Integrating the Sec1 Container Image Scanner plugin as an Azure DevOps extension lets developers and teams improve the security of their software projects by scanning container images for open-source vulnerabilities against the Sec1 Security Database. This documentation provides a step-by-step guide to integrating the Sec1 Container Image Scanner extension into your Azure DevOps CI/CD pipelines.
1. Install the Extension
In the Visual Studio Marketplace, search for "Sec1 Container Image Scanner" and click the search result to open the extension page.
Click "Get it free", select the Azure DevOps organization in which you want to install the extension, and click "Install".
Once installation is complete, click "Proceed to organization".
2. Configure API Token
You need to configure the API token as a Generic service connection. The token is then stored as a secret in the service connection and never appears in the pipeline YAML.
Go to your project > "Project Settings".
Click "Service connections" under the Pipelines section.
Click "New service connection".
Search for "Generic" and click "Next".
Enter the following configuration:
Server URL - Defaults to https://api.sec1.io. If you use the Sec1 SaaS service, leave it blank; otherwise enter the URL of your Sec1 instance.
Username - Optional; Sec1 Security authenticates with the API token only.
Password/Token Key - The Sec1 Security API token (see the note below on generating one).
Service connection name - A name for the connection (e.g. Sec1SecurityServiceConnection). You will select it by this name when configuring the task.
Description - Optional.
Grant access permission to all pipelines - Select this checkbox to let every pipeline in the project use the connection; otherwise you must grant access to each pipeline individually when it first runs. Leaving it unchecked keeps the token usable only by pipelines you explicitly authorize.
Note: to generate a Sec1 Security API token, open Scopy, use "Login with GitHub", and go to "Settings".
In the "API key" section, click "Generate API key" and copy the key. Treat it as a secret: paste it only into the service connection, never into the repository or pipeline YAML.
3. Configure Sec1 Container Image Scanner Extension as a Build Step
Navigate to "Pipelines" in your project and open the pipeline you want to edit.
Click "Edit".
Search for "Sec1 Container Image Scanner" in the task search box and select the result.
In the service connection dropdown, select the Generic service connection you created in step 2.
Enter the fully qualified image reference (registry/repository:tag). You can also add the task directly in the pipeline YAML file (azure-pipelines.yml by default).
Click "Add".
Alternatively, copy the snippet below directly into your pipeline YAML file:
- task: Sec1ContainerImageScanner@1
  inputs:
    serviceConnection: '<<Enter Service Connection Name e.g. Sec1ServiceConnection>>'
    image: '<<Fully qualified path of image including tag>>'
    thresholdCheck: true
    critical: '2'
    high: '5'
    medium: '10'
    low: '20'
4. Configuration Parameters
Configure the following parameters in the "Sec1 Security Settings" when adding the extension as a build step:
Enable the Threshold Check (optional) - If selected, set the maximum number of vulnerabilities allowed for each severity. The defaults for Critical and High are 0 and 10 respectively. If the check is not enabled, no threshold is applied to the scan results.
The comparison is strict: a severity fails the build only when the number of vulnerabilities found exceeds its threshold. For example, if you set the critical threshold to 10, the build fails when more than 10 critical vulnerabilities are found; exactly 10 passes.
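The gate semantics above are easy to get wrong when reading scan output by hand (strict "more than", a critical default of 0 meaning any critical finding fails, and no documented default for medium/low). The following is an added illustration written for this page, not the Sec1 task's own implementation: it reproduces those rules over a constructed list of findings so you can check what a given set of task inputs would do before committing them to the pipeline. The finding format, the `unknown` bucket for unrated findings, and the choice to treat a missing medium/low value as "no limit" are assumptions made for the example.

```python
# Added example: reproduces the threshold-gate rules documented for the
# Sec1 Container Image Scanner task. Illustrative code, not the task's
# implementation; finding format and sample data are constructed.
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

SEVERITIES = ("critical", "high", "medium", "low")

# Page-documented defaults when the check is enabled but no value is given:
# critical 0, high 10. Medium/low have no documented default, so a missing
# value is treated here as "no limit" (assumption for this example).
DEFAULT_THRESHOLDS: Dict[str, Optional[int]] = {
    "critical": 0, "high": 10, "medium": None, "low": None,
}

# Constructed sample findings (not real scanner output). Note the mixed-case
# severity and one unrated finding, both of which a gate must handle.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "package": "openssl", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "zlib", "severity": "CRITICAL"},
    *[{"id": f"EXAMPLE-01{i:02d}", "package": "glibc", "severity": "high"}
      for i in range(5)],
    *[{"id": f"EXAMPLE-02{i:02d}", "package": "curl", "severity": "medium"}
      for i in range(12)],
    {"id": "EXAMPLE-0300", "package": "bash", "severity": "unrated"},
]


def thresholds_from_inputs(inputs: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Merge task inputs (YAML strings such as '2') with the documented defaults.

    Empty or missing inputs keep the default; negative values are rejected.
    """
    thresholds = dict(DEFAULT_THRESHOLDS)
    for sev in SEVERITIES:
        raw = inputs.get(sev)
        if raw is None or str(raw).strip() == "":
            continue
        value = int(raw)
        if value < 0:
            raise ValueError(f"threshold for {sev} must be >= 0, got {value}")
        thresholds[sev] = value
    return thresholds


def count_by_severity(findings: Iterable[Dict[str, str]]) -> Counter:
    """Count findings per severity, case-insensitively.

    Findings with an unrecognised severity land in 'unknown' so they are
    visible in the report but never silently gate the build.
    """
    counts = Counter({sev: 0 for sev in SEVERITIES})
    counts["unknown"] = 0
    for finding in findings:
        sev = str(finding.get("severity", "")).strip().lower()
        counts[sev if sev in SEVERITIES else "unknown"] += 1
    return counts


def evaluate_thresholds(counts: Dict[str, int],
                        thresholds: Dict[str, Optional[int]],
                        threshold_check: bool = True) -> Tuple[bool, List[str]]:
    """Return (passed, violations) using the page's strict rule:

    a severity violates its threshold only when its count is *more than* the
    threshold, so exactly-at-threshold passes. With threshold_check disabled
    the scan is report-only and never fails the build.
    """
    if not threshold_check:
        return True, []
    violations: List[str] = []
    for sev in SEVERITIES:
        limit = thresholds.get(sev)
        if limit is None:
            continue  # no limit configured for this severity
        found = counts.get(sev, 0)
        if found > limit:
            violations.append(f"{sev}: {found} found, threshold {limit}")
    return not violations, violations


def gate_build(findings: Iterable[Dict[str, str]], inputs: Dict[str, str],
               threshold_check: bool = True) -> Dict[str, object]:
    """Convenience wrapper: counts findings and applies the configured gate."""
    counts = count_by_severity(findings)
    passed, violations = evaluate_thresholds(
        counts, thresholds_from_inputs(inputs), threshold_check)
    return {"counts": dict(counts), "passed": passed, "violations": violations}


if __name__ == "__main__":
    # Same inputs as the YAML snippet on this page.
    result = gate_build(SAMPLE_FINDINGS,
                        {"critical": "2", "high": "5", "medium": "10", "low": "20"})
    print(result)
```

Run with the snippet's inputs, the sample fails only on medium (12 found against a threshold of 10), while the two critical findings pass because 2 is not more than 2. With no inputs at all, the documented critical default of 0 makes those same two findings fail the build, which is the behaviour to expect if you enable the check without setting values.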