
Valint Cli

Scribe Security

Command Line Interpreter (CLI) tool that generates evidence verifying the integrity of your supply chain.

Azure DevOps pipeline

Scribe offers Azure DevOps tasks for embedding evidence collection and integrity verification in your workflows.

The tasks provide several actions for generating SBOMs from various sources. The usage examples on this page demonstrate several use cases of SBOM collection (an SBOM from a publicly available Docker image, from a Git repository, and from a local directory) as well as several ways of uploading the evidence, either to Azure DevOps pipeline artifacts or to the Scribe Service.

Installation

Install the Scribe valint CLI tool:

- task: scribeInstall@0

Usage

  - job: scribe_azure_job
    displayName: scribe azure job
  
    pool:
      vmImage: 'ubuntu-latest'

    steps:
    - task: ScribeInstall@0
    - task: ValintCli@0
      displayName: SBOM image `busybox:latest`.
      inputs:
        command: bom
        target: busybox:latest
        outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
        verbose: 2

Before you begin

Integrating Scribe Hub with Azure DevOps requires the following credentials, which are found in the product setup dialog (in your Scribe Hub, go to Home>Products>[$product]>Setup):

  • Product Key
  • Client ID
  • Client Secret

Note that the product key is unique per product, while the client ID and secret are unique for your account.

Procedure

  • Add the credentials to your Azure environment as secret variables, following the Azure DevOps guide "Set secret variables".

  • Open your Azure DevOps project and make sure you have a YAML file named azure-pipelines.yml.

Here's what all the steps look like in a unified pipeline example:

Sample integration code

resources:
  repositories:
  - repository: mongo-express
    type: github
    ref: 'refs/tags/v1.0.0-alpha.4'
    name: mongo-express/mongo-express

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

variables:
  imageName: 'pipelines-javascript-docker'

steps:
- task: scribeInstall@0

- checkout: mongo-express
  path: mongo-express-scm

# SBOM of the checked-out source tree, uploaded to Scribe Hub
- task: ValintCli@0
  inputs:
    commandName: bom
    target: dir:mongo-express-scm
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    scribeEnable: true
    scribeClientId: $(SCRIBE-CLIENT-ID)
    scribeClientSecret: $(SCRIBE-CLIENT-SECRET)

# SBOM of the corresponding container image, uploaded to Scribe Hub
- task: ValintCli@0
  inputs:
    commandName: bom
    target: mongo-express:1.0.0-alpha.4
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    scribeEnable: true
    scribeClientId: $(SCRIBE-CLIENT-ID)
    scribeClientSecret: $(SCRIBE-CLIENT-SECRET)

Basic examples

Public registry image (SBOM)

Create an SBOM for the remote busybox:latest image.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: busybox:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Docker built image (SBOM)

Create an SBOM for a locally built Docker image, image_name:latest.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: image_name:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Private registry image (SBOM)

Create an SBOM for an image hosted on a private registry.

Use the Docker login task beforehand to grant the pipeline access to the registry.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: scribesecuriy.jfrog.io/scribe-docker-local/stub_remote:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Custom metadata (SBOM)

Add custom metadata (environment variables and labels) to the SBOM.

- job: custom_bom
  displayName: Custom bom

  variables:
    - name: test_env
      value: test_env_value

  pool:
    vmImage: 'ubuntu-latest'

  steps:
  - task: ValintCli@0
    displayName: Generate cyclonedx json SBOM - add metadata - labels, envs, name
    inputs:
      commandName: bom
      target: 'busybox:latest'
      outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
      verbose: 2
      force: true
      env: test_env
      label: test_label

Save as artifact (SBOM, SLSA)

Use the input variable outputDirectory or outputFile to export the evidence as a pipeline artifact.

Use the input variable format to select between the supported evidence formats.

- task: ValintCli@0
  displayName: SBOM image `busybox:latest`.
  inputs:
    command: bom
    target: busybox:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    outputFile: $(Build.ArtifactStagingDirectory)/my_sbom.json
    verbose: 2
    force: true

# Using `outputDirectory` evidence cache dir
- publish: $(Build.ArtifactStagingDirectory)/scribe/valint
  artifact: scribe-evidence

# Using `outputFile` custom path.
- publish: $(Build.ArtifactStagingDirectory)/my_sbom.json
  artifact: scribe-sbom
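As an added example (not part of the Scribe task or of this page), a Python gate that a later pipeline step can run on the published my_sbom.json artifact to fail the build when the CycloneDX SBOM is malformed or lists components without a version, purl or hash. The field names come from the public CycloneDX 1.4 JSON schema rather than valint internals, the embedded sample SBOM is constructed, and the script itself is hypothetical.

```python
# Hypothetical follow-on pipeline step, not part of the Scribe task itself:
# fail the build if the CycloneDX JSON SBOM artifact is malformed or unpinned.
# Field names follow the public CycloneDX 1.4 JSON schema, not valint internals.
import json
import sys

# Constructed sample SBOM, used when no path is given; not real valint output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "busybox", "version": "latest"}},
    "components": [
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:apk/alpine/busybox@1.36.1",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "mystery-lib"},  # no version, purl or hash
    ],
})


def check_sbom(text):
    """Return a list of findings; an empty list means the SBOM passes the gate."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX JSON object"]
    findings = []
    if not str(bom.get("specVersion", "")).startswith("1."):
        findings.append("missing or unexpected specVersion")
    if not ((bom.get("metadata") or {}).get("component") or {}).get("name"):
        findings.append("metadata.component (the SBOM subject) is missing")
    components = bom.get("components") or []
    if not components:
        findings.append("no components listed")
    for i, comp in enumerate(components):
        label = comp.get("name", f"#{i}")
        for field in ("version", "purl"):  # both needed to match vulnerability feeds
            if not comp.get(field):
                findings.append(f"component {label}: missing {field}")
        if not comp.get("hashes"):  # needed to pin the exact artifact
            findings.append(f"component {label}: no hashes")
    return findings


if __name__ == "__main__":
    problems = check_sbom(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM)
    print("\n".join(f"FAIL: {p}" for p in problems) or "SBOM passes")
    sys.exit(1 if problems else 0)
```

Run it as `python check_sbom.py $(Build.ArtifactStagingDirectory)/my_sbom.json` in a step after the ValintCli task; a non-zero exit fails the job.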

Directory target (SBOM)

Create an SBOM from a local directory.

- bash: |
    mkdir testdir
    echo "test" > testdir/test.txt

- task: ValintCli@0
  displayName: SBOM local directory.
  inputs:
    command: bom
    target: dir:testdir
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Git target (SBOM)

Create an SBOM for the remote mongo-express Git repository.

- task: ValintCli@0
  displayName: SBOM remote git repository.
  inputs:
    command: bom
    target: git:https://github.com/mongo-express/mongo-express.git
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Create an SBOM for a local Git repository.

When using the implicit checkout, note that the Azure DevOps Git strategy (how the repository is fetched) will affect which commits are collected into the SBOM.

- checkout: self

- task: ValintCli@0
  displayName: SBOM local git repository.
  inputs:
    command: bom
    target: git:.
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Resources

If you're new to Azure Pipelines, these links should help you get started:

  • What is Azure Pipelines?
  • Key concepts for new Azure Pipelines users.
  • Getting started with Azure Pipelines
  • Create your first Azure pipeline.