Azure DevOps

Integrate netbobr firewall rule analysis into Azure DevOps Pipelines. The CLI exit codes cause the pipeline to fail when findings exceed your severity threshold.

Basic Pipeline

A minimal azure-pipelines.yml that fails on high or critical findings:

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
    displayName: 'Install Node.js'

  - script: npx @netbobr/cli analyze firewall-rules.json --fail-on high
    displayName: 'Analyze Firewall Rules'

Azure DevOps treats any non-zero exit code as a failure, so the pipeline stops when high or critical findings are detected.

With SARIF Output

Generate a SARIF report and publish it as a build artifact:

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
    displayName: 'Install Node.js'

  - script: npx @netbobr/cli analyze firewall-rules.json --output sarif > $(Build.ArtifactStagingDirectory)/results.sarif
    displayName: 'Analyze Firewall Rules (SARIF)'
    continueOnError: true

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/results.sarif'
      artifactName: 'sarif-report'
    displayName: 'Publish SARIF Report'
    condition: always()

Note on SARIF in Azure DevOps

Azure DevOps does not natively import SARIF into a security dashboard. To view SARIF results within Azure DevOps, use the SARIF SAST Scans Tab extension. Alternatively, export the SARIF artifact to external tools that support the format.

With Configuration and PDF Report

Load a browser-exported netbobr configuration and generate a PDF compliance report:

  - script: |
      npx @netbobr/cli analyze rules.json \
        --config netbobr-config.json \
        --output pdf \
        --output-file $(Build.ArtifactStagingDirectory)/report.pdf
    displayName: 'Generate PDF Report'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/report.pdf'
      artifactName: 'compliance-report'
    displayName: 'Publish PDF Report'

Export your configuration from the netbobr web app using Session Control > Save and commit the JSON file to your repository.

Severity Gating

Control which severity levels fail the pipeline using --fail-on:

  # Fail only on critical findings
  - script: npx @netbobr/cli analyze rules.json --fail-on critical
    displayName: 'Analyze (critical only)'

  # Fail on high or critical findings
  - script: npx @netbobr/cli analyze rules.json --fail-on high
    displayName: 'Analyze (high+)'

  # Fail on any finding
  - script: npx @netbobr/cli analyze rules.json --fail-on low
    displayName: 'Analyze (all findings)'

Exit Code Reference

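| Exit Code | Severity   | Meaning                                 |
|-----------|------------|-----------------------------------------|
| 0         | Low / None | All flows are low risk or clean         |
| 1         | Medium     | At least one medium-severity finding    |
| 2         | High       | At least one high-severity finding      |
| 3         | Critical   | At least one critical-severity finding  |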

Use --fail-on <severity> to set the threshold. Severities below the threshold are treated as passing (exit code 0).
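
The exit codes above can drive a two-tier gate, shown here as an added example that is not part of the netbobr documentation: medium findings mark the step as succeeded with issues, high or critical findings fail it, and any exit code outside 0-3 (for example 127 when npx is missing) fails closed instead of passing. It assumes `--fail-on medium` is accepted and that exit codes at or above the threshold follow the table; the function names are hypothetical, and the script is meant to be called from a `script` step.

```shell
#!/bin/sh
# Added example: two-tier gate built on the documented netbobr exit codes.

# Map an exit code to the severity named in the Exit Code Reference.
severity_for_exit_code() {
  case "$1" in
    0) echo "low-or-none" ;;
    1) echo "medium" ;;
    2) echo "high" ;;
    3) echo "critical" ;;
    *) echo "unknown" ;;   # tool crash, missing npx, bad arguments, ...
  esac
}

# Decide the step outcome. Anything that is not a known low/medium
# result fails, so a broken scan can never look like a clean one.
gate_decision() {
  case "$(severity_for_exit_code "$1")" in
    low-or-none) echo "pass" ;;
    medium)      echo "warn" ;;
    *)           echo "fail" ;;
  esac
}

# Emit Azure DevOps logging commands; return non-zero only on "fail".
report_to_pipeline() {
  rp_sev="$(severity_for_exit_code "$1")"
  case "$(gate_decision "$1")" in
    pass) echo "netbobr: exit code 0, nothing at or above medium" ;;
    warn) echo "##vso[task.logissue type=warning]netbobr: $rp_sev findings (exit code $1)"
          echo "##vso[task.complete result=SucceededWithIssues;]" ;;
    fail) echo "##vso[task.logissue type=error]netbobr: $rp_sev result (exit code $1)"
          return 1 ;;
  esac
}

# TF_BUILD is set to "True" on Azure Pipelines agents, so the scan only
# runs there. Assumption: --fail-on accepts "medium".
if [ "${TF_BUILD:-}" = "True" ]; then
  code=0
  npx @netbobr/cli analyze firewall-rules.json --fail-on medium || code=$?
  report_to_pipeline "$code" || exit 1
fi
```

Do not combine this script with `continueOnError: true`, which would turn the fail-closed branch back into a warning.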