Sonatype for Azure DevOpsEvaluate open source policies at CI. OverviewThe Sonatype for Azure DevOps extension enforces open source governance policies within the CI phase. As a new step within the build, the application is scanned by Nexus IQ to identify any open source security, license, or quality policy violations and can be configured to fail the build or generate a warning. Once the scan is complete, the results are displayed within Azure DevOps with a link to the Nexus Lifecycle policy report for violation details and expert remediation guidance. Sonatype LifecycleIn a DevOps world, the only way to deliver secure applications at scale is to rely on precise intelligence about the quality of the open source components used within those applications. Sonatype Lifecycle provides the most precise intelligence regarding security vulnerabilities, license risk, and architectural quality of open source components and delivers that information directly within Azure DevOps as well as other tools in the DevOps toolchain. Automate your open source policies with confidence and deliver applications at scale by eliminating manual approval processes and whitelists/blacklists. Sonatype for Azure DevOpsThe results of a Sonatype Lifecycle scan appear directly within the Azure DevOps build pipeline so it is easy to understand what open source components are being used and if they violate any of your open source policies. The Sonatype IQ Summary Report and the Sonatype IQ Build Report tabs that will contain all the results for the evaluation.
You can check the logs on the Job details
On the Sonatype IQ Summary Report tab you will find a summary of the total violations and the total scanned components
In this example, there are 1 critical, 1 medium, and 0 low risk components identified within this application. On the Sonatype IQ Build Report tab you will find a detailed view you will be able to identify which components violate which policy.
The Sonatype IQ Summary report can also be integrated into the Azure DevOps dashboard for a quick view into the summary of components evaluated. You also have the ability to add a widget to check the trends for the IQ Policy Evaluations
More information about the Sonatype for Azure DevOps extension can be found in the public documentation. RequirementsThe extension requires Sonatype Lifecycle. ChangesFor more information about individual versions please visit the extension's official help page. |
