Harness SAST and SCA for Azure DevOps
Harness SAST and SCA for Azure DevOps is an extension for Azure DevOps Pipelines that displays Qwiet AI analysis results produced as part of an Azure DevOps Pipelines run.
Configuration
Create a variable group named shiftleft-token containing a variable SHIFTLEFT_ACCESS_TOKEN that holds your Qwiet AI access token. The pipeline below links this group and maps the variable into each CLI step. Mark the variable as secret: Azure Pipelines then masks it in logs and withholds it from scripts unless a step maps it explicitly through env:, which is why every step that calls sl.exe or the report scripts carries an env: block.
Update pipeline
Update an existing pipeline (e.g. azure-pipelines.yaml) or create a new one from the YAML below. The extension reads its data from a published build artifact named QwietReports; the results tab stays empty unless that artifact exists and contains files with exactly the following names:
qwiet-analysis-output.json
qwiet-check-analysis-report.md
qwiet-bestfix-report.json
qwiet-sbom-report.json
```yaml
variables:
  # Variable group created above; it supplies SHIFTLEFT_ACCESS_TOKEN as a secret.
  - group: shiftleft-token

trigger:
  - master
  - feature/*

pool:
  vmImage: 'windows-latest'

stages:
  - stage: Builders
    displayName: Harness SAST and SCA
    jobs:
      - job: Build
        displayName: Harness SAST and SCA analysis
        steps:
          - task: NuGetToolInstaller@1

          - task: PowerShell@2
            displayName: Download Harness SAST and SCA CLI
            inputs:
              targetType: 'inline'
              script: |
                Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile $(Agent.HomeDirectory)\sl.zip
                Expand-Archive -Path $(Agent.HomeDirectory)\sl.zip -DestinationPath $(Agent.HomeDirectory)\

          - task: DotNetCoreCLI@2
            displayName: Restore web api
            inputs:
              command: 'restore'
              projects: '$(Build.SourcesDirectory)'

          # Runs the analysis and writes the structured result the extension reads.
          # --app and --tag branch=... identify the app and branch in the Qwiet AI tenant.
          - task: CmdLine@2
            displayName: Analyze code with Harness SAST and SCA
            inputs:
              script: |
                $(Agent.HomeDirectory)\sl.exe analyze --wait --app $(System.TeamProject) --tag branch=$(Build.SourceBranchName) --structured-output --structured-output-format JSON --structured-output-file-path qwiet-analysis-output.json --csharp vulnerable_asp_net_core.sln
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              # Secret variables are not exposed to scripts unless mapped here.
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          - task: CmdLine@2
            displayName: Generate Harness SAST and SCA check-analysis report
            inputs:
              script: |
                $(Agent.HomeDirectory)\sl.exe check-analysis --v2 --no-build-rules --app $(System.TeamProject) --branch $(Build.SourceBranchName) --report-file qwiet-check-analysis-report.md
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          # Fetches the report scripts from the public field-integrations repo at run time.
          # Pinning the clone to a reviewed tag or commit avoids pulling unreviewed changes into the build.
          - task: CmdLine@2
            displayName: Download and setup Harness SAST and SCA integrations
            inputs:
              script: |
                git clone https://github.com/ShiftLeftSecurity/field-integrations.git report
                pip3 install -r report/shiftleft-utils/requirements.txt
              workingDirectory: '$(Build.SourcesDirectory)'

          - task: CmdLine@2
            displayName: Generate Harness SAST and SCA bestfix report
            inputs:
              script: |
                python3 report/shiftleft-utils/bestfix.py --no-logo -a $(System.TeamProject) -f json -o qwiet-bestfix-report.json -s .
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
              CI: 1

          - task: CmdLine@2
            displayName: Generate Harness SAST and SCA SBOM report
            inputs:
              script: |
                python3 report/shiftleft-utils/sbom_report.py -a $(System.TeamProject) -o qwiet-sbom-report.json
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          # Only the four report files go into the artifact; the artifact name must be QwietReports.
          - task: CopyFiles@2
            displayName: 'Copy Harness SAST and SCA reports to: $(Build.ArtifactStagingDirectory)'
            inputs:
              SourceFolder: '$(Build.SourcesDirectory)'
              Contents: |
                qwiet-analysis-output.json
                qwiet-check-analysis-report.md
                qwiet-bestfix-report.json
                qwiet-sbom-report.json
              TargetFolder: '$(Build.ArtifactStagingDirectory)'

          - task: PublishBuildArtifacts@1
            displayName: 'Publish Artifact: QwietReports'
            inputs:
              ArtifactName: QwietReports
              PathtoPublish: '$(Build.ArtifactStagingDirectory)'
```
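If any of the four report steps fails silently or writes a truncated file, the artifact is still published and the extension simply shows nothing. The script below is an added example, not part of this extension or of the field-integrations repository: it checks the staging directory for the four expected files before PublishBuildArtifacts runs and fails the job with Azure Pipelines error annotations if anything is missing, empty, or (for the .json files) not parseable. The file names come from the list above; the placeholder JSON bodies written by build_sample_staging are constructed for the stand-alone demo and do not follow the real Qwiet AI report schema.

```python
"""Pre-publish check for the QwietReports artifact (added example)."""
import json
import os
import sys
import tempfile

# File names the extension expects inside the QwietReports artifact (from the page).
EXPECTED_REPORTS = (
    "qwiet-analysis-output.json",
    "qwiet-check-analysis-report.md",
    "qwiet-bestfix-report.json",
    "qwiet-sbom-report.json",
)


def verify_reports(staging_dir):
    """Return a list of problem strings; an empty list means the artifact is complete."""
    problems = []
    for name in EXPECTED_REPORTS:
        path = os.path.join(staging_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        if os.path.getsize(path) == 0:
            problems.append(f"{name}: empty")
            continue
        if name.endswith(".json"):
            # A report step that died mid-write leaves a file that is present but not JSON.
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    json.load(fh)
            except (ValueError, UnicodeDecodeError) as exc:
                problems.append(f"{name}: not valid JSON ({exc})")
    return problems


def build_sample_staging(root, omit=(), corrupt=()):
    """Write constructed placeholder reports into root for a stand-alone demo.

    The JSON bodies are made up here (assumption); they are not the real Qwiet schema.
    """
    for name in EXPECTED_REPORTS:
        if name in omit:
            continue
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            if name in corrupt:
                fh.write("{ truncated")          # simulates a report cut off mid-write
            elif name.endswith(".json"):
                json.dump({"placeholder": name}, fh)
            else:
                fh.write("# check-analysis\n")
    return root


def demo():
    """Run the check over a complete and a broken constructed artifact directory."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        build_sample_staging(good)
        build_sample_staging(
            bad,
            omit=("qwiet-sbom-report.json",),
            corrupt=("qwiet-bestfix-report.json",),
        )
        return verify_reports(good), verify_reports(bad)


if __name__ == "__main__":
    # In the pipeline: python verify_reports.py "$(Build.ArtifactStagingDirectory)"
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    found = verify_reports(target)
    for problem in found:
        # Azure Pipelines logging command: surfaces the line as a job error in the UI.
        print(f"##vso[task.logissue type=error]{problem}")
    sys.exit(1 if found else 0)
```

Add it as a script step between CopyFiles@2 and PublishBuildArtifacts@1, pointing it at $(Build.ArtifactStagingDirectory); the pipeline already relies on a Python interpreter on the agent for the bestfix and SBOM steps, so no extra tooling is assumed. A non-zero exit fails the job, which is preferable to publishing an artifact the extension cannot render.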
About Qwiet AI
Qwiet AI, formerly ShiftLeft, reduces the noise inherent in the AppSec and DevSecOps space and allows developers to focus on high-fidelity results that have the greatest impact in their environment. Qwiet AI’s platform is the first in the industry to provide AI-driven detection and AutoFixes of zero-day and pre-zero-day vulnerabilities in code.