Security hotspot on azure-pipelines.yml (azurepipelines:S7637)

milbrandt · April 8, 2026, 1:34pm

ALM Azure DevOps Services
CI system used: Azure DevOps Pipelines
Scanner command used when applicable (private details masked) SonarCloudPrepare@4.2.0
Languages of the repository
Error observed (wrap logs/code around with triple quotes ``` for proper formatting)
For SonarCloudPrepare and VisualStudioTestPlatformInstaller a specific version is demanded. You don’t trust your own pipeline task
Steps to reproduce
In the pipeline, following tasks are marked as Securtity Hotspots

    - task: SonarCloudPrepare@4
      # Use complete version number for the task instead of "4".
       displayName: 'Prepare the SonarQube Cloud analysis'
             condition: ne(variables['Build.Reason'], 'Schedule')
             inputs:
               SonarCloud: $(SonarQubeServiceConnection)
               organization: $(SonarQubeOrganization)

    - task: VisualStudioTestPlatformInstaller@1
      # Use complete version number for the task instead of "1".
            inputs:
              packageFeedSelector: 'nugetOrg'
              versionSelector: 'specificVersion'
              testPlatformVersion: '17.9.0'

Topic		Replies	Views
Azure Devops - SonarCloudPrepare@3 Node version (16) EOL SonarQube Cloud	27	2865	August 7, 2025
SonarQube task causes vs test platform installer task Azure Pipeline to fail SonarQube Server / Community Build scanner , dotnet , pipeline , azuredevops	5	1414	March 25, 2022
How to update Azure Pipeline for Sonar scanner to use Java 17 SonarQube Cloud java , scanner , bump	31	2002	March 4, 2024
SonarCloud* version 3 does not work in Azure DevOps Pipelines (YAML) SonarQube Cloud azuredevops , sonarqube-cloud	5	708	February 7, 2025
Using SonarCloudAnalyze@2 instead SonarCloudAnalyze@1 SonarQube Cloud	6	1035	August 29, 2024

Security hotspot on azure-pipelines.yml (azurepipelines:S7637)

Related topics