Azure DevOps Integration
App Registration
Before starting the integration, ensure you are logged in to the Azure website.
Click on Cloud Shell (opens in a new tab) in navbar and type az login
in the terminal. If you are new to Azure, you might see a popup prompting you to select an environment. Choose Bash.
You will then be prompted to select a subscription. Choose Mount storage account if you wish to store data; otherwise, proceed with No storage account required.
After entering the az login
command, you will be able to see the below and follow the steps as shown.
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code E******S to authenticate.
Follow the provided link: https://microsoft.com/devicelogin (opens in a new tab) and enter the code displayed in Cloud Shell to complete the login process.
After completing the validation, you will get the details that are specific to tenant.
Download flyingduck-azure-integration
script on azure terminal using the following command.
wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/setup.sh
Run the script using the command
sh setup.sh --enable devops
- FlyingDuck app will be downloaded in to your azure.
- You will be asked for app registration permission either
yes
orno
. - If you pass
yes
, enter the nameexample-name
for the app registration so that app will be created with that name.
Custom role FlyingDuckAzureDeveopsRole
will be created, this role will be assigned to the app registration with the application id.
You wil get some details like :
Application Name
: [app name]Application ID (Client ID)
: [some Id]Tenant ID
: [some Id]Client Secret
: [some Id]Subscription id
: [some Id]
App Permissions
Login to your Azure DevOps and go to organisation settings.
After opening the organisation settings click on Users.
In the Users tab click on Add User.
In the Add new users section, enter the name example-name that you provided during App registration in the Azure terminal. Select all the options as shown in the image below, under Add to projects select the projects you want to integrate and then click on Add.
Note: Ensure that all the necessary projects are selected for the user; otherwise, the desired outcome won't be achieved.
If a project was created after the user was set up, you can still assign it to that user. Simply click on the three dots, choose Manage Access.
A list of all available projects in the organization will be displayed in the Projects section, select the necessary projects.
Click on Save.
Events Configuration
To capture continuous events from azure devops, need to perform two steps.
Click on Cloud Shell (opens in a new tab) to open azure terminal.
Function App
In the terminal run the below commands.
wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/fd-azure-function-app.sh
chmod +x fd-azure-function-app.sh
sh fd-azure-function-app.sh
After running this command, you will be prompted to provide certain details, as shown in the below.
- Enter Resource Group name [FlyingDuckRG]:
- Enter Location [eastus]:
- Enter Storage Account name [flyingduckstorage827]:
- Enter Storage Queue name [flyingduckqueue]:
- Enter Function App name [flyingduckfunction22631]:
If no input is provided for the above details, default values will be used and pass the FlyingDuck API Key.
- Enter FlyingDuck API Key []:
The message "Azure Function App created successfully!" will be displayed after completing the function app step.
Service Hooks
To automatically configure service hooks, a personal access token (PAT) must be entered during the process.
wget https://awosasins-artifacts.s3.amazonaws.com/flyingduck-azure-integration/fd-azure-service-hooks.sh
chmod +x fd-azure-service-hooks.sh
sh fd-azure-service-hooks.sh
After entering sh fd-azure-service-hooks.sh
command, you will be prompted to provide details
- Enter your Azure DevOps organization names (comma-separated if multiple):
- Enter your Azure DevOps project names (comma-separated if multiple; leave blank for all projects):
- Enter your Azure DevOps Personal Access Token:
Install App
After completing all the required steps, go to the FlyingDuck portal and go to integrations page.
On the Integrations page, click on Azure DevOps to start integration.
After completing the App Registration
and App Permissions
, select the checkbox that you have completed required steps and click the Continue button.
Enter the specified details: Client ID, Tenant ID, Client secret, and Organization Name (the name of your Azure DevOps organization), then click the Continue button.
Active Branches
Under active branches, specify the branch name as shown in the image.
By clicking on the Save & Continue button, the branch name that you gave will be saved.
API Key
If you've created API Key previously you can click on Skip or else you can create a new API Key.
Provide a name to your API Key that your about to create and click on Generate API key
A new API Key will be generated that will be shown once, so store it with you confidentially.
Clicking on Next step will take you to code scan section.
Code Scan
The code scan can be done in two ways
- Workflows
- On-premise runner
Azure DevOps workflow
Select Azure DevOps workflow to configure DuckDefender in Azure DevOps by adding the yml file, that you need to download from the flyingduck portal for Libraries and Secrets information.
After selecting Azure DevOps workflow, then click the Download. This will download the azure-pipelines.yml
file, which is configured to perform SBOM and SCA.
Here in the yaml file, under the "branches -> include" add names of the branches commonly utilized for development within your environment. These are the branches for which you wish to conduct code scan.
Add the azure-pipelines.yml
file in the root directory of the repository.
SBOM and SCA in pipelines
This azure-pipelines.yml
file runs the scan for SBOM, SCA and secrets only.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
displayName: 'Run Duckdefender Container'
SBOM, SCA and SAST in Pipelines
To run scans for SBOM, SCA, and SAST, add the highlighted command to the azure-pipelines.yml
file.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-v $(Build.SourcesDirectory):/src \
--entrypoint /bin/sh ${{ variables.imageName }} -c "duckdefender code --all"
displayName: 'Run Duckdefender Container'
Due to insufficient resources in the default pipelines, the SAST scan might not run. In such cases, configure an agent pool (Self-hosted Build agent).
For more info, please refer to Self-hosted Build agent (opens in a new tab).
If the agent pool is configured, update the pool name in the azure-pipelines.yaml
file.
From:
pool:
vmImage: 'ubuntu-latest'
To:
pool:
name: configuredPoolName
Add API Key and pipeline to the Repository
Navigate to Azure Devops pipelines (Azure Devops -> projects -> pipelines) click on New pipeline.
You've to complete 4 stages. Under connect tab select Azure Repos Git.
Select your Repo
Under configure click on existing Azure pipelines yaml file if you added the azure-pipelines.yml
file in the root directory of repository. Otherwise click on starter pipeline and add the azure-pipelines.yml
snippet.
Give your branch name, select file name and click on continue
You will be able to see the file that you selected and click on variables.
Click new variable button.
Provide the API key name FD_API_KEY and paste the API key value. Make sure to select Keep this value secret, then click the OK button.
click on save button.
click on run button.
In pipelines a new job will be runned.
After adding the file you should commit. Based on which branch you've commited, if the branch is included in the given file, the respective data like libraries, secrets will be sent to FlyingDuck portal.
Custom Branch
If you want to commit to the custom branch like feature/* or bug/*
and to check the findings of that branch then include that specific branch into the branches in azure-pipelines.yml
file.
trigger:
branches:
include:
- main
- master
- develop
- release
- feature/*
- bug/*
Troubleshoot
The debug option is used to understand what is happening within a particular command. If you need to troubleshoot, include this command LOG_LEVEL="debug"
in the file.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-e LOG_LEVEL="debug" \
-v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
displayName: 'Run Duckdefender Container'
On-premise Runner
Refer this for
On-premise Runner
Automated Scan
After selecting the scanning option, enable the checkbox to automatically scan the code upon each commit. This functionality is available only when a runner is configured and active.