GitHub Advanced Security for Azure DevOps brings the secret scanning, dependency scanning and CodeQL code scanning solutions already available for GitHub users and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines.
Pre-requisites:
- Azure DevOps account
- Enable GitHub advanced Security billing in ADO
- Application code, I am using Java project to scan
How to Set up dependency scanning?
Dependency scanning is a pipeline-based scanning tool. Results are aggregated per repository. It's recommended that you add the dependency scanning task to all the pipelines you'd like to be scanned.
Add the task Advanced Security Dependency Scanning task (AdvancedSecurity-Dependency-Scanning@1) directly to your YAML pipeline file or select the Advanced Security Dependency Scanning task from the task assistant.
How to Set up code scanning
Code scanning is also a pipeline-based scanning tool where results are aggregated per repository.
Add the tasks in the following order:
- Advanced Security Initialize CodeQL (AdvancedSecurity-Codeql-Init@1)
- Your custom build steps
- Advanced Security Perform CodeQL Analysis (AdvancedSecurity-Codeql-Analyze@1)
Pipeline YAML Code for scanning Java code using GitHub Advanced Security
trigger:
- main
resources:
- repo: self
variables:
tag: '$(Build.BuildId)'
stages:
- stage: Build
displayName: Build image
jobs:
- job: Build
displayName: Build
pool:
vmImage: ubuntu-latest
steps:
- task: AdvancedSecurity-Codeql-Init@1
inputs:
languages: 'java'
- task: Maven@4
inputs:
mavenPomFile: 'pom.xml'
goals: 'install'
publishJUnitResults: true
testResultsFiles: '**/surefire-reports/TEST-*.xml'
javaHomeOption: 'JDKVersion'
mavenVersionOption: 'Default'
mavenAuthenticateFeed: false
effectivePomSkip: false
sonarQubeRunAnalysis: false
- task: AdvancedSecurity-Dependency-Scanning@1
- task: AdvancedSecurity-Codeql-Analyze@1
Where to see the Scan resule in Azure DevOps?
No comments:
Post a Comment