devopsabcs-engineering
diff --git a/‎.azuredevops/pipelines/code-quality-lint-gate.yml‎
Lines changed: 1 addition & 1 deletion b/‎.azuredevops/pipelines/code-quality-lint-gate.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.azuredevops/pipelines/code-quality-scan.yml‎
Lines changed: 25 additions & 52 deletions b/‎.azuredevops/pipelines/code-quality-scan.yml‎
Lines changed: 25 additions & 52 deletions
diff --git a/‎.azuredevops/pipelines/deploy-all.yml‎
Lines changed: 43 additions & 0 deletions b/‎.azuredevops/pipelines/deploy-all.yml‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎.azuredevops/pipelines/scan-and-store.yml‎
Lines changed: 47 additions & 6 deletions b/‎.azuredevops/pipelines/scan-and-store.yml‎
Lines changed: 47 additions & 6 deletions
diff --git a/‎.azuredevops/pipelines/templates/app-repo-scan.yml‎
Lines changed: 111 additions & 0 deletions b/‎.azuredevops/pipelines/templates/app-repo-scan.yml‎
Lines changed: 111 additions & 0 deletions
@@ -12,7 +12,7 @@ steps:
   - checkout: self
 
   - script: |
-      npx mega-linter-runner --flavor dotnetweb -e VALIDATE_ALL_CODEBASE=false -e SARIF_REPORTER=true
+      npx mega-linter-runner -e VALIDATE_ALL_CODEBASE=false -e SARIF_REPORTER=true
     displayName: 'Run MegaLinter (changed files only)'
 
   - script: |
 
@@ -13,55 +13,28 @@ pool:
 variables:
   - template: variables/common.yml
 
-strategy:
-  matrix:
-    app001:
-      appId: '001'
-      repoName: 'cq-demo-app-001'
-    app002:
-      appId: '002'
-      repoName: 'cq-demo-app-002'
-    app003:
-      appId: '003'
-      repoName: 'cq-demo-app-003'
-    app004:
-      appId: '004'
-      repoName: 'cq-demo-app-004'
-    app005:
-      appId: '005'
-      repoName: 'cq-demo-app-005'
-
-steps:
-  - checkout: self
-
-  - task: UsePythonVersion@0
-    inputs:
-      versionSpec: '3.12'
-
-  - script: |
-      pip install lizard
-      pip install jscpd
-    displayName: 'Install scanning tools'
-
-  - script: |
-      npx mega-linter-runner --flavor dotnetweb -e VALIDATE_ALL_CODEBASE=true -e SARIF_REPORTER=true
-    displayName: 'Run MegaLinter on $(repoName)'
-    workingDirectory: $(repoName)
-
-  - script: |
-      lizard --csv $(repoName)/src/ > $(Build.ArtifactStagingDirectory)/lizard-output.csv
-      python src/converters/lizard-to-sarif.py \
-        --input $(Build.ArtifactStagingDirectory)/lizard-output.csv \
-        --output $(Build.ArtifactStagingDirectory)/complexity-$(appId).sarif
-    displayName: 'Run complexity analysis on $(repoName)'
-
-  - task: AdvancedSecurity-Publish@1
-    inputs:
-      SarifFileDirectory: '$(Build.ArtifactStagingDirectory)'
-    displayName: 'Publish SARIF to Advanced Security'
-
-  - task: PublishBuildArtifacts@1
-    inputs:
-      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
-      ArtifactName: 'sarif-results-$(appId)'
-    displayName: 'Publish SARIF artifacts'
+# This orchestrator triggers the per-app scan pipelines.
+# Each app pipeline runs in its own repo context so that
+# AdvancedSecurity-Publish@1 associates SARIF with the correct repo.
+
+jobs:
+  - job: TriggerScans
+    displayName: 'Trigger per-repo code quality scans'
+    steps:
+      - checkout: none
+
+      - script: |
+          set -euo pipefail
+          for APP in 001 002 003 004 005; do
+            PIPELINE_NAME="Code Quality Scan - cq-demo-app-${APP}"
+            echo "Triggering pipeline: ${PIPELINE_NAME}"
+            az pipelines run \
+              --name "${PIPELINE_NAME}" \
+              --branch main \
+              --org "https://dev.azure.com/$(adoOrg)" \
+              --project "$(adoProject)" \
+              --output table || echo "⚠️ Failed to trigger ${PIPELINE_NAME} — it may not exist yet."
+          done
+        displayName: 'Trigger all app scan pipelines'
+        env:
+          AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
@@ -7,8 +7,51 @@ variables:
   - template: variables/common.yml
 
 stages:
+  - stage: DeployStorage
+    displayName: 'Deploy ADLS Gen2 Storage'
+    jobs:
+      - job: DeployADLS
+        displayName: 'Deploy ADLS Gen2 for scan results'
+        steps:
+          - checkout: self
+
+          - task: AzureCLI@2
+            displayName: 'Create Storage Resource Group'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                az group create --name $(storageResourceGroup) --location $(location)
+
+          - task: AzureCLI@2
+            displayName: 'Deploy ADLS Gen2 (uniqueString naming)'
+            name: storage
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                outputs=$(az deployment group create \
+                  --resource-group $(storageResourceGroup) \
+                  --name "deploy-storage-$(Build.BuildId)" \
+                  --template-file infra/storage.bicep \
+                  --query 'properties.outputs' -o json)
+                STORAGE_NAME=$(echo $outputs | jq -r '.storageAccountName.value')
+                CONTAINER=$(echo $outputs | jq -r '.containerName.value')
+                DFS_ENDPOINT=$(echo $outputs | jq -r '.dfsEndpoint.value')
+                echo "##vso[task.setvariable variable=storageAccountName;isoutput=true]$STORAGE_NAME"
+                echo "##vso[task.setvariable variable=containerName;isoutput=true]$CONTAINER"
+                echo "##vso[task.setvariable variable=dfsEndpoint;isoutput=true]$DFS_ENDPOINT"
+                echo "Storage Account: $STORAGE_NAME"
+                echo "Container: $CONTAINER"
+                echo "DFS Endpoint: $DFS_ENDPOINT"
+
   - stage: Deploy
     displayName: 'Deploy All Demo Apps'
+    dependsOn: DeployStorage
+    variables:
+      storageAccountName: $[ stageDependencies.DeployStorage.DeployADLS.outputs['storage.storageAccountName'] ]
     jobs:
       - job: DeployApp001
         displayName: 'Deploy cq-demo-app-001'
 
@@ -13,6 +13,9 @@ pool:
 variables:
   - template: variables/common.yml
 
+# Scan and Store orchestrator: triggers per-app scan pipelines then
+# collects and uploads SARIF artifacts to ADLS Gen2 for Power BI.
+
 strategy:
   matrix:
     app001:
@@ -34,6 +37,20 @@ strategy:
 steps:
   - checkout: self
 
+  - task: AzureCLI@2
+    displayName: 'Resolve ADLS Gen2 storage account name'
+    name: resolveStorage
+    inputs:
+      azureSubscription: '$(serviceConnection)'
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        STORAGE_NAME=$(az storage account list \
+          --resource-group $(storageResourceGroup) \
+          --query "[0].name" -o tsv)
+        echo "Resolved storage account: $STORAGE_NAME"
+        echo "##vso[task.setvariable variable=storageAccountName]$STORAGE_NAME"
+
   - task: UsePythonVersion@0
     inputs:
       versionSpec: '3.12'
@@ -42,17 +59,32 @@ steps:
       pip install lizard
     displayName: 'Install scanning tools'
 
+  # Free disk space — the MegaLinter Docker image is large
   - script: |
-      npx mega-linter-runner --flavor dotnetweb -e VALIDATE_ALL_CODEBASE=true -e SARIF_REPORTER=true
+      sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /usr/local/share/boost
+      sudo docker image prune -af
+      df -h /
+    displayName: 'Free disk space'
+
+  - script: |
+      npx mega-linter-runner -e VALIDATE_ALL_CODEBASE=true -e SARIF_REPORTER=true
     displayName: 'Run MegaLinter on $(repoName)'
     workingDirectory: $(repoName)
+    continueOnError: true
+
+  - script: |
+      cp $(repoName)/megalinter-reports/sarif/*.sarif \
+        $(Build.ArtifactStagingDirectory)/ 2>/dev/null || true
+    displayName: 'Collect MegaLinter SARIF'
+    continueOnError: true
 
   - script: |
-      lizard --csv $(repoName)/src/ > $(Build.ArtifactStagingDirectory)/lizard-output.csv
+      lizard --csv $(repoName)/src/ > $(Build.ArtifactStagingDirectory)/lizard-output.csv 2>/dev/null || true
       python src/converters/lizard-to-sarif.py \
         --input $(Build.ArtifactStagingDirectory)/lizard-output.csv \
         --output $(Build.ArtifactStagingDirectory)/complexity-$(appId).sarif
     displayName: 'Run complexity analysis'
+    continueOnError: true
 
   - task: AzureCLI@2
     inputs:
@@ -66,7 +98,16 @@ steps:
         -AppId $(appId)
     displayName: 'Upload SARIF results to ADLS Gen2'
 
