Azure Pipelines

Qodana Scan is an Azure Pipelines task packed inside the Qodana Azure Pipelines extension to analyze your code within existing pipelines using Qodana.

Before you start

All configuration examples in this section use a project token generated by Qodana Cloud. This token is required for the paid Qodana linters and optional for use with the Community linters. You can see these sections to learn how to generate the project token in the Qodana Cloud UI:
- The project setup section explains how to generate a project token when first working with Qodana Cloud.
- The Manage a project section explains how to create a project token within an existing Qodana Cloud Cloud organization.
Once you obtain the project token, go to your pipeline UI, create the QODANA_TOKEN secret variable, and save the project token as its value.
If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by setting the QODANA_ENDPOINT environment variable.
In your Azure DevOps organization, install the Qodana Azure Pipelines extension.

If you are using any VCS other than Azure Repos Git, you may need an additional step in your pipeline with Git credential configuration before the Qodana step. For example, if you are using GitHub, the following step can be used:

- script: |
      git remote set-url origin https://$(GITHUB_TOKEN)@github.com/your-org/your-repo
    displayName: 'Set git permissions'

Basic configuration

You can run the Qodana Scan task on any OS and x86_64/arm64 CPUs, but it requires the agent to have Docker installed. Additionally, since most Qodana Docker images are Linux-based, the Docker daemon must support running Linux containers.

You can configure this task using either a YAML-formatted file or the Classic interface. The detailed description of all configuration options is available in the Configuration chapter.

Below are basic configuration examples that will be expanded in the subsequent chapters of this section.

         # Start with a minimal pipeline that you can customize to build and deploy your code.
         # Add steps that build, run tests, deploy, and more:
         # https://aka.ms/yaml
          
         trigger:
           - main
          
         pool:
           vmImage: ubuntu-latest
          
         steps:
           - checkout: self 
             persistCredentials: true
           - task: Cache@2
             inputs:
               key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
               path: '$(Agent.TempDirectory)/qodana/cache'
               restoreKeys: |
                 "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
                 "$(Build.Repository.Name)"
           - task: QodanaScan@2025
             inputs:
               uploadResult: true
             env:
               QODANA_TOKEN: $(QODANA_TOKEN)
           

Here, the persistCredentials: true line lets you reuse credentials for Git-related actions like pull request analyses or running Quick-Fixes.

The Cache task lets you open projects faster using cache.

The uploadResult: true line tells Qodana to produce a qodana-report artifact. After running Qodana, navigate to the log directory to see logs.

The QODANA_TOKEN variable refers to the project token generated by Qodana Cloud.

Add the Qodana Scan task to the pipeline configuration and then configure it as shown below.

To have access to the system token during pull request analyses, follow the instructions from the Microsoft website.

Using input arguments

         # Start with a minimal pipeline that you can customize to build and deploy your code.
         # Add steps that build, run tests, deploy, and more:
         # https://aka.ms/yaml
          
         trigger:
           - main
          
         pool:
           vmImage: ubuntu-latest
          
         steps:
           - checkout: self
             persistCredentials: true
           - task: Cache@2
             inputs:
               key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
               path: '$(Agent.TempDirectory)/qodana/cache'
               restoreKeys: |
                 "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
                 "$(Build.Repository.Name)"
           - task: QodanaScan@2025
             inputs:
               uploadResult: true
               args: -e,AUSERNAME=$(AUSERNAME),-e,APASSWORD=$(APASSWORD)
             env:
               QODANA_TOKEN: $(QODANA_TOKEN)
           

Here, the -e option adds input arguments. If an argument has a value, you can use the notation like -i,frontend,-e,param=value.

Use the Qodana CLI arguments field to specify input arguments in the -i,frontend,-e,param=value notation.

Pull requests

This is how you can enable Qodana analysis for pull requests:

         pr:
           branches:
             include:
               - '*'
          
         pool:
           vmImage: ubuntu-latest
          
         steps:
           - checkout: self
             fetchDepth: 0
             persistCredentials: true
           - task: QodanaScan@2025
             env:
               QODANA_TOKEN: $(QODANA_TOKEN)
             inputs:
               prMode: true
           

Here, QODANA_TOKEN refers to the project token generated by Qodana Cloud.

