An extension for Azure DevOps that contributes a build task to run the Microsoft Security DevOps CLI.
Add the MicrosoftSecurityDevOps
build task to your pipeline's yaml:
steps:
- task: MicrosoftSecurityDevOps@1
Name | Language | License |
---|---|---|
AntiMalware | code, artifacts | - |
Bandit | python | Apache License 2.0 |
BinSkim | binary - Windows, ELF | MIT License |
ESlint | JavaScript | MIT License |
IaCFileScanner | Terraform, CloudFormation, ARM Template, Bicep | - |
Template Analyzer | Infrastructure-as-code (IaC), ARM templates, Bicep files | MIT License |
Terrascan | Infrastructure-as-Code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
Trivy | Container Images, Infrastructure as Code (Iac) | Apache License 2.0 |
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Make sure to have a supported version of node and npm installed in your system. After cloning the repo, you can install all dependencies by running this command.
npm install
Note: If you run into 401 - Unauthorized
error, then you will need to login to the https://npm.pkg.github.com/
by running this command -
npm login --registry=https://npm.pkg.github.com
More info here.
All other commands are specified in the package.json
file.
"scripts": {
"build": "dotnet build ./build.proj",
"compile": "dotnet build ./build.proj /t:Compile",
"compile-tests": "dotnet build ./build.proj /t:CopyTestHelpers",
"compile-and-test": "dotnet build ./build.proj /t:Test /p:RunTests=true",
"test": "npx mocha **/*.tests.js"
}
You can execute them by using npm run
commands.
For example: npm run build
will execute the dotnet build ./build.proj
command and generate a vsix file with your changes for testing.
To test the extension after making changes in an ADO pipeline run -
1) Make the changes and compile the code. If no errors, a vsix file will be generated. Eg:
PS C:\Users\larohra\source\repos\security-devops-azdevops> npm run build
> microsoft-security-devops-azdevops@1.11.1 build
> dotnet build ./build.proj
MSBuild version 17.9.6+a4ecab324 for .NET
...
=== Completed operation: create extension ===
- VSIX: C:\Users\larohra\source\repos\security-devops-azdevops\bin\debug\microsoft-security-devops-azdevops-debug.1.11.0.2.vsix
- Extension ID: microsoft-security-devops-azdevops-larohra
- Extension Version: 1.11.0.2
- Publisher: ms-secdevops-test
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:12.94
2) Publish the vsix in your marketplace account (Create a new publisher account if you dont have one) - https://marketplace.visualstudio.com/manage/
3) Share the debug extension with your organization - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#share-your-extension
4) Install the extension in your org - https://learn.microsoft.com/en-us/azure/devops/extend/publish/overview?view=azure-devops#install-your-extension
5) Add it to the pipeline run and run the build. Sample:
- task: MicrosoftSecurityDevOps@1
displayName: 'Test Container Mapping End'
timeoutInMinutes: 2
condition: always()
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.