
Azure DevOps Pipelines

Integration with Azure DevOps Pipelines

ShiftLeft Scan has a best-in-class integration for Azure Pipelines through our dedicated extension. Below are the steps for integrating with a YAML-based pipeline:

  • Install the extension to your Azure DevOps Organization. Ask your administrator for help if you do not have this permission.

  • Add the following snippet to your build configuration YAML file (usually azure-pipelines.yml).

- script: |
    docker run \
      -v "$(Build.SourcesDirectory):/app" \
      -v "$(Build.ArtifactStagingDirectory):/reports" \
      shiftleft/sast-scan scan --src /app --build \
      --out_dir /reports/CodeAnalysisLogs
  displayName: "Perform ShiftLeft Scan"
  continueOnError: "true"

- task: PublishBuildArtifacts@1
  displayName: "Publish analysis logs"
  inputs:
    PathtoPublish: "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs"
    ArtifactName: "CodeAnalysisLogs"
    publishLocation: "Container"

  • Trigger a build as normal and wait for it to complete.

  • From the Pipelines page, select the most recent run. You should see a tab called ShiftLeft Scan as shown below.

Scan Tab

  • Individual scan reports are shown as tabs, as seen below. You can click on any tab to view and audit the different reports.

Reports

  • A summary is also available in the build console logs for easy reference.

Console logs

Container jobs based pipelines

By default, jobs run on the host machine where the agent is installed. This is convenient and typically well suited to projects that are just beginning to adopt Azure Pipelines. On Linux and Windows agents, jobs may be run on the host or in a container. ShiftLeft Scan supports such container-job-based pipelines. Use container: shiftleft/sast-scan:latest as shown.

pool:
  vmImage: "ubuntu-latest"
container: shiftleft/sast-scan:latest
steps:
  # This integrates ShiftLeft Scan with automatic build
  - script: scan --build --out_dir $(Build.ArtifactStagingDirectory)/CodeAnalysisLogs
    env:
      WORKSPACE: https://github.com/prabhu/HelloShiftLeft/blob/$(Build.SourceVersion)
      GITHUB_TOKEN: $(GITHUB_TOKEN)
    displayName: "Perform ShiftLeft scan"
    continueOnError: "true"

  # To integrate with the ShiftLeft Scan Extension it is necessary to publish the CodeAnalysisLogs folder
  # as an artifact with the same name
  - task: PublishBuildArtifacts@1
    displayName: "Publish analysis logs"
    inputs:
      PathtoPublish: "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs"
      ArtifactName: "CodeAnalysisLogs"
      publishLocation: "Container"

Further, adding the --build argument to the scan command lets supported projects (java, csharp, go or node.js) be built on the fly, which speeds up the analysis. Please use container-job-based pipelines if your organization supports them.

Advanced configuration

You can improve the quality of the dependency scan (--type depscan) by passing a GITHUB_TOKEN as an environment variable. This token should have the following scopes:

  • read:packages

- script: |
    docker run \
      -e "GITHUB_TOKEN=$(GITHUB_TOKEN)" \
      -v "$(Build.SourcesDirectory):/app" \
      -v "$(Build.ArtifactStagingDirectory):/reports" \
      shiftleft/sast-scan scan --src /app \
      --out_dir /reports/CodeAnalysisLogs
  displayName: "Perform ShiftLeft Scan"
  continueOnError: "true"

Refer to this configuration as an example.
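The helper below ties the script step from the first section to the GITHUB_TOKEN note above. It is added here as an example, not code from ShiftLeft Scan or its extension, and it assumes the same docker image, mount paths and CodeAnalysisLogs output directory as the snippets on this page. Because the step runs with continueOnError, it verifies that reports were actually written before PublishBuildArtifacts runs, and warns (without echoing the secret) when GITHUB_TOKEN is not mapped into the step.

```shell
#!/usr/bin/env sh
# Added helper for the "Perform ShiftLeft Scan" script step (not part of the
# ShiftLeft Scan project). It runs the documented docker command and then checks
# that the CodeAnalysisLogs directory the extension reads was really produced,
# because continueOnError: "true" would otherwise let an empty publish slip by.
set -u

# Emit an Azure Pipelines warning in the build console without failing the step.
ado_warn() { printf '##vso[task.logissue type=warning]%s\n' "$1"; }

# Return 0 if GITHUB_TOKEN is mapped into the step (secret variables only reach
# scripts when mapped via env:, as in the page's YAML). Never prints the value.
check_github_token() {
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    ado_warn "GITHUB_TOKEN not set; dependency scan (--type depscan) will be limited"
    return 1
  fi
  return 0
}

# Return 0 if OUT_DIR exists and holds at least one report file, 1 otherwise.
check_reports() {
  out_dir="$1"
  if [ ! -d "$out_dir" ]; then
    ado_warn "report directory $out_dir is missing; nothing to publish"
    return 1
  fi
  if [ -z "$(find "$out_dir" -type f | head -n 1)" ]; then
    ado_warn "report directory $out_dir is empty; the scan produced no reports"
    return 1
  fi
  return 0
}

# Run the scan as the page documents, then verify the output. The two arguments
# are the host paths mounted into the container ($(Build.SourcesDirectory) and
# $(Build.ArtifactStagingDirectory) in the pipeline).
run_scan() {
  src_dir="$1"; report_dir="$2"
  mkdir -p "$report_dir"
  docker run \
    -e "GITHUB_TOKEN=${GITHUB_TOKEN:-}" \
    -v "$src_dir:/app" \
    -v "$report_dir:/reports" \
    shiftleft/sast-scan scan --src /app --build \
    --out_dir /reports/CodeAnalysisLogs || true   # mirrors continueOnError: "true"
  check_reports "$report_dir/CodeAnalysisLogs"
}
```

In the pipeline, source this file from the script step and call run_scan "$(Build.SourcesDirectory)" "$(Build.ArtifactStagingDirectory)" in place of the bare docker command; a non-zero return surfaces as a warning in the run even though the step continues.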


Last update: July 3, 2020