Veracode Azure DevOps Extension
Veracode enables you to build software securely at the speed of DevOps, providing application security in development, the release pipeline, and production. The Veracode Azure DevOps extension integrates Veracode Static Analysis and Veracode Software Composition Analysis into your Azure DevOps workflows to deliver fast, repeatable results. This integration means you can find security defects earlier in the development lifecycle and stop the build and release pipeline as soon as critical issues are found. Security testing becomes part of your development team's daily workflow, so fewer late-release blockers occur. By making it easier to code securely, Veracode enables you to deliver secure applications faster.
The Veracode Azure DevOps Extension is part of the Veracode ecosystem of integrations that helps you connect Veracode with your software development process, including an IDE plugin for Visual Studio and integrations for other build servers, IDEs, and defect tracking solutions. For more information about Veracode's integrations and APIs, see the Veracode Help Center.
- Integrate application security into the development tools you already use: From within Azure DevOps and Team Foundation Server you can automatically scan code using the Veracode Application Security Platform to find security vulnerabilities, import any security findings that violate your security policy as work items, and even optionally stop the build if serious security issues are found.
- Don't stop for false alarms: Because Veracode gives you accurate results and prioritizes them based on severity, you won't need to waste resources dealing with hundreds of false positives. We have assessed over 2 trillion lines of code in 15 languages and 70+ frameworks, and we get better with every assessment due to our rapid update cycles and continuous improvement processes. And, if something does get through, just mitigate it using the easy Veracode workflow; we'll remember it the next time.
- Align your AppSec practices with your development practices: Do you have a large or distributed development team? Are you drowning in revision control branches? You can integrate your Azure DevOps workflows with the Veracode Developer Sandbox, which supports multiple development branches, feature teams, and other parallel development practices.
- Don't just find vulnerabilities, fix them: Veracode gives you remediation guidance with each finding as well as the data path that an attacker would use to reach the weak point in the application. Veracode also highlights the most common sources of vulnerabilities to help prioritize remediation. In addition, when vulnerability reports don't provide enough clarity, you can set up one-on-one developer consultations with our experts who have backgrounds in both security and software development. Show-stopping security findings appear in your team's list of work items automatically, and are updated and closed once you rescan your fixed code.
- Proven onboarding process allows for scanning on day one: Want to get started quickly? The cloud based Veracode Application Security Platform is designed to be instantly on and easy to use so that you can get started in minutes. Veracode's services and support team can get you going quickly and make sure that you are on track to build application security into your process.
Getting started with Veracode Azure DevOps
Using the Veracode Azure DevOps Extension
The Veracode Azure DevOps and Team Foundation Server (TFS) extension enables you to upload your code to Veracode for scanning.
To use the Veracode Azure DevOps and TFS extension, you must have the following installed:
- TFS extension:
  - TFS 2018 or later
  - Java Runtime Environment 1.8 or Java 11
  - VSO Agent 2.196.2 or later
- Azure DevOps:
  - An Azure DevOps subscription with sufficient build time
- Supported browsers:
  - Chrome 54 or later
  - Firefox 49 or later
Installing the Azure DevOps Extension
To install the Azure DevOps extension:
- Go to https://marketplace.visualstudio.com/items?itemName=veracode.veracode-vsts-build-extension.
- In your project, go to the Build tab and navigate to your build definition. Select Add build step....
- Find the Veracode Upload and Scan build step in the list and click Add.
- In the Upload and Scan window on the right, provide the following information:
  - Connection details: Choose to connect to Veracode using an endpoint (a service connection) or your Veracode credentials. If connecting using an endpoint, you can use an existing endpoint name or create a new endpoint. Prefer an endpoint where you can: the API credentials are then stored once, as a secret in the project, instead of being entered into each build definition.
  - Veracode Scan Settings: Enter the application name, a unique scan name, and the file path of the artifact that you want to upload to Veracode.
  - Advanced Scan Settings: If applicable, enter a sandbox name if you are using a developer sandbox, any additional arguments, and a check status interval (in seconds). If your application does not yet have a profile in the Veracode Platform, select the Create Application Profile checkbox and Veracode creates one for you.
  - Veracode Scan Results: Select the checkbox if you want to import the scan results; if you do, you can also opt to stop the build if the application fails your security policy requirements.
Selecting either of these options keeps the assigned build agent reserved for this scan, polling at the check status interval until the scan results are complete and available. If you select neither option, the build agent is released to perform other tasks as soon as the binaries are uploaded to Veracode.
Note: Before you build your application, if you intend to use the Veracode Azure DevOps flaw import feature, you must configure additional build variables.
After the scan completes, the results of your scan are available in the Summary tab of your build.
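The same configuration expressed as a YAML pipeline step, for teams that define builds as code rather than through the classic build-definition UI described above. This is an added example, not from the original page or from Veracode: the task name `Veracode@3` and its input names follow the current version of the extension and are an assumption here (older extension versions used different task versions), and the service connection name `veracode-prod`, the publish step and the artifact path are placeholders to be replaced with your own.

```yaml
# Added example, not part of the original page. The Veracode@3 task and its
# input names are assumed from the current extension; 'veracode-prod', the
# publish step and the paths are placeholders.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Build and stage the binaries to upload. Only what lands in this
  # directory is scanned, so keep test fixtures and build tooling out of it.
  - task: DotNetCoreCLI@2
    displayName: 'Publish release binaries'
    inputs:
      command: 'publish'
      publishWebProjects: true
      arguments: '--configuration Release --output $(Build.ArtifactStagingDirectory)'
      zipAfterPublish: true

  # Upload and scan. Connection details come from a service connection
  # (an "endpoint"), so no API ID or key appears in this file or in logs.
  - task: Veracode@3
    displayName: 'Veracode Upload and Scan'
    inputs:
      ConnectionDetailsSelection: 'Endpoint'
      AnalysisService: 'veracode-prod'              # placeholder service connection name
      veracodeAppProfile: '$(System.TeamProject)'   # application name in the Veracode Platform
      version: '$(Build.BuildNumber)'               # unique scan name per build
      filepath: '$(Build.ArtifactStagingDirectory)'
      createProfile: false                          # true only for the first scan of a new app
      # Feature-branch builds scan into a developer sandbox named after the
      # branch, so work in progress does not affect the application's policy scan.
      sandboxName: '$(Build.SourceBranchName)'
      createSandBox: true
      # Both of the following make the agent wait for results (see the note above).
      importResults: true
      failBuildOnPolicyFail: true
      maximumWaitTime: '360'                        # assumed: minutes to wait for results
```

If agent time is the constraint, set `importResults` and `failBuildOnPolicyFail` to false so the agent is released right after the upload, and gate the release stage on the policy status instead of the build.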
Installing the TFS Extension
To install the TFS extension:
- Go to https://marketplace.visualstudio.com/items?itemName=veracode.veracode-vsts-build-extension.
- Click Download.
- Upload the downloaded extension to your TFS server as described for disconnected TFS installations at https://www.visualstudio.com/en-us/docs/marketplace/get-tfs-extensions#disconnected-tfs.