Puma Scan Professional Azure DevOps Extension
Puma Scan analyzes your source code for vulnerabilities identified in the OWASP Top 10, SANS/CWE Top 25, and other common insecure coding patterns as you write code in Visual Studio. The current vulnerability categories covered by Puma Scan include: Insecure Application Configuration, SQL Injection, LDAP Injection, Command Injection, Path Tampering, Weak Password Configuration, Unvalidated Redirects, Cross-Site Scripting, Cross-Site Request Forgery, Weak Input Validation, Insecure Cryptography, Insecure Object Deserialization, Broken Authentication, Broken Access Control, Server-side Request Forgery, and Poor Secrets Management.
The Puma Scan Professional Azure DevOps Extension enables the following features in an Azure Build Pipeline:
Security analyzers run on application source code during each build
Export vulnerability data to HTML, JSON, MSBuild, and MSTest formatted reports
Download vulnerability reports from the build's artifacts
Parse and display Puma Scan vulnerabilities as Unit Test results
View the number of Puma Scan vulnerabilities by severity on the build summary screen
View the Puma Scan vulnerability details on the Puma Scan Pro screen.
Installation Instructions
Order a Puma Scan Azure DevOps License
Create a Puma Scan Account (if you do not already have one)
Sign In to the Puma Scan web site.
Press the Buy Now button and purchase a Puma Scan Pro: Azure DevOps License
Browse to the My Profile screen to view your license(s)
Copy your Azure DevOps license information to the clipboard by pressing the Copy button.
Edit the build pipeline variables and add a new variable:
Set the value of the variable name to PumaLicense.
Paste the license information on the clipboard into the Value field.
Press the lock icon to protect the secret value.
Edit the build steps and add a new Puma Scan Professional task:
Configure the Puma Scan Professional Build Task by setting the following values:
Path to Solution File: Relative path to the solution or project file to scan.
Scan Results Format: Select one or more output result formats. Options include HTML, JSON, and MSBuild.
Path to Output File: Relative path and base name of the output files. The extension will be automatically added based on the formats selected above.
Path to Settings file: Relative path to the .pumafile (settings file) in the source control repository. This file includes the scanner configuration, custom sources, cleanse methods, and exceptions for the given application.
Puma Scan License: Reference the name of the pipeline variable containing your license information. If you followed the instructions above, this value should be $(PumaLicense).
Verbose: Tells the scanner to write verbose output to the console when the build task runs.
Execute Your Build Pipeline
Execute the build pipeline and wait for the tasks to finish.
Review the build logs and ensure the Puma Scan Professional task successfully completed.
Click on the Puma Scan Professional task to view the build output.
Puma Scan Summary and Details
View the build pipeline Summary tab to view the artifacts, warnings, and Puma Scan Pro summary.
View the build pipeline Puma Scan Pro tab to view the detailed scan results.
Download the Puma Scan vulnerability reports using the build Artifacts
Known Issue(s)
When running Puma Scan in a new pipeline, the build task will fail the first time as the new pipeline is associated with your Puma Scan license. The console output in the failed task will provide you a new license value to use in your pipeline, or you can copy the updated license data from your Puma Scan account.
Learn More
More details on configuring and running Puma Scan Professional can be found on our Support Page.
Supported Environments
- Azure DevOps Agents must be running at least version 2.0 of the TFS agent.
Contributors
Thank you to the following Puma Scan Contributor(s) for this extension:
Andrew Guggenberger - Senior Security Engineer
Eric Johnson (@emjohn20) - Principal Security Engineer
Eric Mead (@ericmmead) - Principal Security Engineer
