2026-04-10 14:59:05 +02:00 · 2026-04-10 14:59:05 +02:00 · 2c33e9cc64
commit 2c33e9cc64
parent d642203991
15 changed files with 599 additions and 17 deletions
--- a/plugins/llm-security/ci/azure-pipelines.yml
+++ b/plugins/llm-security/ci/azure-pipelines.yml
@ -0,0 +1,46 @@
+# llm-security — Azure DevOps pipeline
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the scan script with:
+#   script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file $(Build.ArtifactStagingDirectory)/results.sarif
+
+trigger:
+  branches:
+    include:
+      - main
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+  - task: NodeTool@0
+    displayName: Install Node.js 18
+    inputs:
+      versionSpec: '18.x'
+
+  - script: npx llm-security scan . --fail-on high --format sarif --output-file $(Build.ArtifactStagingDirectory)/results.sarif
+    displayName: Run llm-security scan
+
+  - task: PublishBuildArtifacts@1
+    condition: always()
+    displayName: Publish SARIF results
+    inputs:
+      pathToPublish: $(Build.ArtifactStagingDirectory)/results.sarif
+      artifactName: llm-security-scan
+
+# For Azure DevOps Advanced Security (if enabled):
+# Replace PublishBuildArtifacts with:
+#   - task: AdvancedSecurity-Publish@1
+#     condition: always()
+#     displayName: Publish to Advanced Security
+#
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }