How to Run a Dependency Security Scan in Azure Pipelines
Scan dependencies in Azure Pipelines with the OWASP Dependency-Check task, or a lightweight npm audit step.
Use the marketplace dependency-check-build-task for full SCA with a report, or run npm audit directly when you only need a quick gate that fails on high-severity advisories.
Dependency-Check task with a gate
The task scans the workspace and fails the build when findings exceed the CVSS threshold.
azure-pipelines.yml
steps:
- task: dependency-check-build-task@6
displayName: Dependency-Check
inputs:
projectName: 'my-app'
scanPath: '$(Build.SourcesDirectory)'
format: 'HTML,JUNIT'
failOnCVSS: '7'
- script: npm audit --audit-level=high
displayName: npm auditGotchas
- The Dependency-Check task is a marketplace extension - install it into the org before referencing it.
- The first run downloads the NVD database; cache the data directory or the scan is slow every build.
failOnCVSSsets the gate threshold; without it the report is produced but the build never fails.
Related guides
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…
How to Run SAST and Dependency Scanning in GitLab CIRun SAST and dependency scanning in GitLab CI by including the built-in security templates, which add scanner…