azure-templates.md

December 11, 2025 ยท View on GitHub

Azure Pipelines Templates

These samples show two common ways to run the Lightning Flow Scanner from Azure DevOps. Each template installs the Salesforce CLI inside the official salesforce/cli:latest-slim container, adds the lightning-flow-scanner plugin, executes sf flow:scan, and uploads a SARIF report as a build artifact so violations can be reviewed with the SARIF Results Viewer extension.

Included templates

  • azure-pipelines-flow-FullScan.yml Runs the scanner across the entire repo (or the default metadata folder) every time the pipeline triggers. The job is intentionally small: check out the code, ensure the plugin is available, run sf flow:scan --sarif, and publish results.sarif via PublishBuildArtifacts@1. Add additional stages (tests, packaging) by extending this template.

  • azure-pipelines-flow-changedFiles.yml
    Optimizes for pull requests by scanning only files that change relative to a target branch (default origin/main). It persists Git credentials so it can git fetch and uses a bash step to copy added/modified files into $(Build.ArtifactStagingDirectory)/diff. The scanner is then pointed at that folder to shorten runtimes while still producing a SARIF artifact.

How to use these templates

  1. Copy the desired YAML file into your Azure DevOps repo (commonly under .azure-pipelines/ or at the root).
  2. In Azure DevOps, create a new pipeline and reference the YAML path when prompted.
  3. For the changed-files variant, update the variables block if your default branch is not origin/main, or if you want to store diffs elsewhere.
  4. (Optional) Install the SARIF SAST Scans Tab extension so teams can review results.sarif directly within the pipeline summary.
  • Salesforce CLI: Provided by the salesforce/cli:latest-slim container. If you switch containers/VMs, ensure sf is installed and on the PATH.
  • Lightning Flow Scanner plugin: Installed via sf plugins install lightning-flow-scanner. See the main Lightning Flow Scanner README for configuration options such as custom rule sets.
  • Git (changed-files pipeline): Requires fetch permissions on the target branch to build the diff. Azure Pipelines handles this automatically when persistCredentials: true and fetchDepth: 1 are set.
  • SARIF tooling: Pipelines emit CodeAnalysisLogs/results.sarif. Use Azure DevOps extensions or downstream tooling (GitHub Advanced Security, VS Code SARIF viewer, etc.) to visualize the findings.

Adapt these templates as needed: add caching, integrate test stages, or call other CLI commands before/after the flow scan to match your organization's release process.