Building Pipelines
- Step Modules
- Pipelines Can Be Steps Too
- Using Dynamic Values in Steps
- Pipeline Variables
- Accessing Variables From Steps
- Passing Data Between Steps
- Accessing Credentials
- Run Steps Conditionally
- Ignoring Step Errors
- Step
each
Loops - Restoring Previous Revisions
- Installing Tools for Step Modules
Step Modules
Sophos Factory provides a drag-and-drop pipeline builder that accelerates the process of creating pipelines.
The action performed at each step of a pipeline is determined by a step module. You can browse or search for step modules in the left sidebar of the pipeline builder. Drag them into the design area to add steps to a pipeline.
For a guided tutorial, see Your First Pipeline.

Each step module has its own settings and properties. To see and edit these fields, drag a step into the design area and then select it.

For a full list of step modules and their properties, see the step module reference.
Pipelines Can Be Steps Too
In addition to the built-in step modules, a pipeline can include another pipeline as one of its steps. For each included pipeline, a new scope is created. The variables from the inner pipeline are exposed to the outer pipeline as step properties, which facilitates passing data from one pipeline to the next.
Reusable component pipelines are a powerful tool for creating pipelines that act as reusable modules.
Using Dynamic Values in Steps
Step properties and some fields can contain expressions. Expressions can be used to compute values dynamically at runtime, as well as read and transform data from previous steps.
In the pipeline builder, fields that support expressions have an toggle button on the right side of the field. Toggling to expression mode switches the input to a code editor where an expression can be entered directly.

For more information about expressions, see the expression reference.
Pipeline Variables
Pipeline variables are inputs that the pipeline receives at runtime.
To add an input variable to a pipeline, open the pipeline builder and select Variables at the top right. Click the Add Variable button.

The variable type, a display name, and a unique key must be specified.
The description of the variable will be displayed to your pipeline’s users in two places:
- In the Run Pipeline form, where users may edit the variable value.
- In the Create Job form, when creating a job for the pipeline.
Pipeline variables may be marked as required, which means that a value must be supplied when running the pipeline.
Pipeline variables may also be marked as hidden, which has two effects:
- The variables are not displayed as form fields in run dialogs. Users running your pipeline will not see these variables.
- When a run is created from Sophos Factory or via the API, hidden variable values are merged into the final variables for the run.
This allows you to provide default values for variables that don’t need to be provided when the pipline is run.
Accessing Variables From Steps
To access a variable from an expression, assuming the variable key is my_var
, use vars.my_var
.
The vars.<var key>
syntax is available from any expression, and contains all variables available in the current scope. For more about variables and scopes, read Core Concepts: Variables.
You cannot access parent variables directly from an included pipeline. Instead, you must define input variables for the child pipeline, and pass values through from the parent pipeline’s step properties.
Passing Data Between Steps
Expressions evaluating within step properties have access to all other steps in the pipeline. To get another step, use steps.<step id>
. This expression evaluates to an object.
All steps have a common set of fields, such as name
, tags
, and properties
. The properties
fields differs for each step module. Properties fields for each step module can be seen in the Step Module Reference.
For example, to retrieve the method of an HTTP Request step module with the ID http
, we can use the this expression:
steps.http.properties.method
After a step executes, it has an additional result
field that contains data about the execution result. The fields available on the result
object differ for each step module, however, all step modules will have a status
field that indicates whether the step execution succeeded or failed.
For example, the following expression evaluates to true
if the step with ID http
succeeded:
steps.http.result.status == 'Succeeded'
Reusable component pipeline steps have one additional field on their result
object containing the evaluated outputs of the pipeline. For example, to retrieve an output with key ipaddress
on an included pipeline step with the ID my_include
, use expression:
steps.my_include.result.outputs.ipaddress
Accessing Credentials
Credentials can be retrieved dynamically by expressions. This is useful in certain cases, for example, when using the HTTP Request module with custom Authorization token headers.
To get credential data, pass the credential ID to the credential()
helper function, like this:
credential('my_cred_id')
This expression evaluates to an object containing one or more data fields associated with the credential type. For example, to retrieve the password field of a Username/Password type of credential, use the following expression:
credential('my_cred_id').password
Because credentials are also a built-in variable type, it’s common to create a top-level variable in a pipeline and then pull the credential data out from an expression, which would look like this:
credential(vars.my_cred_var).password
Run Steps Conditionally
All steps have a condition
field which must be an expression. If this field evaluates to false
, then the step will be skipped.
Step conditions combined with reusable component pipelines can be very powerful for advanced pipeline control flow. When an included pipeline step is skipped, all steps within that pipeline are also skipped.
After a step executes, a result
field is added. This contains data about the execution result. Using the result
field, subsequent steps can be conditionally run based on whether the step succeeded or failed. Other result fields are also available, such as the stdout
and stderr
of script steps.
Ignoring Step Errors
Errors in step execution can be ignored by setting the ignore_errors
field to true
.
Step each
Loops
Most step modules and pipeline include steps support an each
field, which will execute the step multiple times in a “loop”. This field must be an expression that evaluates to an array. For each element of the array, the step is executed, and there will be an additional each
context variable available to step property expressions with the following structure:
{
"index": Number,
"item": Any
}
index
is a 0-indexed number specifying the current loop iteration. item
is the value of the each
array at the current index.
For example, if the each
field evaluates to an array ['a', 'b', 'c']
, then on the second iteration of the loop, the each
context variable will contain the following:
{
"index": 1,
"item": "b"
}
Step loops are executed serially. After a step with an each
field executes, it will contain an additional results
field, which is an array containing the result
object for each iteration of the step execution. The results in this array will be in the same order as the each
array. Steps with an each
loop will also have the normal result
field after execution, which will contain the result of the last iteration of the loop.
If an error occurs in any iteration of the step loop, iteration will be halted. Pipeline execution may continue if the step’s ignore_errors
field is true
.
To configure a step loop from the pipeline builder, see the Advanced Settings section of any step that supports loops:

Restoring Previous Revisions
When you save a pipeline, a new revision is created. Revisions are a linear history, and each revision is given a number. The pipeline revision history allows you to go back in time and restore previous states of a pipeline, as long as the pipeline has not been deleted. The revision history is limited to the pipeline steps and does not include changes to the pipeline name or image.
To restore an old version of a pipeline, open the pipeline in the builder and click the Revisions tab in the right sidebar. Find your desired revision and open it. Then save the pipeline again, bringing that revision to the top of the history.
It’s also sometimes useful to clear a pipeline’s revision history. To do this, clone the pipeline into the same project and then delete the old pipeline.

Installing Tools for Step Modules
Many built-in step modules require an underlying tool, such as a programming language runtime or a CLI program. Supported tools can be automatically installed at a specified version during pipeline execution.
There are two ways to install a tool from a pipeline:
- Using the Tool Version field on a supported pipeline step. Using this method, the tool is only installed for the subprocess run by the step, and will not propagate to other operating system sessions.
- Using a tool installer step module. The step modules install the tool globally on the runner machine by modifying the
PATH
and environment.
Tool installations are cached on the runner for each version of the tool.