Azure DevOps

Azure DevOps Integration

App Registration

Before starting the integration, ensure you are logged in to the Azure website.

Click on Cloud Shell in the navbar and type az login in the terminal. If you are new to Azure, a popup may prompt you to select an environment; choose Bash.

New user

You will then be prompted to select a subscription. Choose Mount storage account if you wish to store data; otherwise, proceed with No storage account required.

New user subscription

After entering the az login command, you will see output like the following; follow the steps it describes.

Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code E******S to authenticate.

Open https://microsoft.com/devicelogin and enter the code displayed in Cloud Shell to complete the login.

After the validation completes, the tenant-specific details are displayed.

Download the flyingduck-azure-integration setup script in the Azure terminal using the following command.

wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/setup.sh

Run the script using the command

sh setup.sh --enable devops
  • The FlyingDuck app will be downloaded into your Azure account.
  • You will be asked whether to create an app registration (yes or no).
  • If you answer yes, enter a name such as example-name for the app registration; the app will be created with that name.

A custom role, FlyingDuckAzureDeveopsRole, will be created and assigned to the app registration by its application ID. You will get details like:

  • Application Name: [app name]
  • Application ID (Client ID): [some Id]
  • Tenant ID: [some Id]
  • Client Secret: [some Id]
  • Subscription id: [some Id]

App Permissions

Log in to your Azure DevOps and go to Organization settings.

Organization settings

After opening the organization settings, click on Users.

Users

In the Users tab click on Add User.

Add user

In the Add new users section, enter the name example-name that you provided during app registration in the Azure terminal. Select all the options as shown in the image below, under Add to projects select the projects you want to integrate, and then click Add.

Add App

Note: Ensure that all the necessary projects are selected for the user; otherwise, the desired outcome won't be achieved.

If a project was created after the user was set up, you can still assign it to that user: click the three dots and choose Manage Access.

Edit User

The Projects section lists all projects in the organization; select the necessary ones.

Manage Access

Click on Save.

Events Configuration

To capture continuous events from Azure DevOps, two steps are required.

Click on Cloud Shell to open the Azure terminal.

Function App

In the terminal run the below commands.

wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/fd-azure-function-app.sh
chmod +x fd-azure-function-app.sh
sh fd-azure-function-app.sh

After running this command, you will be prompted for the following details.

  • Enter Resource Group name [FlyingDuckRG]:
  • Enter Location [eastus]:
  • Enter Storage Account name [flyingduckstorage827]:
  • Enter Storage Queue name [flyingduckqueue]:
  • Enter Function App name [flyingduckfunction22631]:

If no input is provided for the above details, the default values will be used. Then enter the FlyingDuck API Key.

  • Enter FlyingDuck API Key []:

The message "Azure Function App created successfully!" will be displayed after completing the function app step.

Service Hooks

To automatically configure service hooks, a personal access token (PAT) must be entered during the process.

wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/fd-azure-service-hooks.sh
chmod +x fd-azure-service-hooks.sh
sh fd-azure-service-hooks.sh

After entering the sh fd-azure-service-hooks.sh command, you will be prompted for the following details:

  • Enter your Azure DevOps organization names (comma-separated if multiple):
  • Enter your Azure DevOps project names (comma-separated if multiple; leave blank for all projects):
  • Enter your Azure DevOps Personal Access Token:

Install App

After completing all the required steps, go to the FlyingDuck portal and open the Integrations page.

On the Integrations page, click on Azure DevOps to start integration.

Integrations home

After completing the App Registration and App Permissions steps, select the checkbox confirming that you have completed the required steps and click the Continue button.

click Continue

Enter the specified details: Client ID, Tenant ID, Client secret, and Organization Name (the name of your Azure DevOps organization), then click the Continue button.

click Continue

Active Branches

Under active branches, specify the branch name as shown in the image.

Integration successful

By clicking on the Save & Continue button, the branch name that you gave will be saved.

Integration successful

API Key

If you have created an API Key previously, you can click Skip; otherwise, create a new API Key.

Provide a name for the API Key you are about to create and click Generate API key.

Integration successful

A new API Key will be generated and shown only once, so store it securely.

Integration successful

Clicking Next step takes you to the Code Scan section.

Code Scan

The code scan can be done in two ways:

  • Workflows
  • On-premise runner

Azure DevOps code scan

Azure DevOps workflow

Select Azure DevOps workflow to configure DuckDefender in Azure DevOps by adding the yml file, which you download from the FlyingDuck portal, so that libraries and secrets information is reported.

Azure Devops code scan

After selecting Azure DevOps workflow, click Download. This downloads the azure-pipelines.yml file, which is configured to perform SBOM and SCA. In the YAML file, under branches -> include, add the names of the branches commonly used for development in your environment; these are the branches for which the code scan will run.

Add the azure-pipelines.yml file in the root directory of the repository.

SBOM and SCA in pipelines

This azure-pipelines.yml file runs the scan for SBOM, SCA and secrets only.

azure-pipelines.yml
# Branches whose commits trigger the scan; add your development branches here.
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release

pool:
  vmImage: 'ubuntu-latest'

variables:
  imageName: flyingduckio/duckdefender:latest

steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'

  # FD_API_KEY is read from the secret pipeline variable, never written into this file.
  - script: |
      docker run \
      -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
      -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
      -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
      -e FD_API_KEY=$(FD_API_KEY) \
      -v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
    displayName: 'Run Duckdefender Container'

SBOM, SCA and SAST in Pipelines

To run scans for SBOM, SCA, and SAST, change the run step in azure-pipelines.yml so that the container is started with the --entrypoint command shown on the last line of the docker run step below.

azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
      
pool:
  vmImage: 'ubuntu-latest'
 
variables:
  imageName: flyingduckio/duckdefender:latest
 
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
 
  - script: |
      docker run \
      -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
      -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
      -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
      -e FD_API_KEY=$(FD_API_KEY) \
      -v $(Build.SourcesDirectory):/src  \
      --entrypoint /bin/sh ${{ variables.imageName }} -c "duckdefender code --all"
    displayName: 'Run Duckdefender Container'

Note: Due to insufficient resources in the default pipelines, the SAST scan might not run. In such cases, configure an agent pool (self-hosted build agent). For more information, refer to the Self-hosted Build agent documentation.

If the agent pool is configured, update the pool name in the azure-pipelines.yml file.

From:

pool:
  vmImage: 'ubuntu-latest'

To:

pool:
  name: configuredPoolName

Add API Key and pipeline to the Repository

Navigate to Azure DevOps pipelines (Azure DevOps -> Projects -> Pipelines) and click New pipeline.


azure agent

You have to complete four stages. Under the Connect tab, select Azure Repos Git.


azure agent

Select your repo.


azure agent

Under Configure, click Existing Azure Pipelines YAML file if you added azure-pipelines.yml to the root directory of the repository. Otherwise, click Starter pipeline and add the azure-pipelines.yml snippet.


azure agent

Enter your branch name, select the file name and click Continue.


azure agent

You will see the file that you selected; click Variables.


azure agent

Click the New variable button.


azure agent

Provide the variable name FD_API_KEY and paste the API key value. Make sure to select Keep this value secret, then click OK.


azure agent


Click the Save button.

azure agent


Click the Run button.

azure agent


A new job will run in Pipelines.

azure agent

After adding the file, commit it. If the branch you committed to is included in the trigger list of the file, the respective data, such as libraries and secrets, will be sent to the FlyingDuck portal.

Custom Branch

If you want to commit to a custom branch like feature/* or bug/* and check the findings for that branch, include that branch pattern under branches in the azure-pipelines.yml file.

azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
      - feature/*
      - bug/*
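As an added example (not part of the FlyingDuck docs or the DuckDefender tool), the following Python script checks two things about an azure-pipelines.yml before you commit it: whether a given $(Build.SourceBranch) matches the trigger include list, so the scan will actually run for a custom branch, and whether FD_API_KEY is wired to the secret pipeline variable rather than a literal key. The sample pipeline text is constructed, and treating `*` as any run of characters is an assumption about the trigger wildcard rules.

```python
import re

# Constructed sample: the page's trigger block with the custom branches added,
# plus the docker run step that passes the API key.
SAMPLE_PIPELINE = """\
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
      - feature/*
      - bug/*
steps:
  - script: |
      docker run \\
      -e FD_API_KEY=$(FD_API_KEY) \\
      -v $(Build.SourcesDirectory):/src flyingduckio/duckdefender:latest
"""


def included_branches(pipeline_yaml: str) -> list[str]:
    """Return the patterns under the first include: list (trigger -> branches)."""
    patterns, in_include = [], False
    for line in pipeline_yaml.splitlines():
        stripped = line.strip()
        if stripped == "include:":
            in_include = True
        elif in_include and stripped.startswith("- "):
            patterns.append(stripped[2:].strip().strip("'\""))
        elif in_include and stripped:
            break  # first non-list line closes the include block
    return patterns


def branch_triggers_scan(source_branch: str, patterns: list[str]) -> bool:
    """source_branch is $(Build.SourceBranch), e.g. refs/heads/feature/x.
    Assumption: '*' matches any run of characters, '?' exactly one."""
    name = source_branch.removeprefix("refs/heads/")
    for pat in patterns:
        regex = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, name):
            return True
    return False


def hardcoded_api_key(pipeline_yaml: str) -> bool:
    """True if FD_API_KEY is set to a literal rather than the $(FD_API_KEY) secret."""
    m = re.search(r"FD_API_KEY=(\S+)", pipeline_yaml)
    return bool(m) and m.group(1).strip("'\"") != "$(FD_API_KEY)"
```

Run the two checks against your own file before pushing: a branch that does not match means no findings will appear for it, and a literal key means the secret is now in the repository history.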

Troubleshoot

The debug option shows what is happening within a particular command. If you need to troubleshoot, add the environment variable LOG_LEVEL="debug" to the docker run step in the file.

azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
      
pool:
  vmImage: 'ubuntu-latest'
 
variables:
  imageName: flyingduckio/duckdefender:latest
 
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
 
  - script: |
      docker run \
      -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
      -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
      -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
      -e FD_API_KEY=$(FD_API_KEY) \
      -e LOG_LEVEL="debug" \
      -v $(Build.SourcesDirectory):/src  ${{ variables.imageName }}
    displayName: 'Run Duckdefender Container'

On-premise Runner

Grant Read Access to the workspace

Refer to the On-premise Runner documentation for the setup steps.

Automated Scan

After selecting the scanning option, enable the checkbox to automatically scan the code upon each commit. This functionality is available only when a runner is configured and active.

Configure button