Azure Pipelines Graph Mode Integration
Introduction​
Integrate the Conviso Platform seamlessly into your Azure DevOps Pipelines to automate and streamline your security processes. This integration ensures thorough security assessments for your applications throughout the development lifecycle.
The Azure Pipelines is a CI/CD module of the Azure Devops platform. Through this module, it is possible to create automation routines with various tasks that are available on Azure's marketplace. Currently, the integration with Conviso consists of Bash-type tasks. Among the tasks are: the CLI command line interface (CLI available at PyPi).
Requirements​
In order for the experience with Conviso's services to be complete, it is necessary to meet all the requirements below:
-
Hosted Agent Pool (Ubuntu 22.04 or higher) with Docker installed or Agent Cloud Azure;
- External access (can be limited to Conviso's registry for AST, Dockerhub and Conviso Platform).
First Steps​
Given an Azure Devops project, to create a Welcome Pipeline you can follow the steps below:
-
At the DevOps Project root, click at Pipelines;
-
At the upper right menu, click at New Pipeline;
-
Select the Use the classic editor to create a pipeline without YAML option;
-
At Select your Repository step, select the platform where your code is hosted, the repository and the branch for pipeline execution and click at Continue;
-
Select the Start with an Empty Job option;
-
Rename the Agent Job 1 to Conviso Agent, selecting Agent Pool option as Azure Pipelines and Agent Specification option as ubuntu-latest;
-
At Conviso Agent, click at the + icon to add a new task;
-
Add a Bash type task, rename the Display Name to Install Conviso CLI and modify its type to Inline;
-
You need to define an environment variable for CONVISO_API_KEY and set the value from Conviso Platform. It is important to set this variable as a secret.
-
To configure Conviso AST, within the script field, add the code snippet presented below:
- Windows Agent
- Linux Agent
echo "Installing Conviso CLI..."
pip3 install conviso-cli
conviso -k $(CONVISO_API_KEY) ast run
echo "Installing Conviso CLI..."
sudo pip3 install conviso-cli
conviso -k $(CONVISO_API_KEY) ast run
-
Click at Save & Queue. The pipeline execution will begin in a few moments.
-
The resulsts will be sent to Conviso Platform.
Troubleshooting​
Configuring API Key​
If authentication is not performed even when loading the CONVISO_API_KEY variable, make sure it is provided as environment variables for all tasks that use the CLI.
Ensuring Git is added to PATH Environment Variable​
If you encounter the error below, ensure that the PATH environment variable includes C:\Program Files\Git\bin:
Unable to locate executable file: 'bash'. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable.
Follow these steps to verify and update it:
- Access your project in Azure;
- Navigate to Agent pools:
- In the Capabilities tab, search for the Path environment variable:
- Add
C:\Program Files\Git\binto the environment variable.
- Restart the agent service.
Allowing Script Access to the OAuth Token​
If you encounter the following error, it indicates that the script does not have access to the OAuth token:
Error: Cmd('git') failed due to: exit code(128)
cmdline: git fetch --unshallow
stderr: 'fatal: could not read user Password for 'https://organization@dev.azure.com': terminal prompts disabled'
To resolve this issue, follow these steps:
-
Open the Agent job configuration in your pipeline settings.
-
Under Additional options, select the checkbox labeled Allow scripts to access the OAuth token:
- Save the changes and rerun the pipeline.
