MergeBase Scanner

MergeBase

MergeBase scans for vulnerable dependencies and licensing risks
Get 90 days free trial

MergeBase Vulnerability Scanner

MergeBase is a software composition analysis (SCA) extension that scans your applications within your Azure Pipeline jobs. Use MergeBase to help your development teams identify dangerous and insecure library versions early. Your results are displayed in your own web-based dashboard. If you don't have one yet, please create a MergeBase security dashboard for your organization first.

Features

  • Supports all your DevOps languages: JavaScript, Python, C#, Go, Ruby, Java, and more.
  • Lowest false positive rate in the industry: Don't waste time chasing false positives.
  • Sophisticated suppression management, so you can effectively pursue a zero-vuln strategy.
  • Microsoft Board integration and developer guidance to streamline your workflows.
  • Real-time notification when new vulnerabilities are uncovered in the industry, allowing you to respond to emerging threats immediately.
  • Analyses your open source licenses, enabling you to manage your legal risks.

This pipeline extension makes integrating MergeBase SCA into your Microsoft development environment a seamless experience.

MergeBase respects your IP. MergeBase analyses your project in place and will not upload your valuable intellectual property into the cloud.

In addition to analyzing your applications, please talk to us about run-time protection and container scanning.

Requirements

The MergeBase extension runs correctly "out-of-the-box" (without any additional downloads or configuration) on the following Microsoft-supplied Azure DevOps agent images:

  • Windows: vs2017-win2016, windows-2019, windows-2022, windows-latest
  • Linux: ubuntu-18.04, ubuntu-20.04, ubuntu-latest
  • Mac: macOS-10.14, macOS-10.15, macOS-11, macOS-latest

Requirements - Your Own Agents

When provisioning your own agent, please ensure the agent meets the following requirements:

  • Java: Version 1.8.0 (aka "Java 8") or newer.
  • Git: Any version.

Your own agent should also have the following build tools pre-installed (depending on the programming languages you intend to scan):

  • powershell (for scanning DotNet projects)
  • go (for scanning Go projects)
  • gradle (for scanning Java projects that use build.gradle)
  • maven (for scanning Java projects that use pom.xml)
  • mix (for scanning Elixir projects)
  • pipdeptree (for scanning Python projects)

Scans of PHP, Ruby, NPM, and Yarn projects do not require any additional build tools and work out-of-the-box.
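
A preflight check for a self-hosted agent, covering the Java, Git and build-tool requirements listed above. This is an added example, not MergeBase code: the function names, the `pwsh` fallback, and the manifest file names other than build.gradle and pom.xml are assumptions, and only the top level of the checkout is inspected.

```shell
#!/bin/sh
# Added example (not MergeBase code): preflight check for a self-hosted agent.

have() { command -v "$1" >/dev/null 2>&1; }

# Succeeds if a version string from `java -version` is 1.8.0 or newer.
java_version_ok() {
  case "$1" in
    1.*) jv_major=${1#1.}; jv_major=${jv_major%%.*} ;;  # legacy: 1.8.0_292 -> 8
    *)   jv_major=${1%%[.+-]*} ;;                       # modern: 17.0.9 -> 17
  esac
  case "$jv_major" in ''|*[!0-9]*) return 1 ;; esac
  [ "$jv_major" -ge 8 ]
}

# Prints the build-tool commands a project needs, one per line.
# Only build.gradle and pom.xml are named on the page; the other
# manifest names are assumptions.
required_tools() {
  ls "$1"/*.csproj >/dev/null 2>&1 && echo powershell
  [ -f "$1/go.mod" ] && echo go
  [ -f "$1/build.gradle" ] && echo gradle
  [ -f "$1/pom.xml" ] && echo mvn
  [ -f "$1/mix.exs" ] && echo mix
  [ -f "$1/requirements.txt" ] && echo pipdeptree
  return 0
}

# Prints every unmet requirement; succeeds only when none are missing.
preflight() {
  pf_missing=""
  have git || pf_missing="$pf_missing git"
  pf_jv=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  java_version_ok "$pf_jv" || pf_missing="$pf_missing java>=1.8.0"
  for pf_tool in $(required_tools "$1"); do
    have "$pf_tool" || { [ "$pf_tool" = powershell ] && have pwsh; } ||
      pf_missing="$pf_missing $pf_tool"
  done
  [ -z "$pf_missing" ] && return 0
  echo "missing:$pf_missing" >&2
  return 1
}

# Run as: sh preflight.sh /path/to/checkout
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Running it as an early pipeline step on the agent makes a missing tool fail the job before the scan step starts.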
