Cloudanix Security


cdx-test

Comprehensive security extension for code analysis, container scanning, and security event monitoring

Cloudanix Security Extension for Azure DevOps

This comprehensive extension provides security features for Azure DevOps, including code analysis, container image scanning, and event webhooks. It helps you identify and address security issues throughout your development lifecycle.

Features

Code Analysis

  • Analyze code in pull requests for security vulnerabilities
  • View detailed analysis results in a dedicated pull request tab
  • Configure severity thresholds and automatic analysis

Container Image Scanner

  • Scan Docker images for vulnerabilities in your pipelines
  • Fail builds when critical vulnerabilities are detected
  • Get detailed reports of found vulnerabilities

Service Hooks

  • Send Azure DevOps events to any API endpoint
  • Support for code push and pull request events
  • Simple configuration with just a URL

Getting Started

Installation

  1. Install the extension in your Azure DevOps organization
  2. Configure the extension settings by navigating to Project Settings > Code Analysis Settings
  3. Enter your API endpoint and API key

Using the Code Analysis

  1. Create or update a pull request
  2. Navigate to the "Code Analysis" tab in the pull request
  3. View the analysis results and address any security issues

Using the Container Image Scanner

  1. Add the task to your pipeline YAML:

     # Scan the image tagged with this build's ID
     - task: CloudanixImageScanner@1.0.0
       displayName: 'Scan Docker image for vulnerabilities'
       inputs:
         image: 'myapp:$(Build.BuildId)'
         # Token and identifier are read from the pipeline variables set in step 2
         authzToken: '$(CLOUDANIX_AUTHZ_TOKEN)'
         identifier: '$(CLOUDANIX_ACCOUNT_IDENTIFIER)'
         failOnVulnerabilities: true

  2. Set up the required pipeline variables:
    • CLOUDANIX_AUTHZ_TOKEN: Your Cloudanix authorization token
    • CLOUDANIX_ACCOUNT_IDENTIFIER: Your Cloudanix account identifier

Setting Up Service Hooks

  1. Go to Project Settings > Service Hooks
  2. Click on the "+" button to add a new service hook
  3. Select "Cloudanix Code Web Hook" from the list of services
  4. Configure the trigger (event) you want to subscribe to
  5. Configure the action with your API endpoint URL
  6. Test the connection and save

Supported Events

Code Push

Triggered when code is pushed to a repository. The payload includes details about the push, including the repository, commits, and the user who performed the push.

Pull Request Created

Triggered when a new pull request is created. The payload includes details about the pull request, including the source and target branches, title, description, and the user who created it.

Pull Request Updated

Triggered when an existing pull request is updated. This includes changes to the pull request title, description, or when new commits are pushed to the source branch.

Webhook Payload

The webhook sends the complete event payload as a JSON POST request to the specified URL. The payload structure varies depending on the event type, but generally includes:

  • Event type and ID
  • Repository information
  • Commit details (for push events)
  • Pull request details (for pull request events)
  • User information
  • Timestamps

Your API endpoint should be configured to accept JSON payloads and process them accordingly.
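
A receiving endpoint for the three events above could validate and normalize each delivery as follows. This is an added example, not code from the extension or from Cloudanix. It assumes the payload follows Azure DevOps' standard service-hook schema (the eventType strings and the resource field names); MAX_BODY, RejectedPayload, parse_event and SAMPLE_PUSH are hypothetical names.

```python
import json

MAX_BODY = 1_000_000  # assumed size cap, checked before any parsing
# Assumed event names and fields: Azure DevOps' standard service-hook schema.
PUSH = "git.push"
PR_EVENTS = ("git.pullrequest.created", "git.pullrequest.updated")

class RejectedPayload(ValueError):
    """A delivery that failed validation; answer it with a 4xx."""

def _field(obj, key):
    """Read key from obj only when obj is a JSON object."""
    return obj.get(key) if isinstance(obj, dict) else None

def parse_event(content_type: str, body: bytes) -> dict:
    """Validate one webhook delivery and return the fields worth logging."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise RejectedPayload("unsupported content type")
    if len(body) > MAX_BODY:
        raise RejectedPayload("body too large")
    try:
        event = json.loads(body)
    except ValueError as exc:  # bad JSON or bad text encoding
        raise RejectedPayload("malformed JSON") from exc
    res, etype = _field(event, "resource"), _field(event, "eventType")
    if not isinstance(res, dict):
        raise RejectedPayload("missing resource object")
    if etype != PUSH and etype not in PR_EVENTS:
        raise RejectedPayload("unhandled event type")
    out = {"id": event.get("id"), "type": etype, "time": event.get("createdDate"),
           "repo": _field(res.get("repository"), "name")}
    if etype == PUSH:
        commits = res.get("commits")
        commits = commits if isinstance(commits, list) else []
        out["user"] = _field(res.get("pushedBy"), "uniqueName")
        out["commits"] = [_field(c, "commitId") for c in commits]
    else:
        out["user"] = _field(res.get("createdBy"), "uniqueName")
        out["pr"] = res.get("pullRequestId")
        out["branches"] = (res.get("sourceRefName"), res.get("targetRefName"))
    return out

# Constructed sample delivery, not captured from a real organization.
SAMPLE_PUSH = json.dumps({
    "id": "evt-1", "eventType": PUSH, "createdDate": "2025-01-01T00:00:00Z",
    "resource": {"repository": {"name": "demo-repo"},
                 "pushedBy": {"uniqueName": "dev@example.com"},
                 "commits": [{"commitId": "abc123"}]}}).encode()
```

Because the hook is configured with only a URL, the receiver treats every field as untrusted input, which is why each lookup is type-checked before use.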

Configuration

Code Analysis Settings

  • API Endpoint: The URL of the Cloudanix API for code analysis
  • API Key: Your authentication key for the Cloudanix API
  • Enable Auto Analysis: Automatically analyze code when pull requests are created or updated
  • Severity Threshold: The minimum severity level to report (critical, major, minor)
  • Debug Mode: Enable additional logging for troubleshooting

Container Image Scanner Settings

  • Image: The Docker image to scan (e.g., ubuntu:24.10)
  • Authorization Token: API Authorization Token for Cloudanix
  • Account Identifier: Unique Identifier for your Cloudanix account
  • Fail on Vulnerabilities: Whether to fail the build if vulnerabilities are found
  • Debug Mode: Enable debug logging for troubleshooting

Service Hook Settings

  • URL: The URL of the API endpoint where the webhook payload will be sent. This must be a valid HTTP or HTTPS URL.

Code Analysis Results

The Code Analysis tab in pull requests provides detailed information about potential security issues in your code:

  • Summary: Overview of found issues by severity (critical, major, minor)
  • Issue List: Detailed list of all detected issues
  • Issue Details: For each issue:
    • Severity level
    • File path and line number
    • Description of the issue
    • Rule ID and explanation
    • Recommendations for fixing the issue

Container Scan Results

After running the container image scanner task, you'll get:

  • Vulnerability Summary: Total count of vulnerabilities by severity
  • Detailed Report: List of all detected vulnerabilities
  • Build Status: Pass/fail status based on your configuration
  • Output Variables: Access to vulnerability data for custom reporting

Privacy and Security

The Cloudanix extension:

  • Only sends necessary data to the Cloudanix API for analysis
  • Does not store your source code
  • Uses secure HTTPS connections for all API calls
  • Requires authentication for all operations

Support

For support or feature requests, please contact support@cloudanix.com.
