Azure DevOps Cloud Integration
PREREQUISITES
Access to the Azure Portal (opens in a new tab) with a valid Subscription.
Access to the Azure DevOps Portal (opens in a new tab) with a organization Owner/Admin.
Access to the Azure Microsoft Entra ID (Azure AD) permissions (typically Global Administrator)
App Registration
Before starting the integration, ensure you are logged in to the Azure Portal.
Click on Cloud Shell (opens in a new tab) in navbar and type
az login
If you are new to Azure, you might see a popup prompting you to select an environment. Choose Bash.
You will then be prompted to select a subscription. Choose Mount storage account if you wish to store data; otherwise, proceed with No storage account required.
After entering the az login
command, you will be able to see the below and follow the steps as shown.
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code E******S to authenticate.
Follow the provided link: https://microsoft.com/devicelogin (opens in a new tab) and enter the code displayed in Cloud Shell to complete the login process.
After completing the validation, you will get the details that are specific to tenant.
Download flyingduck-azure-integration
script on azure terminal using the following commands.
wget https://awosasins-fd-artifacts.s3.us-east-1.amazonaws.com/azure-devops/app/setup.sh
chmod +x setup.sh
sh setup.sh --enable devops
- Flyingduck app will be downloaded in to your azure.
- You will be asked for app registration permission either
yes
orno
. - If you pass
yes
, enter the nameexample-name
for the app registration so that app will be created with that name.
Custom role FlyingduckAzureDevopsRole
will be created, this role will be assigned to the app registration with the application id.
You wil get some details like :
Application Name
: [app name]Application ID (Client ID)
: [some Id]Tenant ID
: [some Id]Client Secret
: [some Id]Subscription id
: [some Id]
Secret values cannot be viewed again after you leave the page. Store them securely.
App Permissions
Login to your Azure DevOps Portal (opens in a new tab) and go to organization settings.
After opening the organization settings click on Users.
In the Users tab click on Add User.
In the Add new users section, enter the name example-name that you provided during App registration in the Azure terminal. Select all the options as shown in the image below, under Add to projects select the projects you want to integrate and then click on Add.
Note: Ensure that all the necessary projects are selected for the user; otherwise, the desired outcome won't be achieved.
If a project was created after the user was set up, you can still assign it to that user. Simply click on the three dots, choose Manage Access.
A list of all available projects in the organization will be displayed in the Projects section, select the necessary projects.
Click on Save.
Note: If you need to integrate multiple organizations, must follow the same App Permissions
steps for each.
Events Configuration
To capture continuous events from azure devops, need to perform two steps Function App
and Service Hooks
.
Function App
- Click on Cloud Shell (opens in a new tab) to open azure terminal.
In the terminal run the below commands.
wget https://awosasins-fd-artifacts.s3.us-east-1.amazonaws.com/azure-devops/function-app/fd-azure-function-app.sh
chmod +x fd-azure-function-app.sh
sh fd-azure-function-app.sh
After running this command, you will be prompted to provide certain details, as shown in the below.
- Enter Resource Group name [FlyingduckRG]:
- Enter Location [eastus]:
- Enter Storage Account name [flyingduckstorage827]:
- Enter Storage Queue name [flyingduckqueue]:
- Enter Function App name [flyingduckfunction22631]:
If no input is provided for the above details, default values will be used and pass the Flyingduck API Key.
- Enter Flyingduck API Key []:
The message "Azure Function App created successfully!" will be displayed after completing the function app step.
Service Hooks
- Click on Cloud Shell (opens in a new tab) to open azure terminal.
To automatically configure service hooks, a personal access token (PAT) must be entered during the process.
wget https://awosasins-fd-artifacts.s3.us-east-1.amazonaws.com/azure-devops/service-hooks/fd-azure-service-hooks.sh
chmod +x fd-azure-service-hooks.sh
sh fd-azure-service-hooks.sh
After entering sh fd-azure-service-hooks.sh
command, you will be prompted to provide details
- Enter your Azure DevOps organization names (comma-separated if multiple):
- Enter your Azure DevOps project names (comma-separated if multiple; leave blank for all projects):
- Enter your Azure DevOps Personal Access Token:
Install App
After completing all the required steps, go to the Flyingduck portal (opens in a new tab) and go to integrations page.
On the Integrations page, click on Azure DevOps to start integration.
