Azure DevOps pipeline

Scribe offers Azure Devops Tasks for embedding evidence collecting and integrity verification to your workflows.

Tasks provides several actions enabling generation of SBOMs from various sources. The usage examples on this page demonstrate several use cases of SBOM collection (SBOM from a publicly available Docker image, SBOM from a Git repository, SBOM from a local directory) as well as several use cases of uploading the evidence either to the Azure DevOps pipelines or to the Scribe Service.

Installation

Install the Scribe valint CLI tool:

- task: scribeInstall@0

Usage

  - job: scribe_azure_job
    displayName: scribe azure job
  
    pool:
      vmImage: 'ubuntu-latest'

    steps:
    - task: ScribeInstall@0
    - task: ValintCli@0
      displayName: SBOM image `busybox:latest`.
      inputs:
        command: bom
        target: busybox:latest
        outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
        verbose: 2

Before you begin

Integrating Scribe Hub with Azure DevOps requires the following credentials that are found in the product setup dialog (In your Scribe Hub go to Home>Products>[$product]>Setup)

Product Key
Client ID
Client Secret

Note that the product key is unique per product, while the client ID and secret are unique for your account.

Procedure

Add the credentials to your Azure environment according to the Azure DevOps - Set secret variables.
Open your Azure DevOps project and make sure you have a YAML file named azure-pipelines.yml.

Here's what all the steps look like in a unified pipeline example:

Sample integration code

resources:
  repositories:
  - repository: mongo-express
    type: github
    ref: 'refs/tags/v1.0.0-alpha.4'
    name: mongo-express/mongo-express

trigger:
        - main

        pool:
          vmImage: 'ubuntu-latest'

        variables:
          imageName: 'pipelines-javascript-docker'

        steps:
        - task: scribeInstall@0

        - checkout: mongo-express
          path: mongo-express-scm

        - task: ValintCli@0
          inputs:
            commandName: bom
            target: dir:mongo-express-scm
            outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
            scribeEnable: true
            scribeClientId: $(SCRIBE-CLIENT-ID)
            scribeClientSecret:  $(SCRIBE-CLIENT-SECRET)

        - task: ValintCli@0
          inputs:
            commandName: bom
            target: mongo-express:1.0.0-alpha.4
            outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
            scribeEnable: true
            scribeClientId: $(SCRIBE-CLIENT-ID)
            scribeClientSecret:  $(SCRIBE-CLIENT-SECRET)

Basic examples

Public registry image (SBOM)

Create SBOM for remote busybox:latest image.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: busybox:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Docker built image (SBOM)

Create SBOM for image built by local docker image_name:latest image.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: image_name:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Private registry image (SBOM)

Create SBOM for image hosted on private registry.

Use docker login task to add access.

- task: ValintCli@0
  displayName: Generate cyclonedx json SBOM
  inputs:
    commandName: bom
    target: scribesecuriy.jfrog.io/scribe-docker-local/stub_remote:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Custom metadata (SBOM)

Custom metadata added to SBOM.

- job: custom_bom
  displayName: Custom bom

  variables:
    - name: test_env
      value: test_env_value

  pool:
    vmImage: 'ubuntu-latest'

  steps:
  - task: ValintCli@0
    displayName: Generate cyclonedx json SBOM - add metadata - labels, envs, name
    inputs:
      commandName: bom
      target: 'busybox:latest'
      outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
      verbose: 2
      force: true
      env: test_env
      label: test_label

Save as artifact (SBOM, SLSA)

Using input variable outputDirectory or outputFile to export evidence as an artifact.

Use input variable format to select between supported formats.

- task: ValintCli@0
  displayName: SBOM image `busybox:latest`.
  inputs:
    command: bom
    target: busybox:latest
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    outputFile: $(Build.ArtifactStagingDirectory)/my_sbom.json
    verbose: 2
    force: true

# Using `outputDirectory` evidence cache dir
- publish: $(Build.ArtifactStagingDirectory)/scribe/valint
  artifact: scribe-evidence

# Using `outputFile` custom path.
- publish: $(Build.ArtifactStagingDirectory)/my_sbom.json
  artifact: scribe-sbom

Directory target (SBOM)

Create SBOM from a local directory.

- bash: |
    mkdir testdir
    echo "test" > testdir/test.txt

- task: ValintCli@0
  displayName: SBOM local directory.
  inputs:
    command: bom
    target: dir:testdir
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Git target (SBOM)

Create SBOM for mongo-express remote git repository.

- task: ValintCli@0
  displayName: SBOM remote git repository.
  inputs:
    command: bom
    target: git:https://github.com/mongo-express/mongo-express.git 
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Create SBOM for local git repository.

When using implicit checkout note the Azure-DevOps git-strategy will effect the commits collected by the SBOM.

- checkout: self

- task: ValintCli@0
  displayName: SBOM local git repository.
  inputs:
    command: bom
    target: git:. 
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    verbose: 2
    force: true

Resources

If you're new to Azure pipelines these links should help you get started:

Valint Cli

Scribe Security