Azure DevOps AST Orchestrator
The Conviso Platform Azure DevOps AST Orchestrator centralizes AST scanning in a single Azure Pipeline. Instead of maintaining a pipeline in every repository, Conviso triggers one orchestrator pipeline with the target repository and commit information after PR merges.
Overview
The Orchestrator model provides:
- Centralized management: Maintain scanning logic in one pipeline.
- Consistency: Apply the same scan behavior to all mapped repositories.
- Simple onboarding: Add repository mappings without duplicating CI configuration.
Execution costs: Scans run in your Azure Pipelines environment and consume your Azure Pipeline runtime.
Prerequisites
Before you start:
- Azure DevOps integration is configured in Conviso Platform.
- AST Scans is enabled in the integration.
- You have an Azure Pipeline that will act as the orchestrator.
- The pipeline has access to a Variable Group with:
ADO_GIT_PAT(Code Read permission for target repositories)CONVISO_API_KEY(Conviso API key for the target environment)
Configure the Orchestrator in Conviso
Step 1 - Open Azure DevOps integration
In Conviso Platform, go to Integrations, filter by Application Lifecycle Management, and open Azure DevOps.
Step 2 - Configure Orchestrator settings
In Integrations > Azure DevOps > Orchestrator configuration, fill:
- Orchestrator organization: Azure DevOps organization name (e.g.
my-org) - Orchestrator project: Project where the orchestrator pipeline is defined
- Orchestrator pipeline ID: Numeric pipeline ID in Azure DevOps
- Orchestrator ref: Branch/tag where the YAML is stored (recommended:
main)
Then click Save configuration.
Step 3 - Create a PAT in Azure DevOps
In Azure DevOps, create a Personal Access Token with Code (Read) scope for repositories that will be scanned.
Step 4 - Configure Variable Group secrets
In Azure DevOps Pipelines > Library > conviso-group, add:
ADO_GIT_PATCONVISO_API_KEY
Both must be stored as secret variables.
Configure Merge Trigger
After enabling AST Scans and saving Orchestrator settings, Conviso automatically triggers the orchestrator pipeline on eligible PR merges for mapped assets.
Pipeline Template (Azure DevOps)
Use this orchestrator pipeline template:
trigger: none
pr: none
parameters:
- name: repo_full_name
type: string
default: REPLACE/REPLACE
- name: branch
type: string
default: replace-me
- name: commit_sha
type: string
default: replace-me
- name: pr_number
type: string
default: ""
- name: api_url
type: string
default: "https://api.convisoappsec.com"
variables:
- group: conviso-group
pool:
vmImage: ubuntu-latest
jobs:
- job: ast
container: convisoappsec/convisoast:latest
steps:
- checkout: none
- bash: |
set -euo pipefail
REPO_FULL='${{ parameters.repo_full_name }}'
BRANCH='${{ parameters.branch }}'
SHA='${{ parameters.commit_sha }}'
case "$REPO_FULL" in ''|REPLACE/REPLACE) echo "##vso[task.logissue type=error]repo_full_name inválido"; exit 1;; esac
case "$SHA" in ''|replace-me) echo "##vso[task.logissue type=error]commit_sha inválido"; exit 1;; esac
test -n "${ADO_GIT_PAT:-}" || { echo "##vso[task.logissue type=error]ADO_GIT_PAT ausente"; exit 1; }
test -n "${CONVISO_API_KEY:-}" || { echo "##vso[task.logissue type=error]CONVISO_API_KEY ausente"; exit 1; }
PROJECT="${REPO_FULL%%/*}"
REPO="${REPO_FULL#*/}"
ORG="${SYSTEM_COLLECTIONURI#https://dev.azure.com/}"
ORG="${ORG%/}"
WORKDIR="$(Build.SourcesDirectory)"
rm -rf "${WORKDIR:?}"/* && mkdir -p "$WORKDIR" && cd "$WORKDIR"
git init -q
git remote add origin "https://:${ADO_GIT_PAT}@dev.azure.com/${ORG}/${PROJECT}/_git/${REPO}"
git fetch origin "$SHA"
git checkout -B "$BRANCH" "$SHA"
PREV="$(git rev-parse "${SHA}^1")"
export CONVISO_API_URL='https://api.convisoappsec.com'
conviso ast run --asset-name "${ORG}/${REPO}" --current-commit "$SHA" --previous-commit "$PREV" --vulnerability-auto-close
env:
ADO_GIT_PAT: $(ADO_GIT_PAT)
CONVISO_API_KEY: $(CONVISO_API_KEY)
SYSTEM_COLLECTIONURI: $(System.CollectionUri)
Step 5 - Save pipeline YAML
Open your orchestrator pipeline in Azure DevOps and save the YAML.
How the flow works
- User merges a PR in Azure DevOps.
- Conviso triggers the configured orchestrator pipeline with repository and commit parameters.
- Pipeline clones the target repository and runs
conviso ast run. - Findings are sent to the mapped asset in Conviso Platform.
Step 6 - Validate a successful run
After a PR merge, confirm the pipeline run is created and finished successfully.
Troubleshooting
| Problem | What to check |
|---|---|
| PR merged but no pipeline run is created | Confirm AST Scans is enabled, the asset mapping is active for the merged branch, and Orchestrator configuration (organization/project/pipeline ID/ref) is correct. |
Pipeline trigger fails with Unexpected parameter 'api_url' | Keep api_url declared in pipeline parameters for compatibility with worker payload. |
| Git clone fails with repository not found/permission denied | Validate ADO_GIT_PAT scopes and access to cross-project repositories. |
Invalid API key in AST | Confirm CONVISO_API_KEY belongs to the same environment used by CONVISO_API_URL. |
| Pipeline runs but no findings are created | Confirm the asset naming (organization/repository) is mapped correctly and review pipeline logs for conviso ast run errors. |
Support
If you need help validating orchestrator settings, repository access, or pipeline permissions, contact Conviso Support.
Contribute to the Docs
Found something outdated or missing? Help us improve the documentation with a quick suggestion or edit.
How to contributeResources
By exploring our content, you'll find resources that will enhance your understanding of the importance of a Security Application Program.
Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.
Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.