Security Scan

Overview

Security Scan is a free commercial-grade security tool for modern DevOps teams. With an integrated multi-scanner based design, Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan. The product supports a range of integration options: from scanning every push via a git hook to scanning every build and pull-request in the CI/CD pipelines.

This extension allows you to view the various scan reports generated by the Security Scan tool. To learn how to integrate automated security scanning by integrating Security Scan in your pipeline, follow these docs. Currently, the following reports are available:

• Credentials Scan Report
• SAST Report
• Dependency Scan Report
• License Compliance Scan Report

Getting Started

• Simply add the following snippet to your build configuration YAML file (Usually azure-pipelines.yaml).

- script: |
	docker run \
  	-v "$(Build.SourcesDirectory):/app:cached" \
  	-v "$(Build.ArtifactStagingDirectory):/reports:cached" \
  	shiftleft/sast-scan scan --src /app \
  	--out_dir /reports/CodeAnalysisLogs
  displayName: "Perform Security Scan"
  continueOnError: "true"

- task: PublishBuildArtifacts@1
  displayName: "Publish analysis logs"
  inputs:
	PathtoPublish: "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs"
	ArtifactName: "CodeAnalysisLogs"
	publishLocation: "Container"

• Trigger a build as normal. & From the Pipelines page, select the most recent run. You should see a tab called Security Scan as shown below.

Screenshots

Scan Tab

Build Log Summary

Scan Report Tabs

Dependency Scan Report

License Scan Report

Highlighted Features

• Supported scans
  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit
  • License violation checks

• Languages supported
  • Salesforce Apex
  • bash
  • Go
  • Java
  • JSP
  • Node.js
  • Oracle PL/SQL
  • Python
  • Rust (Dependency and License scan alone)
  • Terraform
  • Salesforce Visualforce
  • Apache Velocity

Documentation

Please refer to https://slscan.io/en/latest/integrations/azure-devops-pipeline/ for documentation on using Security Scan in your pipelines.