Azure Pipelines is the CI/CD module of the Azure DevOps platform. Through it, automation routines can be built from the various tasks available on the Azure marketplace. Currently, the Conviso integration consists of a Bash-type task, run inside a Docker container, that invokes a CLI application. Familiarity with the FlowCLI tool (published on PyPI) is highly recommended.
Integrating continuous code review analysis with Azure Pipelines creates a direct connector to the development pipeline so that every deploy receives a code review.
This integration with Conviso Platform makes it easier to track the revisions of each piece of source code without impacting the development process.
Deploy review status checks are one of the benefits Conviso Platform offers customers for managing deploys: if a vulnerability is identified in the deployed code, a notification is generated automatically for the person responsible for fixing it.
In order for the experience with Conviso's services to be complete, it is necessary to meet all the requirements below:
Hosted Agent Pool (Ubuntu 18.04 or higher) with Docker installed, or an Azure cloud agent;
External access (may be limited to Conviso's registry for SAST, Dockerhub and Conviso Platform).
Given an Azure DevOps project, to create a Welcome Pipeline you can follow the steps below:
At the DevOps project root, click on Pipelines;
In the upper right menu, click on New Pipeline;
At the Connect step, select the platform where your code is hosted;
At Select, connect to the desired code repository;
At Configure, if you don't have or don't want to associate it with an existing pipeline, select the Starter Pipeline option;
In the Azure DevOps text editor that opens, paste the code snippet below:
Throughout this document, the trigger, pool and job settings are only proposals. The one hard requirement is that the jobs that use FlowCLI run in the
convisoappsec/flowcli image, available on Docker Hub.
Authentication between the FlowCLI tool and the platform takes place through an API key. To handle this key safely, it is recommended to use pipeline Variables. They can be defined in an already created pipeline by following the steps below:
At the DevOps project root, click on Pipelines;
Select the desired pipeline in the pipelines list;
Click on Edit in the upper right menu;
In the upper right menu again, click on Variables;
Click on the + button in the upper right corner;
Name the variable FLOW_API_KEY and add the API key available in your Conviso Platform profile;
Check the option Keep this value secret, then click Ok.
Before proceeding, we recommend reading the following guide to understand the different strategies/approaches for deploying Code Review.
After choosing the strategy used to send deploys to Code Review, it is possible to create a specific pipeline for this action or to integrate it into other existing pipelines. The requirements for executing this functionality are the
FLOW_API_KEY variable (previously set among the desired pipeline's variables) and the
FLOW_PROJECT_CODE variable (identified as the Project Key in Conviso Platform), which can be defined in each of the pipelines.
Below are the code snippets that can be placed in the
azure-pipelines.yml file (or any other custom file):
With TAGS, sorted by timestamp
With TAGS, sorted by versioning-style
Without TAGS, sorted by GIT Tree
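The azure-pipelines.yml below is an added example, not a snippet from the original page or from Conviso, showing how the three deploy strategies listed above can be wired into one pipeline job that runs inside the convisoappsec/flowcli image. It assumes the FLOW_API_KEY secret variable was created through the pipeline Variables dialog as described earlier, that FLOW_PROJECT_CODE is set as a plain pipeline variable (the placeholder value must be replaced with your Project Key), and that the FlowCLI subcommands shown (flow deploy create with tag-tracker sort-by time, flow deploy create with tag-tracker sort-by versioning-style, and flow deploy create without tag-tracker current-commit) match your installed FlowCLI version; confirm them against flow deploy create --help before relying on them.

```yaml
# Added example (not from the original page): azure-pipelines.yml that sends
# a deploy to Conviso Platform code review. Only one of the three strategy
# steps should be active; the other two are kept as disabled references.
trigger:
  branches:
    include:
      - main            # assumption: deploys are created from the main branch

pool:
  vmImage: 'ubuntu-latest'   # hosted Ubuntu agent with Docker available

variables:
  # Project Key from Conviso Platform. Placeholder value: replace it.
  FLOW_PROJECT_CODE: 'YOUR-PROJECT-KEY'
  # FLOW_API_KEY is deliberately NOT declared here: it is the secret pipeline
  # variable created under Pipelines > Edit > Variables, so it never lands in git.

jobs:
  - job: conviso_code_review
    displayName: 'Conviso Platform - deploy for code review'
    container: convisoappsec/flowcli   # the job runs inside the FlowCLI image
    steps:
      - checkout: self
        fetchDepth: 0       # full history: tag and commit tracking need it
        fetchTags: true

      # Strategy 1: with tags, sorted by timestamp
      - script: flow deploy create with tag-tracker sort-by time
        displayName: 'Deploy (tags, sorted by time)'
        env:
          # Secret variables are not exposed to scripts automatically;
          # they must be mapped explicitly in every task that needs them.
          FLOW_API_KEY: $(FLOW_API_KEY)
          FLOW_PROJECT_CODE: $(FLOW_PROJECT_CODE)

      # Strategy 2: with tags, sorted by versioning style (e.g. v1.2.3)
      - script: flow deploy create with tag-tracker sort-by versioning-style
        displayName: 'Deploy (tags, sorted by version)'
        condition: false    # disabled: enable exactly one strategy
        env:
          FLOW_API_KEY: $(FLOW_API_KEY)
          FLOW_PROJECT_CODE: $(FLOW_PROJECT_CODE)

      # Strategy 3: without tags, following the git tree (current commit)
      - script: flow deploy create without tag-tracker current-commit
        displayName: 'Deploy (git tree, current commit)'
        condition: false    # disabled: enable exactly one strategy
        env:
          FLOW_API_KEY: $(FLOW_API_KEY)
          FLOW_PROJECT_CODE: $(FLOW_PROJECT_CODE)
```

The env mapping is the part most often missed: Azure Pipelines injects plain variables into the process environment of a script step, but a variable marked Keep this value secret is only available to a task that maps it explicitly, which is why each FlowCLI step repeats the FLOW_API_KEY line.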
In addition to deploying for code review, it is also possible to integrate a SAST-type scan into the development pipeline, which will automatically perform a scan for potential vulnerabilities, treated at Conviso Platform as findings.
The requirements for running the job are the same as already practiced: the
FLOW_API_KEY and FLOW_PROJECT_CODE variables, defined as environment variables for the Agent Pool.
In the above pipeline, we didn't pass any options to the
flow sast run command. In this case, the default behavior is to analyze the entire repository, because the default values of the diff-range options (the option that sets the start of the range and
--end-commit) are the first commit and the current commit (HEAD), respectively.
Alternatively, we can specify the diff range manually. In the example below, we scan between the current commit and the one immediately before it on the current branch:
The SAST analysis can complement the code review carried out by the Conviso professional, and can even serve as input for the analyst. The job below sends the code for code review and reuses the same diff identifiers for the SAST analysis, forming a complete solution in the pipeline. An example of a complete pipeline with both solutions can be seen in the snippet below:
If authentication fails even though the FLOW_API_KEY variable is loaded, make sure it is mapped in the env section of every task that uses FlowCLI.
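As an added example that is not part of the original page or Conviso's own templates, the pipeline below covers the SAST section and the combined deploy-plus-SAST pipeline described above, and also shows the env mapping that the authentication note refers to. It resolves the range HEAD~1..HEAD once, publishes both commit ids as step output variables, and feeds the same pair to the deploy and to the scan. Assumptions: FLOW_API_KEY exists as a secret pipeline variable; FLOW_PROJECT_CODE holds your Project Key (placeholder shown); the subcommand flow deploy create without tag-tracker values --current-commit/--previous-commit and the flow sast run --start-commit option (the counterpart of --end-commit named on the page) exist in your FlowCLI version; verify both with --help before use.

```yaml
# Added example (not from the original page): one pipeline that sends the
# deploy for code review and runs the SAST scan on the same commit range,
# HEAD~1..HEAD (the current commit and the one immediately before it).
trigger:
  branches:
    include:
      - main            # assumption: scans run on pushes to main

pool:
  vmImage: 'ubuntu-latest'

variables:
  FLOW_PROJECT_CODE: 'YOUR-PROJECT-KEY'   # placeholder: Project Key in Conviso Platform

jobs:
  - job: conviso_review_and_sast
    displayName: 'Conviso Platform - code review + SAST'
    container: convisoappsec/flowcli   # every step runs in the FlowCLI image
    steps:
      - checkout: self
        fetchDepth: 0   # a shallow clone has no HEAD~1 to diff against

      # Resolve the diff range once and publish it as step output variables,
      # so the deploy and the SAST scan use exactly the same identifiers.
      - script: |
          set -euo pipefail
          START_COMMIT="$(git rev-parse HEAD~1)"
          END_COMMIT="$(git rev-parse HEAD)"
          echo "Diff range: ${START_COMMIT}..${END_COMMIT}"
          echo "##vso[task.setvariable variable=START_COMMIT;isOutput=true]${START_COMMIT}"
          echo "##vso[task.setvariable variable=END_COMMIT;isOutput=true]${END_COMMIT}"
        name: diffrange
        displayName: 'Resolve commit range'

      # Deploy for code review using the explicit commit pair.
      # Assumption: the "values" sub-strategy and its two options exist in
      # the installed FlowCLI (check: flow deploy create without tag-tracker --help).
      - script: >
          flow deploy create without tag-tracker values
          --previous-commit "$(diffrange.START_COMMIT)"
          --current-commit "$(diffrange.END_COMMIT)"
        displayName: 'Deploy for code review'
        env:
          FLOW_API_KEY: $(FLOW_API_KEY)       # secret: mapped here, never inherited
          FLOW_PROJECT_CODE: $(FLOW_PROJECT_CODE)

      # SAST on the same range. Assumption: --start-commit is the start-of-range
      # counterpart of the --end-commit option (check: flow sast run --help).
      - script: >
          flow sast run
          --start-commit "$(diffrange.START_COMMIT)"
          --end-commit "$(diffrange.END_COMMIT)"
        displayName: 'SAST scan on the same range'
        env:
          FLOW_API_KEY: $(FLOW_API_KEY)       # mapped again: each task needs its own
          FLOW_PROJECT_CODE: $(FLOW_PROJECT_CODE)
```

Two design points matter here. First, the range is computed in one place and passed to both tools as macro variables ($(diffrange.START_COMMIT)), so the review and the scan can never silently drift onto different commits. Second, if the SAST step ever reports an authentication failure while the deploy step succeeded, the first thing to compare is the env block of the two steps: a FLOW_API_KEY line present in one and missing in the other reproduces exactly the symptom described in the note above.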