Azure DevOps

Run Rorix vulnerability scans as part of your Azure DevOps build and release pipelines.

Marketplace Extension

The easiest way to integrate Rorix is with the Rorix Security Scanner extension from the Azure DevOps Marketplace. Install it into your organization, then use the RorixScan task directly in your pipelines:

steps:
  - task: RorixScan@0
    inputs:
      apiKey: $(RORIX_API_KEY)
      command: scan
      format: sarif

The extension handles CLI installation and authentication automatically. See the available inputs (command, format, policyFile, path) in the extension's marketplace listing.

Manual CLI Setup

If you prefer to install the CLI yourself, use the script-based approach below.

Basic Scan

trigger:
  - main
 
pool:
  vmImage: 'ubuntu-latest'
 
steps:
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '8.x'
 
  - script: |
      dotnet tool install -g Rorix.Cli
      rorix login $(RORIX_API_KEY)
      rorix scan
    displayName: 'Rorix Vulnerability Scan'

Policy Enforcement

trigger:
  - main
 
pool:
  vmImage: 'ubuntu-latest'
 
steps:
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '8.x'
 
  - script: |
      dotnet tool install -g Rorix.Cli
      rorix login $(RORIX_API_KEY)
      rorix scan --policy .rorix.yml --exit-code
    displayName: 'Rorix Policy Check'

When --exit-code is set, the pipeline step fails if any policy violations are found, blocking the build.

Setting Up the API Key

Store your Rorix API key securely using Azure DevOps Variable Groups:

  1. Go to Pipelines then Library in your Azure DevOps project
  2. Create a new Variable Group or use an existing one
  3. Add a variable named RORIX_API_KEY
  4. Click the lock icon to mark it as a secret
  5. Link the Variable Group to your pipeline:
variables:
  - group: 'Rorix'
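
The pipeline below is an added example, not taken from the Rorix documentation: it links the 'Rorix' variable group and hands the secret to the script through an explicit env mapping instead of expanding $(RORIX_API_KEY) inside the script text. The rorix commands are the ones shown on this page; the set -eu line and the choice to reuse RORIX_API_KEY as the environment variable name are assumptions of the example.

```yaml
# Added example: policy check using the secret from the 'Rorix' variable group.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: 'Rorix'   # variable group that holds the secret RORIX_API_KEY

steps:
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '8.x'

  - script: |
      # Assumption of this example: stop at the first failing command or
      # unset variable, so a failed login does not fall through to the scan.
      set -eu
      dotnet tool install -g Rorix.Cli
      # The key is read from the step's environment at run time; its value
      # is not substituted into the generated script file.
      rorix login "$RORIX_API_KEY"
      rorix scan --policy .rorix.yml --exit-code
    displayName: 'Rorix Policy Check'
    env:
      # Azure Pipelines does not expose secret variables to scripts as
      # environment variables unless they are mapped explicitly here.
      RORIX_API_KEY: $(RORIX_API_KEY)
```

Because the mapping is per step, only the step that declares it can read the key from its environment.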

SBOM Generation

Generate an SBOM artifact as part of your build:

steps:
  - script: |
      dotnet tool install -g Rorix.Cli
      rorix login $(RORIX_API_KEY)
      rorix sbom --format cyclonedx --output $(Build.ArtifactStagingDirectory)/sbom.json
    displayName: 'Generate SBOM'
 
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/sbom.json'
      artifactName: 'sbom'