# Puma Scan Professional Azure DevOps Extension Puma Scan analyzes your source code for vulnerabilities identified in the OWASP Top 10, SANS/CWE Top 25, and other common insecure coding patterns as you write code in Visual Studio. The vulnerability categories covered by Puma Scan include: Insecure Application Configuration, SQL Injection, LDAP Injection, Command Injection, Path Tampering, Weak Password Configuration, Unvalidated Redirects, Cross-Site Scripting, Cross-Site Request Forgery, Weak Input Validation, Insecure Cryptography, and Insecure Object Deserialization. The Puma Scan Professional Azure DevOps Extension enables the following features in an Azure Build Pipeline: - Security analyzers run on application source code during each build - Export vulnerability data to HTML, JSON, and MSBuild formatted reports - Download vulnerability reports from the build's artifacts - View the number of Puma Scan vulnerabilities by severity on the build summary screen - View the Puma Scan vulnerability details on the Puma Scan Pro screen. ## Installation Instructions ### Order a Puma Scan Azure DevOps License - Create a Puma Scan Account (if you do not already have one) - Sign In to the Puma Scan web site. - Press the **Buy Now** button and purchase a **Puma Scan Pro: Azure DevOps License** - Browse to the My Profile screen to view your license(s) - Copy your Azure DevOps license information to the clipboard by pressing the **Copy** button.

### Configure Your Azure DevOps Pipeline - Edit the build pipeline variables and add a new variable: - Set the value of the variable name to **PumaLicense**. - Paste the license information on the clipboard into the Value field. - Press the lock icon to protect the secret value.

- Edit the build steps and add a new Puma Scan Professional task: - Add a new task to the agent by pressing the plus button.

- Search for the Puma Scan Professional build task and press the **Add** button.

- Configure the Puma Scan Professional Build Task by setting the following values: - **Path to Solution File**: Relative path to the solution or project file to scan. - **Scan Results Format**: Select one or more output result formats. Options include HTML, JSON, and MSBuild. - **Path to Output File**: Relative path and base name of the output files. The extension will be automatically added based on the formats selected above. - **Path to Settings file**: Relative path to the .pumafile (settings file) in the source control repository. This file includes the scanner configuration, custom sources, cleanse methods, and exceptions for the given application. - **Puma Scan License**: Reference the name of the pipeline variable containing your license information. If you followed the instructions above, this value should be **$(PumaLicense)**. - **Verbose**: Tells the scanner to write verbose output to the console when the build task runs.

### Execute Your Build Pipeline - Execute the build pipeline and wait for the tasks to finish. - Review the build logs and ensure the Puma Scan Professional task successfully completed.

- Click on the Puma Scan Professional task to view the build output.

### Puma Scan Summary and Details - View the build pipeline **Summary** tab to view the artifacts, warnings, and Puma Scan Pro summary.

- View the build pipeline **Puma Scan Pro** tab to view the detailed scan results.

- Download the Puma Scan vulnerability reports using the build **Artifacts**

## Known Issue(s) When running Puma Scan in a new pipeline, the build task will fail the first time as the new pipeline is associated with your Puma Scan license. The console output in the failed task will provide you a new license value to use in your pipeline, or you can copy the updated license data from your Puma Scan account. ## Learn More More details on configuring and running Puma Scan Professional can be found on our [Support Page](https://pumascan.com/support/). ## Supported Environments - Azure DevOps Agents must be running at least version 2.0 of the TFS agent. ## Contributors Thank you to the following Puma Scan Contributor(s) for this extension: - Andrew Guggenberger - Senior Security Engineer - Eric Johnson (@emjohn20) - Principal Security Engineer - Eric Mead (@ericmmead) - Principal Security Engineer ![](/static/images/pumascan-build.png) ![](/static/images/azuredevops-summary.png) ![](/static/images/azuredevops-details.png)