chore:SP-3775 Adds ADO PAT to settings options

CHANGELOG.md

@@ -7,9 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [1.3.1] - 2025-11-25
+## [1.4.0] - 2025-11-27
 ### Changed
 - Updated security permission documentation
+### Added
+- Added `adoPat` setting option
+- Updated setup documentation
 
 ## [1.3.0] - 2025-11-21
 ### Changed
@@ -36,4 +39,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.1.0]: https://github.com/scanoss/ado-code-scan/compare/v1.0.3...v1.1.0
 [1.2.0]: https://github.com/scanoss/ado-code-scan/compare/v1.1.0...v1.2.0
 [1.3.0]: https://github.com/scanoss/ado-code-scan/compare/v1.2.0...v1.3.0
-[1.3.1]: https://github.com/scanoss/ado-code-scan/compare/v1.3.0...v1.3.1
+[1.4.0]: https://github.com/scanoss/ado-code-scan/compare/v1.3.0...v1.4.0

OVERVIEW.md

@@ -56,9 +56,18 @@ A) Allow Pull Request Contribute Access:
   2. Select the repository Build Service account under the 'Users' group.
   3. Set the `Contribute to pull requests` and `Contribute" permissions` to `Allow`.
 
-
 ![Ado-setup-pull-request-contribution-access](https://github.com/scanoss/integration-azure-DevOps/blob/main/.github/assets/ADO-setup-2.png?raw=true)
 
+**Personal Access Token (PAT) Configuration**
+
+A Personal Access Token (PAT) is **only required** when the setting `Limit job authorization scope to current project for non-release pipelines` is set to **OFF** (as shown below). If this setting is **ON**, no PAT is needed.
+
+![Ado-setup-limit-job-authorization](https://github.com/scanoss/integration-azure-DevOps/blob/main/.github/assets/ADO-setup-4.png?raw=true)
+
+
+Create a PAT with the following minimum permissions:
+![ADO-PAT-permissions](https://github.com/scanoss/integration-azure-DevOps/blob/main/.github/assets/ADO-PAT-permissions.png?raw=true)
+
 
 B) Add Build Validation Policy to the integration branch:
   1. Open the 'Policies' tab.
@@ -169,6 +178,7 @@ When the pipeline is manually triggered or runs on a schedule, the results are u
 | scanossSettings          | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional       | `true`                               |
 | settingsFilepath         | Filepath of the SCANOSS settings to be used for scanning                                                                                                 | Optional       | `scanoss.json`                       |
 | debug                    | Enable debugging                                                                                                                                         | Optional       | `false`                              |
+| adoPat                   | ADO Personal Access Token                                                                                                                                | Optional       | -                                    |
 
 ## Policy Checks
 The SCANOSS Code Scan Task includes three configurable policies:

codescantask/app.input.ts

@@ -41,7 +41,7 @@ export const SCANOSS_SETTINGS = tl.getInput('scanossSettings') === 'true';
 export const SETTINGS_FILE_PATH = tl.getInput('settingsFilepath') || 'scanoss.json';
 export const EXECUTABLE = 'docker';
 export const DEBUG = tl.getInput('debug') === 'true';
-
+export const PAT = tl.getInput('adoPat') || "";
 // ============================================================================
 // Dependency Track Configuration
 // ============================================================================

codescantask/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-integration",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "",
   "main": "index.js",
   "scripts": {

codescantask/policies/policy-check.ts

@@ -22,7 +22,7 @@
  */
 
 import * as tl from 'azure-pipelines-task-lib';
-import { POLICIES_HALT_ON_FAILURE } from '../app.input';
+import {PAT, POLICIES_HALT_ON_FAILURE } from '../app.input';
 import axios from 'axios';
 import path from 'path';
 import fs from 'fs';
@@ -43,7 +43,7 @@ export abstract class PolicyCheck {
     private readonly buildReason: string | undefined;
     constructor(checkName: string) {
         this.checkName = checkName;
-        this.accessToken = tl.getVariable('System.AccessToken');
+        this.accessToken = PAT ? PAT : tl.getVariable('System.AccessToken');
         this.orgUrl = tl.getVariable('System.TeamFoundationCollectionUri') || '';
         this.project = tl.getVariable('System.TeamProjectId') || '';
         this.repositoryId = tl.getVariable('Build.Repository.Id') || '';

codescantask/task.json

@@ -9,8 +9,8 @@
   "author": "SCANOSS",
   "version": {
     "Major": 1,
-    "Minor": 3,
-    "Patch": 1
+    "Minor": 4,
+    "Patch": 0
   },
   "instanceNameFormat": "SCANOSS Code Scan",
   "inputs": [
@@ -205,6 +205,14 @@
       "defaultValue": false,
       "required": false,
       "helpMarkDown": "Enable runtime container debugging"
+    },
+    {
+      "name": "adoPat",
+      "type": "string",
+      "label": "ADO Personal Access token",
+      "defaultValue": "",
+      "required": false,
+      "helpMarkDown": "ADO Personal Access token"
     }
   ],
   "execution": {

vss-extension-dev.json

@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "scanoss-code-scan-dev",
   "name": "SCANOSS Code Scan DEV",
-  "version": "1.3.1",
+  "version": "0.21.68",
   "publisher": "SCANOSS",
   "public": false,
   "targets": [

vss-extension.json

@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "scanoss-code-scan",
   "name": "SCANOSS Code Scan",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "publisher": "SCANOSS",
   "public": true,
   "targets": [