feat(azure_pipelines): allow custom file names via CHECKOV_AZURE_PIPELINES_FILE_NAMES (#7525)

[ChrisJr404]

Closes #7525.

Why

The Azure Pipelines runner currently only recognizes the canonical names `azure-pipelines.yml` / `azure-pipelines.yaml`. Teams in the field (and the issue reporter @julianterenol) keep their pipelines under custom names — `ci.yml`, `pr-pipeline.yaml`, `/pipelines/`, `.azuredevops/` — and there's no way to make the runner scan them. Forcing `--framework azure_pipelines` doesn't help because `is_workflow_file()` rejects the file before the runner even reads it.

What

New opt-in environment variable:

CHECKOV_AZURE_PIPELINES_FILE_NAMES="pr-pipeline.yaml,ci.yml"

(Comma- or whitespace-separated. With or without leading dot.)

When the variable is set, those suffixes are appended to the default set in Runner.is_workflow_file(). Unset (the default) preserves today's behavior exactly.

DEFAULT_AZURE_PIPELINES_FILE_NAMES = (
    'azure-pipelines.yml',
    'azure-pipelines.yaml',
)

def _extra_pipelines_file_names() -> tuple[str, ...]:
    raw = os.environ.get('CHECKOV_AZURE_PIPELINES_FILE_NAMES')
    if not raw:
        return ()
    return tuple(part.strip() for part in re.split(r'[,\\s]+', raw) if part.strip())

# in Runner:
@staticmethod
def is_workflow_file(file_path: str) -> bool:
    suffixes = DEFAULT_AZURE_PIPELINES_FILE_NAMES + _extra_pipelines_file_names()
    return file_path.endswith(suffixes)

Tests

7 new unit tests in `tests/azure_pipelines/test_is_workflow_file.py` covering: defaults still recognised; unrelated YAMLs still rejected; comma separator; whitespace separator; empty env var; env var with only separators; env var doesn't leak across unset.

Existing test suite (`tests/azure_pipelines/`) — 17 tests — still passes:

```
$ pytest tests/azure_pipelines/ -v
======================== 17 passed, 6 warnings in 2.91s ========================
```

(My 7 new ones are inside that 17 total — the suite previously had 10.)

End-to-end

```
$ cat /tmp/checkov-e2e/pr-pipeline.yaml
trigger:

• master
  jobs:
• job: BadJob
  pool:
  vmImage: 'ubuntu-18.04'
  container: 'ubuntu:latest'
  steps:
  • script: printenv

Without the env var: 0 findings (file silently skipped)

$ checkov --file /tmp/checkov-e2e/pr-pipeline.yaml --framework azure_pipelines -o json | head -3
{
"passed": 0,
"failed": 0,

With it: full Azure Pipelines scan, CKV_AZUREPIPELINES_* checks fire

$ CHECKOV_AZURE_PIPELINES_FILE_NAMES="pr-pipeline.yaml" checkov --file /tmp/checkov-e2e/pr-pipeline.yaml --framework azure_pipelines -o json | head -10
{
"check_type": "azure_pipelines",
"results": {
"passed_checks": [...]
}
}
```

Notes

• Pure-additive: defaults unchanged, no existing config or runner contract changes.
• The env var was chosen over a CLI flag because the runner discovery path goes through `is_workflow_file()` as a static method, and a CLI flag would need to thread through `RunnerFilter` and the AzurePipelines runner constructor; an env var keeps the surface area minimal.
• Followed the suffix-matching approach already used in the existing implementation (`str.endswith(tuple)`) so user-supplied names like `pr-pipeline.yaml` match anywhere in the path.