-  - task: AdvancedSecurity-Publish@1
-    inputs:
-      SarifFileDirectory: '$(Build.ArtifactStagingDirectory)'
-    displayName: 'Publish SARIF to Advanced Security'
+  - script: |
+      set -euo pipefail
+      PIPELINE_NAME="Code Quality Scan - $(repoName)"
+      echo "Triggering pipeline: ${PIPELINE_NAME}"
+      az pipelines run \
+        --name "${PIPELINE_NAME}" \
+        --branch main \
+        --org "https://dev.azure.com/$(adoOrg)" \
+        --project "$(adoProject)" \
+        --output table || echo "⚠️ Failed to trigger ${PIPELINE_NAME}"
+    displayName: 'Trigger per-app scan for Advanced Security'
+    env:
+      AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
@@ -0,0 +1,111 @@
+# Code Quality Scan pipeline for individual app repos.
+# This pipeline runs in the context of the app repo so that
+# AdvancedSecurity-Publish@1 associates SARIF with this repo.
+#
+# Triggered manually or by the orchestrator pipeline in the scanner repo.
+#
+# Set pipeline variable 'megalinterFlavor' to the MegaLinter flavor for this
+# app's language (e.g. javascript, python, dotnet, java, go). Falls back to
+# the cupcake flavor if not set.
+
+trigger: none
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+resources:
+  repositories:
+    - repository: scanner
+      type: git
+      name: CodeQuality/code-quality-scan-demo-app
+      ref: main
+
+steps:
+  - checkout: self
+    path: 'app'
+
+  - checkout: scanner
+    path: 'scanner'
+
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '3.12'
+
+  # Free disk space — the MegaLinter Docker image is large
+  - script: |
+      sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /usr/local/share/boost
+      sudo docker image prune -af
+      df -h /
+    displayName: 'Free disk space'
+
+  - script: |
+      pip install lizard
+    displayName: 'Install scanning tools'
+
+  - script: |
+      npx mega-linter-runner --flavor $(megalinterFlavor) \
+        -e VALIDATE_ALL_CODEBASE=true \
+        -e SARIF_REPORTER=true
+    displayName: 'Run MegaLinter ($(megalinterFlavor))'
+    workingDirectory: '$(Pipeline.Workspace)/app'
+    continueOnError: true
+
+  - script: |
+      mkdir -p $(Build.ArtifactStagingDirectory)
+      # Copy MegaLinter SARIF and fix paths from Docker container (/tmp/lint/)
+      # to be relative to the repo root so Scans tab links work
+      for f in $(Pipeline.Workspace)/app/megalinter-reports/sarif/*.sarif; do
+        [ -f "$f" ] || continue
+        sed 's|/tmp/lint/||g' "$f" > $(Build.ArtifactStagingDirectory)/$(basename "$f")
+      done
+    displayName: 'Collect MegaLinter SARIF'
+    continueOnError: true
+
+  - script: |
+      SRC_DIR="$(Pipeline.Workspace)/app/src"
+      if [ ! -d "$SRC_DIR" ]; then
+        SRC_DIR="$(Pipeline.Workspace)/app"
+      fi
+      lizard --csv "$SRC_DIR" \
+        > $(Build.ArtifactStagingDirectory)/lizard-output.csv 2>/dev/null || true
+      # Fix absolute paths in lizard CSV to be repo-relative before conversion
+      sed -i "s|$(Pipeline.Workspace)/app/||g" \
+        $(Build.ArtifactStagingDirectory)/lizard-output.csv 2>/dev/null || true
+      python $(Pipeline.Workspace)/scanner/src/converters/lizard-to-sarif.py \
+        --input $(Build.ArtifactStagingDirectory)/lizard-output.csv \
+        --output $(Build.ArtifactStagingDirectory)/complexity.sarif
+    displayName: 'Run complexity analysis'
+    continueOnError: true
+
+  # Fix all SARIF uris to be repo-relative (strip any remaining absolute paths)
+  - script: |
+      cd $(Build.ArtifactStagingDirectory)
+      for f in *.sarif; do
+        [ -f "$f" ] || continue
+        # Remove any absolute path prefix, keep repo-relative paths
+        sed -i "s|$(Pipeline.Workspace)/app/||g" "$f"
+        sed -i 's|/home/vsts/work/[^/]*/s/[^/]*/||g' "$f"
+      done
+    displayName: 'Normalize SARIF paths'
+    continueOnError: true
+
+  # Copy SARIF to the directory AdvancedSecurity-Publish@1 actually reads from
+  - script: |
+      ADVSEC_DIR="$(Agent.TempDirectory)/.advsec"
+      mkdir -p "$ADVSEC_DIR"
+      cp $(Build.ArtifactStagingDirectory)/*.sarif "$ADVSEC_DIR/" 2>/dev/null || true
+      echo "SARIF files in $ADVSEC_DIR:"
+      ls -la "$ADVSEC_DIR/"*.sarif 2>/dev/null || echo "  (none)"
+    displayName: 'Stage SARIF for Advanced Security'
+    condition: always()
+
+  - task: AdvancedSecurity-Publish@1
+    displayName: 'Publish SARIF to Advanced Security'
+    condition: always()
+
+  - task: PublishBuildArtifacts@1
+    inputs:
+      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+      ArtifactName: 'CodeAnalysisLogs'
+    displayName: 'Publish SARIF artifacts'
+    condition: always()