First published on MSDN on Sep 26, 2018
Run security analysis tools in Azure DevOps Pipelines
Secure Development Lifecycle (SDL) Guidelines
recommend that teams perform static analysis during the implementation phase of your development cycle.
The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running of static analysis tools in your Azure DevOps pipelines.
The private preview is currently under NDA and “Invitation Only” so only select customer will be provided access.
Security Static Analysis Tools Available
The Microsoft Security Code Analysis extension makes readily available to you, the latest versions of important static analysis tools. The extension includes both Microsoft Internal and Open Source tools. The tools get automatically downloaded on the cloud-hosted agent once you configure & run the pipeline using the corresponding build task. Below is the list of tools that are available in the extension today.
Passwords and other secrets stored in source code is currently a big problem. Credential Scanner is a static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.
Microsoft Security Risk Detection
Security Risk Detection is Microsoft's unique cloud-based fuzz testing service for identifying exploitable security bugs in software.
BinSkim is a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.
TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors and build systems and can be customized with your own lint rules, configurations, and formatters. TSLint is an open source tool.
More Information on Github
The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis Extension. It must be run on a build agent which has Windows Defender already installed.
For more details and to signup for the private preview visit