---
# llm-security — Azure DevOps pipeline
#
# Runs a deterministic security scan for AI/LLM projects inside the pipeline.
# The scanner makes no LLM calls and sends no data off the agent, so the job
# is Schrems II compatible as-is.
#
# Full configuration reference: docs/ci-cd-guide.md
#
# NOTE(review): `npx llm-security` carries no version, so every run resolves
# whatever the registry currently publishes; pinning the package
# (`npx llm-security@<PINNED_VERSION>`) or running the checked-in copy
# (`node bin/llm-security.mjs scan . --fail-on high --format sarif
# --output-file $(Build.ArtifactStagingDirectory)/results.sarif`) keeps the
# scanner reproducible and limits exposure to a tampered release.

trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  # Node.js runtime for the scanner.
  - task: NodeTool@0
    displayName: Install Node.js 18
    inputs:
      versionSpec: "18.x"

  # The scan exits 1 when any finding is at or above the --fail-on severity;
  # output is written as SARIF so it can be published below.
  - script: >-
      npx llm-security scan . --fail-on high --format sarif
      --output-file $(Build.ArtifactStagingDirectory)/results.sarif
    displayName: Run llm-security scan

  # always(): the SARIF report is published even when the scan step failed the
  # build, so findings that caused the failure are still visible.
  - task: PublishBuildArtifacts@1
    condition: always()
    displayName: Publish SARIF results
    inputs:
      pathToPublish: $(Build.ArtifactStagingDirectory)/results.sarif
      artifactName: llm-security-scan

# With Azure DevOps Advanced Security enabled, the publish step above can be
# swapped for:
#   - task: AdvancedSecurity-Publish@1
#     condition: always()
#     displayName: Publish to Advanced Security
#
# Scanner flags:
#   --fail-on       exit 1 if findings at or above the given severity
#   --compact       one line per finding (reduced log noise)
#   --format sarif  OASIS SARIF 2.1.0 output
#
# The same settings can live in .llm-security/policy.json:
#   { "ci": { "failOn": "high", "compact": true } }