Azure DevOps
Scanning steps can be added to your Azure DevOps pipelines by installing the BoostSecurity extension.
To do so:
- Navigate to the Marketplace App.
- Click Get it free.
- Select your organization and click Install.
Additionally, the Boost API Token needs to be made available in your pipeline Variables. If you do not already have an API token, you can create one on the dashboard Settings page.
Once everything is ready, a scanning step can be added, for example:
```yaml
- stage: Run Security Scanners
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
  jobs:
    - job:
      steps:
        - task: BoostSecurityScan@1
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/semgrep
```
BoostSecurityScan is the BoostSecurity pipeline task that runs scanners and uploads their results to the BoostSecurity service.
The input apiToken configures the API key used to authenticate the scanner.
The input registryModule specifies the scanner module to use. The example above configures the Semgrep scanner with the id boostsecurityio/semgrep.
Azure DevOps for Source Scanning
This configuration is appropriate for scanner modules for SAST scanning or SBOM inventory from source code.
Note: Even if the pipeline is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect component inventory on pull requests.
```yaml
- stage: Run Security Scanners
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
    - name: isMainBranch
      value: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')]
  jobs:
    - job:
      steps:
        - task: BoostSecurityScan@1
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/semgrep
        - task: BoostSecurityScan@1
          condition: eq(variables.isMainBranch, 'true')
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/trivy-sbom
```
Azure DevOps for scanning generated artifacts
This configuration is appropriate for scanner modules that scan artifacts generated by the build process. For example, scanner modules that generate an SBOM from a container image, or scan a container image for vulnerabilities, need that image to be built first.
Add the BoostSecurity scanner module-related stanza to your build pipeline, for example:
```yaml
- stage: Build Step
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
  jobs:
    - job:
      steps:
        - task: Bash@3
          displayName: Build Image
          inputs:
            targetType: "inline"
            script: |
              docker build . -t acme-analytics
        - task: BoostSecurityScan@1
          env:
            BOOST_IMAGE_NAME: acme-analytics # set image name to scan
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/trivy-image
```
In the example above, the container image name set in the environment variable BOOST_IMAGE_NAME is static. If the image name needs to be generated dynamically, a step can be inserted before the scan step to set the variable. That is, replace:
```yaml
steps:
  - task: Bash@3
    displayName: Build Image
    inputs:
      targetType: "inline"
      script: |
        docker build . -t acme-analytics
  - task: BoostSecurityScan@1
    env:
      BOOST_IMAGE_NAME: acme-analytics # set image name to scan
    inputs:
      apiToken: $(boostApiToken)
      registryModule: boostsecurityio/trivy-image
```
with:
```yaml
steps:
  - task: Bash@3
    displayName: Build Image
    inputs:
      targetType: "inline"
      script: |
        docker build . -t acme-analytics
        echo "##vso[task.setvariable variable=BOOST_IMAGE_NAME]my_image_name_and_tag"
  - task: BoostSecurityScan@1
    inputs:
      apiToken: $(boostApiToken)
      registryModule: boostsecurityio/trivy-image
```
Note: The task.setvariable logging command sets the variable for the following steps, so the env key is removed from the BoostSecurityScan step.
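As an added example (not part of the BoostSecurity documentation or extension), the script below is what the Bash@3 step's inline script could look like when the image name is derived from the commit being built rather than hard-coded: it tags the image with the short commit SHA and emits the task.setvariable logging command that the BoostSecurityScan step picks up as BOOST_IMAGE_NAME. The acme-analytics repository name is assumed, as is reading the commit from BUILD_SOURCEVERSION (the environment form of the predefined Build.SourceVersion variable) and detecting the agent through TF_BUILD.

```shell
#!/usr/bin/env sh
# Added example: tag the image with the commit SHA so that the scan step
# scans exactly the artifact this build produced, then publish the name
# to later steps with the task.setvariable logging command.
set -eu

# Compose "<repo>:<short-sha>" from an image repository name and a commit SHA.
# Docker image names must be lowercase, so the repository name is normalised.
image_ref() {
  repo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  short=$(printf '%s' "$2" | cut -c1-12)
  printf '%s:%s' "$repo" "$short"
}

# Emit the logging command Azure Pipelines parses from stdout. Later steps in
# the job see BOOST_IMAGE_NAME as an environment variable, so the scan step no
# longer needs an env key of its own.
set_boost_image_name() {
  printf '##vso[task.setvariable variable=BOOST_IMAGE_NAME]%s\n' "$1"
}

# Build and publish the image name. BUILD_SOURCEVERSION is the environment
# form of Build.SourceVersion; failing early is better than scanning an image
# whose name was derived from an empty SHA.
main() {
  repo="acme-analytics"   # assumed image repository name
  sha="${BUILD_SOURCEVERSION:?Build.SourceVersion is not set}"
  image=$(image_ref "$repo" "$sha")
  docker build . -t "$image"
  set_boost_image_name "$image"
}

# Azure Pipelines sets TF_BUILD=True on the agent. Outside the agent only the
# functions are defined, so the script can be sourced and exercised locally.
if [ "${TF_BUILD:-}" = "True" ]; then
  main
fi
```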