After completing the App Registration
and App Permissions
, select the checkbox that you have completed required steps and click the Continue button.
Enter the specified details: Client ID, Tenant ID, Client secret, and Organization Name (the name of your Azure DevOps organization), then click the Continue button.
Active Branches
Under active branches, specify the branch name as shown in the image.
By clicking on the Save & Continue button, the branch name that you gave will be saved.
API Key
If you've created API Key previously you can click on Skip or else you can create a new API Key.
Provide a name to your API Key that your about to create and click on Generate API key
A new API Key will be generated that will be shown once, so store it with you confidentially.
Clicking on Next step will take you to code scan section.
Code Scan
The code scan can be done in two ways
- Workflows
- On-premise runner
Azure DevOps workflow
Select Azure DevOps workflow to configure DuckDefender in Azure DevOps by adding the yml file, that you need to download from the flyingduck portal for Libraries and Secrets information.
After selecting Azure DevOps workflow, then click the Download. This will download the azure-pipelines.yml
file, which is configured to perform SBOM and SCA.
Here in the yaml file, under the "branches -> include" add names of the branches commonly utilized for development within your environment. These are the branches for which you wish to conduct code scan.
Add the azure-pipelines.yml
file in the root directory of the repository.
SBOM and SCA in pipelines
This azure-pipelines.yml
file runs the scan for SBOM, SCA and secrets only.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
displayName: 'Run Duckdefender Container'
SBOM, SCA and SAST in Pipelines
To run scans for SBOM, SCA, and SAST, add the highlighted command to the azure-pipelines.yml
file.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-v $(Build.SourcesDirectory):/src \
--entrypoint /bin/sh ${{ variables.imageName }} -c "duckdefender code --all"
displayName: 'Run Duckdefender Container'
Due to insufficient resources in the default pipelines, the SAST scan might not run. In such cases, configure an agent pool (Self-hosted Build agent).
For more info, please refer to Self-hosted Build agent (opens in a new tab).
If the agent pool is configured, update the pool name in the azure-pipelines.yaml
file.
From:
pool:
vmImage: 'ubuntu-latest'
To:
pool:
name: configuredPoolName
Add API Key and pipeline to the Repository
Navigate to Azure Devops pipelines (Azure Devops -> projects -> pipelines) click on New pipeline.
You've to complete 4 stages. Under connect tab select Azure Repos Git.
Select your Repo
Under configure click on existing Azure pipelines yaml file if you added the azure-pipelines.yml
file in the root directory of repository. Otherwise click on starter pipeline and add the azure-pipelines.yml
snippet.
Give your branch name, select file name and click on continue
You will be able to see the file that you selected and click on variables.
Click new variable button.
Provide the API key name FD_API_KEY and paste the API key value. Make sure to select Keep this value secret, then click the OK button.
click on save button.
click on run button.
In pipelines a new job will be runned.
After adding the file you should commit. Based on which branch you've commited, if the branch is included in the given file, the respective data like libraries, secrets will be sent to Flyingduck portal.
Custom Branch
If you want to commit to the custom branch like feature/* or bug/*
and to check the findings of that branch then include that specific branch into the branches in azure-pipelines.yml
file.
trigger:
branches:
include:
- main
- master
- develop
- release
- feature/*
- bug/*
Troubleshoot
The debug option is used to understand what is happening within a particular command. If you need to troubleshoot, include this command LOG_LEVEL="debug"
in the file.
trigger:
branches:
include:
- main
- master
- develop
- release
pool:
vmImage: 'ubuntu-latest'
variables:
imageName: flyingduckio/duckdefender:latest
steps:
- script: |
docker pull ${{ variables.imageName }}
displayName: 'Pull Duckdefender Docker Image'
- script: |
docker run \
-e AZURE_DEVOPS_REPO_NAME="$(Build.Repository.Name)" \
-e AZURE_DEVOPS_BRANCH=$(Build.SourceBranch) \
-e AZURE_DEVOPS_COMMIT=$(Build.SourceVersion) \
-e FD_API_KEY=$(FD_API_KEY) \
-e LOG_LEVEL="debug" \
-v $(Build.SourcesDirectory):/src ${{ variables.imageName }}
displayName: 'Run Duckdefender Container'
On-premise Runner
This step can also be configured prior to starting the integration process.
Automated Scan
After selecting the scanning option, enable the checkbox to automatically scan the code upon each commit. This functionality is available only when a runner is configured and active.