Add a release gate to a pipeline in Azure DevOps

Release gates offer a safeguard to prevent deployment to environments if vulnerabilities for a given application exceed a certain threshold. With the Azure DevOps extension, you can add a release gate:

  1. Find the release pipeline where you want to add the gate and select Edit.

  2. Choose the stage and deployment conditions for the gate. They can either be pre-conditions or post-conditions. You can add multiple gates to the same conditions.

  3. Under Gates, enable the gate you created.

  4. Select + Add and then Contrast Assess - Application Vulnerability Detection.

  5. Select New next to the service connection drop-down menu to create a Contrast service connection. Fill in all the fields and select OK.

    Select Refresh list, then select your newly created connection.

  6. Click the field or the Refresh button to see a list of applications. Select the one that is most appropriate to the release pipeline.

  7. Optionally, you can select which vulnerability status or build numbers will be used for filtering when retrieving the data for the gate evaluation.

  8. Set the maximum number of vulnerabilities allowed per severity. If any validations fail when your pipeline reaches this gate, the pipeline will keep requesting samples until it becomes valid, or until the evaluation times out.

    Microsoft Documentation offers more information on how to define a gate for a stage and how to configure a gate.

Tip

You can customize Evaluation options to configure the time between re-evaluations of the gates. For instance, you can set this value to 24 hours so that the gates are evaluated every day. This way you can remediate vulnerabilities and pass the required gate conditions without having to re-initiate the execution of the pipeline from the start (or obtain manual approvals if they exist).
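The filtering in step 7, the per-severity maximums in step 8 and the re-evaluation interval from the tip can be modeled offline to sanity-check thresholds before you set them on a gate. This is an added example, not code from the Contrast extension or Azure DevOps; the field names, severity and status values, and the `evaluate_sample` and `run_gate` helpers are assumptions made for illustration.

```python
from collections import Counter

# Constructed findings; field names, severities and statuses are assumptions.
SAMPLE_T0 = [
    {"severity": "critical", "status": "Reported", "build": "1.4.0"},
    {"severity": "high", "status": "Confirmed", "build": "1.4.0"},
    {"severity": "high", "status": "Remediated", "build": "1.4.0"},
    {"severity": "medium", "status": "Reported", "build": "1.3.9"},
]
# Constructed later sample: the critical finding has been remediated.
SAMPLE_T1 = [
    dict(v, status="Remediated") if v["severity"] == "critical" else v
    for v in SAMPLE_T0
]
MAX_ALLOWED = {"critical": 0, "high": 1, "medium": 5}  # step 8 thresholds
OPEN = {"Reported", "Confirmed"}                       # step 7 status filter


def evaluate_sample(vulns, max_allowed, statuses=None, builds=None):
    """Evaluate one sample; return (passed, {severity: (count, maximum)}).

    None means "no filter". A severity with no configured maximum is
    treated as allowing zero findings (fail closed, an assumption here).
    """
    counts = Counter(
        v["severity"] for v in vulns
        if (statuses is None or v["status"] in statuses)
        and (builds is None or v["build"] in builds)
    )
    violations = {
        sev: (n, max_allowed.get(sev, 0))
        for sev, n in counts.items() if n > max_allowed.get(sev, 0)
    }
    return not violations, violations


def run_gate(samples, max_allowed, interval_h, timeout_h, **filters):
    """Sample every interval_h hours until one passes or timeout_h elapses."""
    elapsed, violations = 0, {}
    for vulns in samples:  # finite list standing in for successive queries
        if elapsed > timeout_h:
            break
        passed, violations = evaluate_sample(vulns, max_allowed, **filters)
        if passed:
            return {"result": "succeeded", "elapsed_h": elapsed, "violations": {}}
        elapsed += interval_h
    return {"result": "timed out", "elapsed_h": elapsed, "violations": violations}


if __name__ == "__main__":
    print(run_gate([SAMPLE_T0, SAMPLE_T1], MAX_ALLOWED, 24, 72, statuses=OPEN))
```

With a 24-hour interval, the constructed run fails the first sample on the critical finding and succeeds on the second, once that finding no longer matches the status filter.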