Integrating software composition analysis checks into pipelines in Azure DevOps

Integrating software composition analysis checks into pipelines in Azure DevOps

Integrating Software Composition Analysis (SCA) checks into Azure DevOps pipelines, especially for pull request validation, build and release definitions, is essential for ensuring the security and compliance of your software, especially with open-source dependencies. To achieve this, you can integrate several SCA tools like Mend, Checkmarx, Veracode, and Black Duck by Synopsys into your Azure DevOps pipelines.

In this guide, I'll explain how to integrate these SCA tools for pull request validation, build and release definitions using Azure DevOps pipelines. These tools can be installed via Azure Marketplace extensions or via custom script-based installations.

1. Overview of Integration with SCA Tools

Here are the key tasks you'll be performing for each SCA tool:

1. Install and Configure the Tool in Azure DevOps via a pipeline.

2. Configure the Pipeline for Pull Request Validation (Pre-merge SCA checks).

3. Configure SCA Scans in Build and Release Pipelines.

4. Visualize and Monitor Results.

5. Fail Pipeline for Critical Vulnerabilities (optional).

2. Choosing Your SCA Tools

Here are a few widely used SCA tools you can integrate:

1. Mend (formerly WhiteSource): Provides deep scanning for open-source vulnerabilities and license compliance.

2. Checkmarx: Primarily focuses on static application security testing (SAST) and software composition analysis.

3. Veracode: A cloud-based platform offering both SCA and SAST capabilities.

4. Black Duck by Synopsys: A popular SCA tool for managing open-source security and license risks.

Each tool has its own extension or integration method in Azure DevOps, and I'll explain the integration process for each of them.

3. Integrating SCA Tools into Azure DevOps Pipelines

3.1 Mend (formerly WhiteSource) Integration

Steps to Integrate Mend (WhiteSource) into Azure DevOps Pipelines:

1. Install the WhiteSource Bolt Extension:

• Go to the Azure DevOps Marketplace and search for WhiteSource Bolt.

• Install the extension for your Azure DevOps Organization.

2. Add WhiteSource Bolt to Your Pipeline:

Once installed, you can add WhiteSource Bolt to your pipeline YAML:

xxxxxxxxxx
13
1
trigger:
2
  branches:
3
    include:
4
      - main  # Adjust as needed
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: WhiteSourceBolt@20
9
  inputs:
10
    licenseKey: $(WHITE_SOURCE_API_KEY)  # Use pipeline variables to store keys securely
11
    projectName: '$(Build.DefinitionName)-$(Build.BuildId)'
12
    projectVersion: '$(Build.BuildId)'
13
    orgToken: $(WHITE_SOURCE_ORG_TOKEN)  # Set token as a pipeline variable

3. Configure Pull Request Validation:

To scan pull requests, use a pr trigger in your pipeline:

xxxxxxxxxx
5
1
pr:
2
  branches:
3
    include:
4
      - main
5
      - feature/

4. Set Up API Tokens:

You'll need to configure your Mend API keys in Azure DevOps pipeline environment variables (i.e., WHITE_SOURCE_API_KEY).

5. Failure on Critical Vulnerabilities:

You can configure the tool to fail the pipeline if high-severity vulnerabilities are found by adding the following in the WhiteSourceBolt task:

xxxxxxxxxx
1
1
failOnHighSeverity: true

3.2 Checkmarx Integration

Steps to Integrate Checkmarx into Azure DevOps Pipelines:

1. Install Checkmarx Extension:

• Go to the Azure DevOps Marketplace and search for Checkmarx.

• Install the Checkmarx extension into your Azure DevOps organization.

2. Configure the Checkmarx Task in Your Pipeline:

Once installed, you can use Checkmarx for SCA and SAST scans.

xxxxxxxxxx
15
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: CheckmarxCxScan@5
9
  inputs:
10
    projectName: '$(Build.DefinitionName)'
11
    team: '$(CHECKMARX_TEAM_NAME)'  # Set in Azure Pipeline variables
12
    scanType: 'SCA'
13
    sourceCodeLocation: '$(Build.SourcesDirectory)'
14
    cxServer: $(CHECKMARX_SERVER)
15
    apiKey: $(CHECKMARX_API_KEY)

3. Configure Pull Request Validation:

Enable the pull request trigger in your YAML to scan PRs for vulnerabilities.

xxxxxxxxxx
5
1
pr:
2
  branches:
3
    include:
4
      - main
5
      - feature/

4. Failure on Critical Vulnerabilities:

If you want to fail the build based on critical vulnerabilities, you can adjust the failOnCritical parameter:

xxxxxxxxxx
1
1
failOnCritical: true

3.3 Veracode Integration

Steps to Integrate Veracode into Azure DevOps Pipelines:

1. Install Veracode Extension:

• Go to the Azure DevOps Marketplace and search for Veracode.

