How can I ensure that a particular scan is run at the end of an Azure Pipeline? The user should not be able to delete/modify this task. I cannot use decorators because they inject jobs across all pipelines in the Azure Organization, or I will need to filter using project names, which is not possible. Is there some other way to make this mandatory?
CodePudding user response:
Based on your requirement, pipeline decorators can directly meet it.
Pipeline decorators also support filtering by project name.
You can define the if expression in the decorator YAML file to filter the projects.
Here is an example:
my-decorator.yml
steps:
- ${{ if in(variables['System.TeamProject'], '123', 'azure', 'ProjectC') }}:
  - task: CmdLine@2
    displayName: 'Run my script (injected from decorator)'
    inputs:
      script: 'echo "test"'
Result:
When the project name meets the filter, it will run the pipeline decorator task.
If not, it will not run the pipeline decorator task.
For more detailed info, you can refer to this doc: Use a decorator to inject steps into a pipeline
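
One way to check that the injected step really ran in every job of a build, as an added example that is not part of the original answer. It assumes timeline records shaped like the "records" list of the Azure DevOps Build Timeline REST API (`type`, `id`, `parentId`, `name`, `result`); `audit_timeline` is a hypothetical helper name and the sample records are constructed.

```python
"""Audit a build timeline for the decorator-injected step (added example)."""

# Display name taken from the decorator YAML in the answer above.
INJECTED_STEP = "Run my script (injected from decorator)"


def audit_timeline(records, step_name=INJECTED_STEP):
    """Return {job name: status} for each job where the step did not succeed.

    `records` is assumed to be the "records" list of a build timeline: dicts
    with "type", "id", "parentId", "name" and "result".
    audit_timeline is a hypothetical helper name, not an Azure DevOps API.
    """
    jobs = {r["id"]: r["name"] for r in records if r.get("type") == "Job"}

    # Result of the injected step, keyed by the job it belongs to.
    seen = {}
    for r in records:
        if r.get("type") == "Task" and r.get("name") == step_name:
            seen[r.get("parentId")] = r.get("result")

    findings = {}
    for job_id, job_name in jobs.items():
        if job_id not in seen:
            findings[job_name] = "missing"
        elif seen[job_id] != "succeeded":
            # "skipped", "failed", "canceled", or no result yet (still running).
            findings[job_name] = seen[job_id] or "not finished"
    return findings


# Constructed sample records, not output from a real build.
SAMPLE_RECORDS = [
    {"type": "Job", "id": "j1", "parentId": "p1", "name": "Build", "result": "succeeded"},
    {"type": "Task", "id": "t1", "parentId": "j1", "name": "Checkout", "result": "succeeded"},
    {"type": "Task", "id": "t2", "parentId": "j1", "name": INJECTED_STEP, "result": "succeeded"},
    {"type": "Job", "id": "j2", "parentId": "p1", "name": "Test", "result": "failed"},
    {"type": "Task", "id": "t3", "parentId": "j2", "name": "Run tests", "result": "failed"},
    {"type": "Task", "id": "t4", "parentId": "j2", "name": INJECTED_STEP, "result": "skipped"},
    {"type": "Job", "id": "j3", "parentId": "p1", "name": "Deploy", "result": "succeeded"},
    {"type": "Task", "id": "t5", "parentId": "j3", "name": "Deploy app", "result": "succeeded"},
]

if __name__ == "__main__":
    for job, status in audit_timeline(SAMPLE_RECORDS).items():
        print(f"{job}: injected step {status}")
```

The "skipped" finding for the Test job is what a step with the default condition reports after an earlier step in the same job fails; setting `condition: always()` on the injected step makes it run in that case too.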