Qwiet preZero for Azure DevOps
Qwiet preZero for Azure DevOps is an extension for Azure DevOps Pipelines that displays Qwiet AI analysis results produced as part of an Azure DevOps Pipelines run.
Configuration
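Create a new variable group and variable. The pipeline below references a variable group named shiftleft-token and a variable named SHIFTLEFT_ACCESS_TOKEN.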
Update pipeline
Update an existing pipeline (e.g. azure-pipelines.yaml) or create a new one with the code below. Please note that this extension expects an artifact called QwietReports that contains files with the following names:
qwiet-analysis-output.json
qwiet-check-analysis-report.md
qwiet-bestfix-report.json
qwiet-sbom-report.json
variables:
- group: shiftleft-token

trigger:
- master
- feature/*

pool:
  vmImage: 'windows-latest'

stages:
- stage: Builders
  displayName: Qwiet preZero
  jobs:
  - job: Build
    displayName: Qwiet preZero analysis
    steps:
    - task: NuGetToolInstaller@1
    - task: PowerShell@2
      displayName: Download Qwiet preZero CLI
      inputs:
        targetType: 'inline'
        script: |
          Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile $(Agent.HomeDirectory)\sl.zip
          Expand-Archive -Path $(Agent.HomeDirectory)\sl.zip -DestinationPath $(Agent.HomeDirectory)\
    - task: DotNetCoreCLI@2
      displayName: Restore web api
      inputs:
        command: 'restore'
        projects: '$(Build.SourcesDirectory)'
    - task: CmdLine@2
      displayName: Analyze code with Qwiet preZero
      inputs:
        script: |
          $(Agent.HomeDirectory)\sl.exe analyze --wait --app $(System.TeamProject) --tag branch=$(Build.SourceBranchName) --structured-output --structured-output-format JSON --structured-output-file-path qwiet-analysis-output.json --csharp vulnerable_asp_net_core.sln
        workingDirectory: '$(Build.SourcesDirectory)'
      env:
        SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
    - task: CmdLine@2
      displayName: Generate Qwiet preZero check-analysis report
      inputs:
        script: |
          $(Agent.HomeDirectory)\sl.exe check-analysis --v2 --no-build-rules --app $(System.TeamProject) --branch $(Build.SourceBranchName) --report-file qwiet-check-analysis-report.md
        workingDirectory: '$(Build.SourcesDirectory)'
      env:
        SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
    - task: CmdLine@2
      displayName: Download and setup Qwiet preZero integrations
      inputs:
        script: |
          git clone https://github.com/ShiftLeftSecurity/field-integrations.git report
          pip3 install -r report/shiftleft-utils/requirements.txt
        workingDirectory: '$(Build.SourcesDirectory)'
    - task: CmdLine@2
      displayName: Generate Qwiet preZero bestfix report
      inputs:
        script: |
          python3 report/shiftleft-utils/bestfix.py --no-logo -a $(System.TeamProject) -f json -o qwiet-bestfix-report.json -s .
        workingDirectory: '$(Build.SourcesDirectory)'
      env:
        SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
        CI: 1
    - task: CmdLine@2
      displayName: Generate Qwiet preZero SBOM report
      inputs:
        script: |
          python3 report/shiftleft-utils/sbom_report.py -a $(System.TeamProject) -o qwiet-sbom-report.json
        workingDirectory: '$(Build.SourcesDirectory)'
      env:
        SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
    - task: CopyFiles@2
      displayName: 'Copy Qwiet preZero reports to: $(Build.ArtifactStagingDirectory)'
      inputs:
        SourceFolder: '$(Build.SourcesDirectory)'
        Contents: |
          qwiet-analysis-output.json
          qwiet-check-analysis-report.md
          qwiet-bestfix-report.json
          qwiet-sbom-report.json
        TargetFolder: '$(Build.ArtifactStagingDirectory)'
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Artifact: QwietReports'
      inputs:
        ArtifactName: QwietReports
        PathtoPublish: '$(Build.ArtifactStagingDirectory)'
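
The extension reads its input from the four files in the QwietReports artifact, so a validation step before publishing surfaces a failed or truncated report early. The script below is an added example, not part of Qwiet's documentation; it assumes it runs in a PowerShell@2 step placed between CopyFiles@2 and PublishBuildArtifacts@1, and treating extra files in the staging directory as errors is a choice made for this example.

```powershell
# Added example: validate the QwietReports payload before it is published.
# Assumption: runs on the build agent after CopyFiles@2, where the predefined
# variable Build.ArtifactStagingDirectory is exposed as an environment variable.
param(
    [string]$ReportDir = $env:BUILD_ARTIFACTSTAGINGDIRECTORY
)

# File names the extension expects, taken from the list on this page.
$expected = @(
    'qwiet-analysis-output.json',
    'qwiet-check-analysis-report.md',
    'qwiet-bestfix-report.json',
    'qwiet-sbom-report.json'
)

$problems = @()
foreach ($name in $expected) {
    $path = Join-Path $ReportDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $problems += "missing report: $name"
        continue
    }
    if ((Get-Item -LiteralPath $path).Length -eq 0) {
        $problems += "empty report: $name"
        continue
    }
    # JSON reports must parse; a truncated file means the generating step failed midway.
    if ($name -like '*.json') {
        try {
            Get-Content -LiteralPath $path -Raw | ConvertFrom-Json -ErrorAction Stop | Out-Null
        } catch {
            $problems += "invalid JSON in ${name}: $($_.Exception.Message)"
        }
    }
}

# The whole staging directory is published, so flag anything that is not a report.
$extra = Get-ChildItem -LiteralPath $ReportDir -File -Recurse |
    Where-Object { $expected -notcontains $_.Name }
foreach ($file in $extra) {
    $problems += "unexpected file in artifact: $($file.FullName)"
}

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Host "##vso[task.logissue type=error]$p" }
    exit 1
}
Write-Host "QwietReports payload OK: $($expected.Count) files validated."
```

A non-zero exit fails the step, so PublishBuildArtifacts@1 does not run with an incomplete or polluted artifact.
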
About Qwiet AI
Qwiet AI, formerly ShiftLeft, reduces the noise inherent in the AppSec and DevSecOps space and allows developers to focus on high-fidelity results that have the greatest impact in their environment. Qwiet AI’s platform is the first in the industry to provide AI-driven detection and AutoFixes of zero-day and pre-zero-day vulnerabilities in code.