• Install the extension into your Azure DevOps organization.

2. Configure Veracode Task in Pipeline:

Add the Veracode task to your build pipeline YAML:

xxxxxxxxxx
14
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: Veracode@1
9
  inputs:
10
    apiKeyID: $(VERACODE_API_KEY_ID)
11
    apiKeySecret: $(VERACODE_API_KEY_SECRET)
12
    scanType: 'SCA'
13
    appName: '$(Build.DefinitionName)'
14
    fileName: '$(Build.ArtifactStagingDirectory)/your-code.zip'

3. Configure Pull Request Validation:

Similar to the other tools, configure a PR validation trigger:

xxxxxxxxxx
5
1
pr:
2
  branches:
3
    include:
4
      - main
5
      - feature/

4. Failure on Critical Vulnerabilities:

If Veracode finds critical issues, you can configure the build to fail automatically:

xxxxxxxxxx
1
1
failBuildOnCritical: true

3.4 Black Duck by Synopsys Integration

Steps to Integrate Black Duck by Synopsys into Azure DevOps Pipelines:

1. Install Black Duck Extension:

• Go to the Azure DevOps Marketplace and search for Black Duck.

• Install the Black Duck extension.

2. Configure the Black Duck Task in Pipeline:

After installation, you can add Black Duck tasks for SCA scans in your pipeline YAML:

xxxxxxxxxx
13
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: BlackDuckScan@3
9
  inputs:
10
    hubUrl: $(BLACKDUCK_HUB_URL)
11
    apiKey: $(BLACKDUCK_API_KEY)
12
    projectName: '$(Build.DefinitionName)'
13
    projectVersion: '$(Build.BuildId)'

3. Configure Pull Request Validation:

Add a pull request trigger in your YAML to ensure that PRs are scanned:

xxxxxxxxxx
5
1
pr:
2
  branches:
3
    include:
4
      - main
5
      - feature/

4. Failure on Critical Vulnerabilities:

You can configure Black Duck to fail the pipeline based on severity thresholds.

xxxxxxxxxx
1
1
failOnCritical: true

4. Configuring Build and Release Pipelines for SCA Scans

In Azure DevOps, both build and release pipelines can be used to run these SCA checks.

The general steps are:

1. Build Pipeline:

Add the SCA tool scan tasks (e.g., WhiteSource, Checkmarx, Veracode, Black Duck) to your build pipeline YAML to scan for vulnerabilities and license issues in your dependencies.

2. Release Pipeline:

Similarly, you can add SCA scans in the release pipeline to scan the final artifacts or deployed code to catch any vulnerabilities introduced during the deployment process.

xxxxxxxxxx
13
1
# Sample Build Pipeline YAML with SCA Check
2
trigger:
3
  branches:
4
    include:
5
      - main
6
pool:
7
  vmImage: 'ubuntu-latest'
8
steps:
9
- task: SCA_Tool_Name@Version # Choose your tool extension
10
  inputs:
11
    projectName: '$(Build.DefinitionName)'
12
    apiKey: $(SCA_TOOL_API_KEY)
13
    failOnCritical: true

5. Visualize and Monitor Results

Once integrated, you can:

1. Monitor the Results:

After a scan, results will appear in the pipeline logs or as build artifacts.

2. Custom Dashboards:

You can use Azure DevOps dashboards to visualize SCA scan results and monitor trends in vulnerability findings over time.

Summary

Integrating Software Composition Analysis (SCA) tools like Mend, Checkmarx, Veracode, and Black Duck into Azure DevOps pipelines ensures continuous security and compliance monitoring for your open-source dependencies.

This process can be tailored to include both build and release pipelines as well as pull request validation pipelines, giving you full control over when and how vulnerabilities are detected.