Skip to content
Latchkey

How to Run a Dependency Security Scan in Azure Pipelines

Scan dependencies in Azure Pipelines with the OWASP Dependency-Check task, or a lightweight npm audit step.

Use the marketplace dependency-check-build-task for full SCA with a report, or run npm audit directly when you only need a quick gate that fails on high-severity advisories.

Dependency-Check task with a gate

The task scans the workspace and fails the build when findings exceed the CVSS threshold.

azure-pipelines.yml
steps:
  - task: dependency-check-build-task@6
    displayName: Dependency-Check
    inputs:
      projectName: 'my-app'
      scanPath: '$(Build.SourcesDirectory)'
      format: 'HTML,JUNIT'
      failOnCVSS: '7'
  - script: npm audit --audit-level=high
    displayName: npm audit

Gotchas

  • The Dependency-Check task is a marketplace extension - install it into the org before referencing it.
  • The first run downloads the NVD database; cache the data directory or the scan is slow every build.
  • failOnCVSS sets the gate threshold; without it the report is produced but the build never fails.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →