Wednesday, February 22, 2023

Scan Code in Azure DevOps Build Pipelines Using Microsoft Security DevOps

Static code analysis is a way to find and fix security vulnerabilities in source code without running the software. This blog explains how to integrate Microsoft Security DevOps into a build pipeline; the task installs and configures static code analysis tools and runs them against your source code.

Prerequisites:

  • An Azure DevOps build pipeline
  • A build agent with .NET 6 (for the MicrosoftSecurityDevOps build task) and .NET 3.1 (for the CredScan analyzer) installed.

Go to the Azure DevOps marketplace and install the following extensions.

  • Microsoft Security DevOps
  • SARIF SAST Scans Tab - This adds a new tab to the build result page to display scan results.


Once the above extensions are installed, go to the Azure DevOps build pipeline and add the Microsoft Security DevOps task. Run the pipeline to get scan results.

Once the build pipeline run has completed, go to the Scans tab to view the scan results. You can also see the results in the build log.


You will see scan results from several tools, such as ESLint, Terrascan, and others.
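As an added example (not from the original post), here is a minimal azure-pipelines.yml that wires the task described above into a YAML pipeline. The task name MicrosoftSecurityDevOps@1 is the one registered by the marketplace extension; the UseDotNet steps satisfy the .NET 6 / .NET 3.1 prerequisites, and the input names (break, publish, artifactName, categories) are assumed from the extension's documentation rather than taken from this post.

```yaml
# Added example pipeline, not part of the original post.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Prerequisites from the post: .NET 6 for the task itself,
  # .NET 3.1 for the CredScan analyzer.
  - task: UseDotNet@2
    displayName: 'Install .NET 6'
    inputs:
      version: '6.x'
  - task: UseDotNet@2
    displayName: 'Install .NET 3.1 (CredScan)'
    inputs:
      version: '3.1.x'

  # The Microsoft Security DevOps task installs and runs the analyzers.
  # Inputs below are assumed from the extension docs, not this post.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      # Fail the build when any analyzer reports a finding.
      break: true
      # Publish SARIF output as a build artifact so the
      # SARIF SAST Scans Tab extension can render it.
      publish: true
      artifactName: 'CodeAnalysisLogs'
      # Which analyzer categories to run (assumed input name).
      categories: 'secrets,code,IaC'
```

Set break to false while first triaging findings so the pipeline keeps producing SARIF artifacts without blocking every build; turn it back on once the baseline is clean.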
