Azure DevOps Template

[RubenHalman]

Azure DevOps:

azure-pipelines.yml

trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:

  # Install Salesforce CLI
  - script: npm install @salesforce/cli --global
    displayName: Install Salesforce CLI
    condition: eq(variables['Agent.OS'], 'Linux')

  # Capture SARIF from stdout → file
  - script: |
      sf flow:scan --sarif > $(Build.ArtifactStagingDirectory)/results.sarif
    displayName: Run Flow Scanner (stdout to SARIF)

  # Upload SARIF and fail on any error/warning
  - task: PublishSecurityAnalysisLogs@1
    displayName: Upload SARIF (Fail on Issues)
    inputs:
      SarifFile: $(Build.ArtifactStagingDirectory)/results.sarif
      FailOnIssues: true

[RubenHalman]

@kknapp1 I’d love to include a ready-to-use Azure DevOps YAML template for the Lightning Flow Scanner, it would be a huge help for teams using ADO!

If you have a moment, could you try the snippet above and let me know if it works (or if anything needs tweaking)?

[kknapp1]

Thanks, @RubenHalman - I'll do my best to get to this before the week's over. I appreciate your assistance in getting this working in our ADO pipeline.

[RubenHalman]

@kknapp1 Thank you for the amazing suggestion, which is a contribution in itself=) I am happy to help improve the CLI plugin for this use case specifically. Please note while our CLI plugin also benefits from standard Salesforce CLI functionality, it will be limited in the sense that it scans the entire branch and it is not able to separate newer changes from existing code. If that is something you want, we could consider building an ADO template using the Core or GitHub action directly