MergeBase Vulnerability Scanner
MergeBase is an SCA extension (software composition analysis) that scans your applications within your Azure Pipeline jobs. Use MergeBase to help your development teams identify dangerous and insecure library versions early. Your results will be displayed in your own web based dashboard. Please create a MergeBase security dashboard for your organization first, if you don't have one yet.
This pipeline extension makes integrating MergeBase SCA into your Microsoft development environment a seamless experience.
MergeBase respects your IP. MergeBase analyses your project in place and will not upload your valuable intellectual property into the cloud.
In addition to analyzing your applications please talk to us about run-time protection and container scanning.
The MergeBase extension runs correctly "out-of-the-box" (without any additional downloads or configurations) for the following Microsoft supplied Azure Devops agent images:
Requirements - Your Own Agents
When provisioning your own agent please ensure the agent meets the following requirements:
Your own agent should also have the following build tools pre-installed (depending on the programming languages you intend to scan):
Scans of PHP, Ruby, NPM, and Yarn projects do not require any additional build tools and work out-of-the-box.