azure-templates.md
December 11, 2025 ยท View on GitHub
Azure Pipelines Templates
These samples show two common ways to run the Lightning Flow Scanner from Azure DevOps. Each template installs the Salesforce CLI inside the official salesforce/cli:latest-slim container, adds the lightning-flow-scanner plugin, executes sf flow:scan, and uploads a SARIF report as a build artifact so violations can be reviewed with the SARIF Results Viewer extension.
Included templates
-
azure-pipelines-flow-FullScan.ymlRuns the scanner across the entire repo (or the default metadata folder) every time the pipeline triggers. The job is intentionally small: check out the code, ensure the plugin is available, runsf flow:scan --sarif, and publishresults.sarifviaPublishBuildArtifacts@1. Add additional stages (tests, packaging) by extending this template. -
azure-pipelines-flow-changedFiles.yml
Optimizes for pull requests by scanning only files that change relative to a target branch (defaultorigin/main). It persists Git credentials so it cangit fetchand uses a bash step to copy added/modified files into$(Build.ArtifactStagingDirectory)/diff. The scanner is then pointed at that folder to shorten runtimes while still producing a SARIF artifact.
How to use these templates
- Copy the desired YAML file into your Azure DevOps repo (commonly under
.azure-pipelines/or at the root). - In Azure DevOps, create a new pipeline and reference the YAML path when prompted.
- For the changed-files variant, update the
variablesblock if your default branch is notorigin/main, or if you want to store diffs elsewhere. - (Optional) Install the SARIF SAST Scans Tab extension so teams can review
results.sarifdirectly within the pipeline summary.
Dependencies and related docs
- Salesforce CLI: Provided by the
salesforce/cli:latest-slimcontainer. If you switch containers/VMs, ensuresfis installed and on thePATH. - Lightning Flow Scanner plugin: Installed via
sf plugins install lightning-flow-scanner. See the main Lightning Flow Scanner README for configuration options such as custom rule sets. - Git (changed-files pipeline): Requires fetch permissions on the target branch to build the diff. Azure Pipelines handles this automatically when
persistCredentials: trueandfetchDepth: 1are set. - SARIF tooling: Pipelines emit
CodeAnalysisLogs/results.sarif. Use Azure DevOps extensions or downstream tooling (GitHub Advanced Security, VS Code SARIF viewer, etc.) to visualize the findings.
Adapt these templates as needed: add caching, integrate test stages, or call other CLI commands before/after the flow scan to match your organization's release process.