In the classic interface editor, check the PR Mode option.

Quality gate and baseline

You can also configure the quality gate and baseline features as shown below.

In this configuration, the args: block configures the quality gate and baseline features using comma-separated options.

         # Start with a minimal pipeline that you can customize to build and deploy your code.
         # Add steps that build, run tests, deploy, and more:
         # https://aka.ms/yaml
          
         trigger:
           - main
          
         pool:
           vmImage: ubuntu-latest
          
         steps:
           - checkout: self
             persistCredentials: true
           - task: Cache@2
               key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
               path: '$(Agent.TempDirectory)/qodana/cache'
               restoreKeys: |
                 "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
                 "$(Build.Repository.Name)"
           - task: QodanaScan@2025
             env:
               QODANA_TOKEN: $(QODANA_TOKEN)
             inputs:
               args: '--baseline,qodana.sarif.json,--fail-threshold,5'
           

Use the Qodana CLI arguments field to configure the baseline and quality gate features using comma-separated options, for example:

The Qodana Scan task UI config for baseline and quality gate

Quick-Fixes

Configure a Quick-Fix strategy using either of the following configuration methods:
# Possible values: --apply-fixes | --cleanup args: --apply-fixes
Use the Qodana CLI arguments field to configure the Quick-Fix feature, for example:
# Possible values: apply | cleanup fixesStrategy: apply
Depending on your needs, configure the pushFixes property:
Use this configuration to create a new branch with fixes and a pull request to the original branch:
pushFixes: pull-request
Use the Push Quick-fixes field to configure the Quick-Fix feature.
Use this configuration to push fixes to the original branch:
pushFixes: branch
Use the Push Quick-Fixes field to configure the Quick-Fix feature.
Set permissions to your job. In the Azure Pipelines UI, for the Qodana for Azure Pipelines Build Service user enable the following repository permissions:
- Contribute
- Bypass policies when pushing if they may fail the push of Quick-Fixes
- Create branch if you use the pull-request setting

SARIF SAST Scans Tab

To display Qodana report summary in Azure DevOps UI on the Scans tab, install Microsoft DevLabs’ SARIF SAST Scans Tab extension and set the uploadSarif/Upload SARIF option in your pipeline configuration to true.

Configuration

This table contains the list of configuration options corresponding to the inputs block of a pipeline configuration and their analogs in the classic interface.

YAML option	UI element of the classic interface	Description	Default Value
`args`	Qodana CLI arguments	Additional Qodana CLI `scan` command arguments, split the arguments with commas (`,`), for example `-i,frontend`. If an argument has a value, you can pass it using `=`, for example `-e,param=value`. Optional.	None
`resultsDir`	Results Directory	Directory to store the analysis results. Optional.	`$(Agent.TempDirectory)/qodana/results`
`uploadResult`	Upload Result	Upload Qodana results as an artifact to the job. Optional.	`false`
`uploadSarif`	Upload SARIF	Upload qodana.sarif.json as an qodana.sarif artifact to the job. Optional.	`true`
`artifactName`	Artifact Name	Specify Qodana results artifact name used for result uploading. Optional.	`qodana-report`
`cacheDir`	Cache Directory	Directory to store Qodana caches. Optional.	`$(Agent.TempDirectory)/qodana/cache`
`useNightly`	Use unstable Qodana CLI nightly	Enable using an unstable version of Qodana CLI. Optional.	`false`
`prMode`	PR Mode	Enable pull request analyses	`true`
`postPrComment`	Post PR comment	Post a comment with the Qodana results summary to the pull request. Optional.	`true`
`pushFixes`	Push Quick-Fixes	Push Qodana fixes to the repository, can be `none`, `branch` to the current branch, or `pull-request`. Optional.	`none`
`commitMessage`	Commit Message	Commit message used when Quick-Fixes are applied	`🤖 Apply Quick-Fixes by Qodana`

26 November 2025