Azure DevOps Integration
App Registration
Before starting the integration, ensure you are logged in to the Azure website.
Click on Cloud Shell in the navbar and type az login in the terminal. If you are new to Azure, you might see a popup prompting you to select an environment. Choose Bash.
You will then be prompted to select a subscription. Choose Mount storage account if you wish to store data; otherwise, proceed with No storage account required.
After entering the az login command, you will see the output below; follow the steps as shown.
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code E******S to authenticate.
Follow the provided link (https://microsoft.com/devicelogin) and enter the code displayed in Cloud Shell to complete the login process.
After completing the validation, you will get the details that are specific to your tenant.
Download the flyingduck-azure-integration script in the Azure terminal using the following command.
wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/setup.sh
Run the script using the command:
sh setup.sh --enable devops
- The FlyingDuck app will be downloaded into your Azure account.
- You will be asked whether to create the app registration; answer yes or no.
- If you answer yes, enter a name (for example, example-name) for the app registration; the app will be created with that name.
A custom role named FlyingDuckAzureDeveopsRole will be created and assigned to the app registration by its application ID.
You will get details like:
Application Name: [app name]
Application ID (Client ID): [some Id]
Tenant ID: [some Id]
Client Secret: [some Id]
Subscription id: [some Id]
App permissions
Log in to your Azure DevOps and go to Organisation settings.
After opening the organisation settings, click on Users.
In the Users tab, click on Add User.
In the Add new users section, enter the name example-name that you provided during app registration in the Azure terminal. Select all the options as shown in the image below; under Add to projects, select the projects you want to integrate, and then click on Add.
After completing all the required steps, go to the FlyingDuck portal and open the Integrations page.
Install App
On the Integrations page, click on Azure DevOps to start integration.
After completing the App Registration and App Permissions steps, select the checkbox confirming that you have completed the required steps and click the Continue button.
Enter the specified details: Client ID, Tenant ID, Client secret, and Organization Name (the name of your Azure DevOps organization), then click the Continue button.
Active Branches
Under Active Branches, specify the branch name as shown in the image.
Click the Save & Continue button to save the branch name you entered.
API Key
If you have created an API Key previously, you can click on Skip; otherwise, create a new API Key.
Provide a name for the API Key you are about to create and click on Generate API key.
A new API Key will be generated and shown only once, so store it securely.
Clicking on Next step will take you to the Code Scan section.
Code Scan
The code scan can be done in two ways:
- Workflows
- On-premise runner
Azure DevOps workflow
Select Azure DevOps workflow to configure DuckDefender in Azure DevOps by adding the yml file, which you download from the FlyingDuck portal, so that Libraries and Secrets information is reported.
After selecting Azure DevOps workflow, click Download. This will download the azure-pipelines.yml file, which is configured to perform SBOM and SCA.
SBOM and SCA in pipelines
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
pool:
  vmImage: 'ubuntu-latest'
variables:
  imageName: flyingduckio/duckdefender:latest
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
  - script: |
      docker run \
        -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
        -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
        -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
        -e FD_API_KEY=$(FD_API_KEY) \
        -v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
    displayName: 'Run Duckdefender Container'
SBOM, SCA and SAST in Pipelines
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
pool:
  vmImage: 'ubuntu-latest'
variables:
  imageName: flyingduckio/duckdefender:latest
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
  - script: |
      docker run \
        -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
        -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
        -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
        -e FD_API_KEY=$(FD_API_KEY) \
        -v $(Build.SourcesDirectory):/src \
        --entrypoint /bin/sh ${{ variables.imageName }} -c "duckdefender code --all"
    displayName: 'Run Duckdefender Container'
Due to insufficient resources in the default Microsoft-hosted pipelines, the SAST scan might not run. In such cases, configure an agent pool (self-hosted build agent).
For more information, refer to the Azure DevOps documentation on self-hosted build agents.
If an agent pool is configured, update the pool name in the azure-pipelines.yml file.
From:
pool:
  vmImage: 'ubuntu-latest'
To:
pool:
  name: configuredPoolName
Add API Key to the Repository
Navigate to Azure DevOps pipelines (Azure DevOps -> Projects -> Pipelines) and click on New pipeline.
You have to complete four stages. Under the Connect tab, select Azure Repos Git.
Select your repository.
Under Configure, click on Existing Azure Pipelines YAML file.
Enter your branch name, select the file name, and click on Continue.
You will see the file that you selected; click on Variables.
Click the New variable button.
Provide the API key name FD_API_KEY and paste the API key value. Make sure to select Keep this value secret, then click the OK button.
Click on the Save button.
Click on the Run button.
A new job will be run in Pipelines.
After adding the file, commit it. If the branch you committed to is included in the trigger list of the file, the respective data (libraries, secrets, and so on) will be sent to the FlyingDuck portal.
Custom Branch
If you want to commit to a custom branch such as feature/* or bug/* and check the findings for that branch, include that branch pattern in the trigger branches of the azure-pipelines.yml file.
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
      - feature/*
      - bug/*
Build Block
To block the build, add the .fd.config.yaml file to the root directory of the repository.
To block the build for secrets and SAST findings, specify the severity levels (critical, high, medium, and low) in the .fd.config.yaml file.
fail-build-on:
  sast:
    - high
Ensure the azure-pipelines.yml file passes the -e EXIT_ON_ERROR=true variable to the container so that the build is blocked if any issues are encountered.
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
pool:
  vmImage: 'ubuntu-latest'
variables:
  imageName: flyingduckio/duckdefender:latest
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
  - script: |
      docker run \
        -e EXIT_ON_ERROR=true \
        -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
        -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
        -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
        -e FD_API_KEY=$(FD_API_KEY) \
        -v $(Build.SourcesDirectory):/src \
        --entrypoint /bin/sh ${{ variables.imageName }} -c "duckdefender code --all"
    displayName: 'Run Duckdefender Container'
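The Custom Branch and Build Block sections above both depend on details of azure-pipelines.yml that are easy to get wrong: a branch that is not matched by the trigger include list never triggers a scan, and a build-blocking policy in .fd.config.yaml has no effect unless EXIT_ON_ERROR=true is passed and the API key comes from the secret pipeline variable. The following pre-commit check is an added example, not FlyingDuck's code; it uses a minimal line scan instead of PyYAML, and the sample pipeline it inspects is constructed to mirror the page's build-block YAML.

```python
import fnmatch
import re

# Constructed sample pipeline (not the project's file), modelled on the page's build-block YAML.
SAMPLE_PIPELINE = """\
trigger:
  branches:
    include:
      - main
      - release
      - feature/*
steps:
  - script: |
      docker run \\
        -e EXIT_ON_ERROR=true \\
        -e FD_API_KEY=$(FD_API_KEY) \\
        -v $(Build.SourcesDirectory):/src flyingduckio/duckdefender:latest
"""


def included_branch_patterns(yml):
    """Collect the patterns under trigger.branches.include with a minimal line scan (no PyYAML)."""
    patterns, in_include = [], False
    for line in yml.splitlines():
        stripped = line.strip()
        if stripped.startswith("include:"):
            in_include = True
        elif in_include and stripped.startswith("- "):
            patterns.append(stripped[2:].strip())
        elif in_include and stripped:
            in_include = False  # first non-list line ends the include block
    return patterns


def branch_triggers_scan(yml, branch):
    """True if a commit on `branch` matches one of the include patterns (feature/* style globs)."""
    return any(fnmatch.fnmatchcase(branch, p) for p in included_branch_patterns(yml))


def build_block_issues(yml):
    """Return misconfigurations that stop findings from blocking the build or expose the API key."""
    issues = []
    if not re.search(r"-e\s+EXIT_ON_ERROR=true\b", yml):
        issues.append("EXIT_ON_ERROR=true is not passed: findings will not fail the build")
    key = re.search(r"FD_API_KEY=(\S+)", yml)
    if key and key.group(1) != "$(FD_API_KEY)":
        issues.append("FD_API_KEY is hard-coded: move it to a secret pipeline variable")
    return issues
```

Run it against the real azure-pipelines.yml before committing; an empty list from build_block_issues and a True from branch_triggers_scan for your working branch means the scan will run and can block the build.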
Troubleshoot
The debug option is used to understand what is happening within a particular command. If you need to troubleshoot, pass LOG_LEVEL="debug" to the container in the file.
trigger:
  branches:
    include:
      - main
      - master
      - develop
      - release
pool:
  vmImage: 'ubuntu-latest'
variables:
  imageName: flyingduckio/duckdefender:latest
steps:
  - script: |
      docker pull ${{ variables.imageName }}
    displayName: 'Pull Duckdefender Docker Image'
  - script: |
      docker run \
        -e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
        -e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
        -e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
        -e FD_API_KEY=$(FD_API_KEY) \
        -e LOG_LEVEL="debug" \
        -v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
    displayName: 'Run Duckdefender Container'
On-premise Runner
For on-premise runner setup, refer to the On-premise Runner page.