Skip to main content

Build Type: Azure Pipelines

This is a SLSA Provenance buildType that describes the execution of an Azure Pipeline workflow.

This build type was inspired by the GitHub Actions build type described here.


"buildType": ""

This buildType describes the execution of an Azure Pipelines workflow that builds a software artifact.

Only the following trigger types are supported:

Supported event typeEvent description
ManualA user manually queued the build.
IndividualCICI triggered by a Git push or a TFVC check-in.
BatchedCICI triggered by a Git push or a TFVC check-in, and the Batch changes was selected.
ScheduleStarts your pipeline based on a schedule, such as a nightly build.
ResourceTriggerThe build was triggered by a resource trigger or it was triggered by another build.

A list of all event type values can be found on the variables page under the Build.Reason variable.

Build Definition

External parameters

All external parameters are REQUIRED unless empty.

workflowobjectThe workflow that was run
workflow.namestringThe pipeline name for the workflow
workflow.repositorystringURI of the git repository
workflow.refstringA git reference to the commit
workflow.filePathstringPath to the workflow YAML file
jobobjectThe job definition for the build
job.jobNamestringThe name of the job
job.jobIdstringUUID defining job ID
buildobjectThe specific build that generated the provenance
build.buildRunstringThe build ID
build.buildRunAttemptstringNumber attempt for the specified build ID
build.buildUrlstringThe full web URL for the build


"externalParameters": {
"workflow": {
"name": "Azure Test Pipeline",
"repository": "",
"ref": "refs/pull/582/merge",
"filePath": "azure-pipelines.yml"
"job": {
"jobName": "Build Job",
"jobId": "5b694ae9-86cc-5057-d72a-30cde2f12d73"
"build": {
"buildRun": "836",
"buildRunAttempt": "1",
"buildUrl": ""

Internal parameters

All internal parameters are OPTIONAL.

This build type doesn't use internal parameters.

Resolved dependencies

The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.


"resolvedDependencies": [
"uri": "git+",
"digest": {
"gitCommit": "bc93e6f8e6721d802678219af080a8559bc058b0"

Run details


The MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In practice, this is the workflow reference such as <server_url> + <job_workflow_ref>.


"builder": {
"id": ""


The invocationId SHOULD be set to <server_url> + "/azure/runs/" + <azure.run_id> + "/attempts/" + <azure.run_attempt>. The startedOn MAY contain the time when the build started.


"metadata": {
"invocationID": "",
"startedOn": "2023-07-10T14:07:36Z"