file. You can run endorctl scan with options according to your requirements, but you must include the -s option to generate the SARIF file. For example, use the --secrets flag to scan for secrets.
- script: |
    .\endorctl.exe scan -n $(NAMESPACE) -s scanresults.sarif
  env:
    ENDOR_API_CREDENTIALS_KEY: $(ENDOR_API_CREDENTIALS_KEY)
    ENDOR_API_CREDENTIALS_SECRET: $(ENDOR_API_CREDENTIALS_SECRET)
  9. Enter the following task in the azure-pipelines.yml file to publish the scan results.
- task: AdvancedSecurity-Publish@1
  displayName: Publish 'scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)\
After a successful run of the pipeline, you can view the results in Azure.

Azure Pipeline Examples

trigger:
- none

pool:
  name: Azure Pipelines
  vmImage: "windows-latest"

variables:
- group: tenant-variables

steps:
# All steps related to building of the project should be before this step.
# Implement and scan with Endor Labs after your build is complete.
- bash: |
    echo "Downloading latest version of endorctl"
    # Read the current release version from the Endor Labs metadata endpoint
    VERSION=$(curl https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # Fetch the Windows binary for that version
    curl https://api.endorlabs.com/download/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_windows_amd64.exe -o endorctl.exe
    # Compare the published SHA-256 against the file that was just written (endorctl.exe); abort the step on mismatch
    echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe)  endorctl.exe" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
  displayName: 'Downloading latest version of endorctl'
  continueOnError: false

- script: |
    .\endorctl.exe scan -n $(NAMESPACE) -s scanresults.sarif
  displayName: 'Run a scan against the repository using your API key & secret pair'
  env:
    ENDOR_API_CREDENTIALS_KEY: $(ENDOR_API_CREDENTIALS_KEY)
    ENDOR_API_CREDENTIALS_SECRET: $(ENDOR_API_CREDENTIALS_SECRET)

- task: AdvancedSecurity-Publish@1
  displayName: Publish 'scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)\
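The download step in the pipeline above verifies the binary with a single `sha256sum -c` line. The following bash is an added example, not Endor Labs code, that factors the same fail-closed check into a reusable function and exercises it offline: the accepting path, a wrong digest, and the case where the checksum line names a file that was never written (the step writes endorctl.exe, so a check against "endorctl" can only fail). It assumes sha256sum or shasum is on PATH and uses a constructed file and digest in place of the https://api.endorlabs.com/sha/latest/... endpoint.

```shell
#!/usr/bin/env bash
# Added example, not Endor Labs code: a fail-closed SHA-256 check for a
# downloaded endorctl binary, equivalent to the `sha256sum -c` line in the
# pipeline step. Assumptions: sha256sum (coreutils) or shasum is on PATH;
# the expected digest is constructed locally rather than fetched from
# https://api.endorlabs.com/sha/latest/... as the pipeline does.

sha256_of() {
  # Print the hex SHA-256 of a file with whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_download() {
  # verify_download <file> <expected-hex-digest>
  # Returns 0 only when the file exists, the digest is well formed and
  # the digests match. Every other outcome returns 1, so a step written as
  # `verify_download ... || exit 1` never runs an unverified binary.
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "Integrity check failed: $file does not exist" >&2
    return 1
  fi
  case "$expected" in
    *[!0-9a-fA-F]* | '')
      echo "Integrity check failed: digest is not hexadecimal" >&2
      return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "Integrity check failed: digest is not 64 hex characters" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "Integrity check failed: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

demo_verify() {
  # Constructed stand-in for the downloaded file. Prints three outcomes:
  # matching digest, wrong digest, and a check against the wrong filename
  # ("endorctl" when "endorctl.exe" was written).  Prints: ok fail fail
  tmp=$(mktemp -d)
  printf 'constructed stand-in for endorctl.exe\n' > "$tmp/endorctl.exe"
  good=$(sha256_of "$tmp/endorctl.exe")
  bad=$(printf '%064d' 0)
  if verify_download "$tmp/endorctl.exe" "$good" 2>/dev/null; then r1=ok; else r1=fail; fi
  if verify_download "$tmp/endorctl.exe" "$bad" 2>/dev/null; then r2=ok; else r2=fail; fi
  if verify_download "$tmp/endorctl" "$good" 2>/dev/null; then r3=ok; else r3=fail; fi
  rm -rf "$tmp"
  printf '%s %s %s\n' "$r1" "$r2" "$r3"
}
```

In the pipeline, the inline `echo ... | sha256sum -c` line can be replaced by `verify_download endorctl.exe "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe)" || exit 1`; the digest format check also catches the case where that request returns an error page instead of a hex digest, which the original pipeline would only reject through a confusing sha256sum parse error.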

Set up branch tracking in Azure Pipelines

In Git, a detached HEAD state occurs when the repository checks out a specific commit instead of a branch reference. In this state, Git points the HEAD directly to a commit hash, without associating it with a named branch. As a result, actions performed, such as creating new commits or running automated scans, do not carry branch identity unless explicitly specified. Proper branch context enables Endor Labs to:
  • Associate scans with the correct branch
  • Identify scans on the monitored default branch
  • Track findings and display metrics accurately across branches
Without proper branch configuration, Endor Labs may create multiple branch entries for the same logical branch, leading to fragmented reporting and inaccurate metrics. Azure Pipelines often check out commits by their SHA instead of the branch name, which creates a detached HEAD state.

Automatic branch tracking

When you use the Endor Labs Azure extension, branch tracking is automated. The enableDetachedRefName parameter is set to true by default, which automatically detects the branch name from your Azure pipeline and appends the --detached-ref-name flag during scans. This ensures that scans display the actual branch name instead of the commit SHA.
steps:
  - task: EndorLabsScan@0
    inputs:
      namespace: 'demo'
      sarifFile: 'scanresults.sarif'
      serviceConnectionEndpoint: 'Endor'
To disable automatic branch tracking and use the commit SHA instead, explicitly set enableDetachedRefName to false.
steps:
  - task: EndorLabsScan@0
    inputs:
      enableDetachedRefName: false
      namespace: 'demo'
      sarifFile: 'scanresults.sarif'
      serviceConnectionEndpoint: 'Endor'

Manual branch tracking with endorctl

When you use endorctl, specify the branch name using the --detached-ref-name flag. Use --detached-ref-name only to specify the branch name for a commit in detached HEAD state. This associates the commit with the correct branch without setting it as the default branch.
- script: |
    BRANCH_NAME=$(Build.SourceBranchName)
    ./endorctl scan -n $(NAMESPACE) \
    --detached-ref-name="$BRANCH_NAME" \
    -s scanresults.sarif
Use both --detached-ref-name and --as-default-branch together when you want to associate the commit with a branch and set it as the default branch scan.
- script: |
    BRANCH_NAME=$(Build.SourceBranchName)
    ./endorctl scan -n $(NAMESPACE) \
    --as-default-branch \
    --detached-ref-name="$BRANCH_NAME" \
    -s scanresults.sarif
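The two steps above take the branch name from $(Build.SourceBranchName), which Azure defines as the last path segment of the ref (refs/heads/feature/login becomes login), and they pass --detached-ref-name unconditionally. The following bash is an added example, not part of Endor Labs' documentation or tooling: it derives the full branch name from Build.SourceBranch (exposed to scripts as BUILD_SOURCEBRANCH, with SYSTEM_PULLREQUEST_SOURCEBRANCH for pull request validation builds), checks whether HEAD is actually detached, and assembles the --detached-ref-name and --as-default-branch flags described above. The default branch name main, the variable ENDOR_BRANCH_FLAGS and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Endor Labs code or documentation: derive the branch name
# for --detached-ref-name from Azure Pipelines' predefined variables and emit
# the flag only when HEAD really is detached.
# Assumptions: Build.SourceBranch is available as BUILD_SOURCEBRANCH and
# System.PullRequest.SourceBranch as SYSTEM_PULLREQUEST_SOURCEBRANCH (Azure's
# standard env-var mapping), and the monitored default branch is main.

ref_to_branch() {
  # ref_to_branch <Build.SourceBranch> [<System.PullRequest.SourceBranch>]
  # Build.SourceBranchName keeps only the last path segment of the ref
  # (refs/heads/feature/login becomes "login"), so the full ref is used here
  # and the refs/heads/ prefix stripped instead.
  ref=$1
  pr_src=${2:-}
  case "$ref" in
    refs/heads/*)
      printf '%s\n' "${ref#refs/heads/}" ;;
    refs/pull/*)
      # PR validation builds check out a synthetic merge ref; attribute the
      # scan to the pull request's source branch instead.
      if [ -z "$pr_src" ]; then
        echo "PR build without a source branch" >&2
        return 1
      fi
      printf '%s\n' "${pr_src#refs/heads/}" ;;
    refs/tags/*)
      printf '%s\n' "${ref#refs/tags/}" ;;
    *)
      echo "unrecognised ref: $ref" >&2
      return 1 ;;
  esac
}

in_detached_head() {
  # True (exit 0) when HEAD is not a symbolic ref, i.e. a checkout by SHA.
  ! git symbolic-ref -q HEAD >/dev/null 2>&1
}

endorctl_branch_flags() {
  # endorctl_branch_flags <branch> [<default-branch>]
  # --as-default-branch is added only for the monitored default branch,
  # matching the two endorctl invocations documented above.
  branch=$1
  default=${2:-main}
  flags="--detached-ref-name=$branch"
  if [ "$branch" = "$default" ]; then
    flags="$flags --as-default-branch"
  fi
  printf '%s\n' "$flags"
}

# Inside a pipeline run, publish the flags as ENDOR_BRANCH_FLAGS for the scan
# step through Azure's task.setvariable logging command; outside a pipeline
# (BUILD_SOURCEBRANCH unset) nothing runs, so the functions can be tested alone.
if [ -n "${BUILD_SOURCEBRANCH:-}" ]; then
  branch=$(ref_to_branch "$BUILD_SOURCEBRANCH" "${SYSTEM_PULLREQUEST_SOURCEBRANCH:-}") || exit 1
  if in_detached_head; then
    flags=$(endorctl_branch_flags "$branch")
  else
    # Not detached: the checked-out branch is visible to endorctl, and the
    # page says to use --detached-ref-name only for detached HEAD state.
    flags=""
  fi
  echo "Branch: $branch; extra endorctl flags: '$flags'"
  echo "##vso[task.setvariable variable=ENDOR_BRANCH_FLAGS]$flags"
fi
```

Run this as a bash step before the scan step and append `$(ENDOR_BRANCH_FLAGS)` to the `endorctl scan` command line; a feature branch then shows up in Endor Labs as feature/login rather than login, and a pull request build is attributed to its source branch rather than to refs/pull/N/merge.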