Contrast Integration

Features

• Service connection
• Pipeline Task
• Release Gate

Service connection

Here you can specify your Contrast URL and credentials so our tasks are able to retrieve information from Contrast.

Pipeline Task

The task can be used to verify if an application has vulnerabilities.

Note: This task can only be used in an agentless job

Step one - Enter Edit mode

The task can be used in a Build or Release pipeline

Release Pipeline

• Enter Edit mode for the release pipeline you wish to add the task.
• Select a stage for which you wish to add the task

Build Pipeline

• Enter Edit mode for the build pipeline you wish to add the task.

Step two - add the task

• Now that you are in edit mode for a Release Pipeline or Build Pipeline, click on the ellipsis (...) menu and add an agentless job.

• Click on the + button next to you agentless job and add the Contrast Assess - Application Vulnerability Detection task.

Step three - choose connection and application

• Select a Service Connection from the Contrast Service Connection field. You can also click on the Manage option to go to the Service connections settings in your Project Settings.
• Select one of your applications from the Application dropdown. This enables more fields for configuring the task.

Step four - configure the task

• You can use the Allowed Status and Build Number fields to filter your results from Contrast, leave them blank if you don't want to filter. The values set in these fields will be validated against the conditions you configure in the following fields.

• Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your task will fail.

Step five - set job dependency

For Build Pipelines - If you would like to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.

• Select the job you want to prevent from executing.
• In the Dependencies section, add the agentless job.

Release Gate

Adding a new gate

1. Enter Edit mode for the release pipeline you wish to add the gate to.

2. Choose the stage and deployment conditions to which you'll be adding the gate, either pre or post conditions. You may later add more gates of the same type to the same stage or deployment conditions.

3. Go to the Gates section and enable them if you haven't already.

4. Click on + Add text and select Verify application vulnerabilities. Now you are ready to configure the gate.

Gate Configuration

1. You should have created a Contrast service connection first, if you don't have yet you can click on the New button next to the Service Connection dropdown. Fill all the fields with the correct data and click on Ok. Click on the refresh list next to the dropdown button and select your newly created connection.

2. Proceed to load the applications list either by clicking over the field or the refresh button next to it and select the application to which this artifact belongs.

3. You may choose to be more specific with the severity counters by selecting which vulnerability status or build numbers will be used for filtering when retrieving the data for the gate evaluation.

4. Now set the maximum amount of vulnerabilities per severity. Do mind that whenever your pipeline reaches this gate if one or all the validations fail your pipeline will keep requesting for samples until it is valid or the evaluation timeout is reached.

You may look for more info on Microsoft Docs Site on articles related to gates like Define a gate for a stage or Configure a gate.

For more information, visit the Contrast OpenDocs Project