Skip to main content

Integrate Azure DevOps Pipelines with Scan local engine

The Azure DevOps Pipelines plugin enables secure, offline static application security testing (SAST) directly within Azure DevOps pipelines. It lets teams run scans locally without sending source code outside the build environment. This plugin automates the scanning process, generates SARIF-compliant results, enforces customizable security thresholds, and ensures vulnerabilities are identified early in the development lifecycle—all while maintaining full control over the source code.

Features

  • Enables early detection of security issues by running static scans during the development pipeline.

  • Seamless integration with existing Azure DevOps projects and repositories. You can add the task to both build and release pipelines.

  • Locally executes SAST scans on source code from the default branch, ensuring source code stays within the build environment.

  • Automatic scanner download from Contrast during pipeline execution.

  • Uploads Scan results to Contrast, allowing centralized visibility and remediation tracking.

    The upload contains all the vulnerability details that are included in the scan SARIF file, such as

    • Information about the scanner that Contrast uses

    • Data on what was scanned and the scan composition

    • Data on vulnerability findings

    • Errors or notifications that are handled gracefully during the scan

    • Scan coverage data.

  • Customizable vulnerability validation: Enforces configurable validation logic with pipeline pass/fail gating based on scan results.

  • Supports new validation and severity validation modes:

    • New validation: Validates only newly introduced vulnerabilities by comparing the current scan against the baseline scan. The pipeline fails if any new issues are detected, regardless of their severity level. This method requires a previous scan to be available for comparison.

    • Severity validation: Lets users define a severity threshold (for example, Medium). The scan checks for all vulnerabilities that match or exceed the selected level. For example, a threshold of Medium includes Medium, High, and Critical. If the scan finds any vulnerabilities at or above the chosen level, the pipeline will fail.

  • Generates SARIF output and automatically uploads it as a pipeline artifact in the build pipeline.

  • Provides immediate visibility into detected vulnerabilities, with detailed insights available in the Contrast web interface for remediation.

Before you begin

  • Supported operating systems:

    • Windows (latest)

    • Ubuntu (latest)

    • Mac OS (latest)

Install the ADO plugin for Contrast Scan

  1. Log in to the Azure website.

    You are redirected to the Azure portal.

  2. Select Create new organization and follow the setup instructions.

    You could also select an existing organization.

  3. Select the organization to open the Azure DevOps portal.

  4. Install the extension (Extension - Public)

    1. Go to Visual Studio Marketplace Publisher Management.

    2. Search for Contrast and select the Contrast ADO Pipeline Integration extension and select Get it free.

    3. Install it in your organization.

Scan local engine build pipeline workflow

  1. In the Azure DevOps portal, clone the project into the Azure repository.

  2. Select Repos, Files in the left panel.

  3. Under Import a Repository, select Import.

  4. Enter the clone URL and select import

  5. Create a branch:

    1. Select Branches and then, select New Branch.

    2. Enter a new branch name that uses a format such as: feature/scan-local-with-sast and select Create.

      Using feature/ puts all of your feature branches in a single folder. Grouping all the Contrast items together can be useful. For example, you could use this branch name: contrast/scan-local-with-sast.

  6. Create a service connection for the Contrast connection service:

    1. Go to Project Settings > Service connections > New service connection.

    2. Select Contrast from the list of new services and then, select Next.

    3. Enter the required information from the Contrast web interface and enable or disable logging as needed.

      To find the Service key and the API key, in the Contrast web interface, under the user menu, select Organization settings > Agent keys, select a key and then, select Legacy agent keys.

      If you enable logging, when the pipeline executes, the task result is captured and stored in a log file. The log file is stored as a pipeline artifact. These artifacts are stored separately from the console logs.

  7. Create the new build pipeline:

    1. Select the Azure Repos Git where the code is available.

    2. Select the project created, then select Starter pipeline.

  8. Select Show assistant in the right top corner.

  9. Search for Contrast Local Scanner in the task list and enter all necessary details.

    ADOSastYAML.png

  10. Select Add to ensure the task is properly created for a local scan. The YAML file should look similar to this example:

    After you create the task, if there are any commits to the branch, the build is automatically triggered. After the job is successful, the console logs of the task look like this example:

    ADOSastLog.png

    The log contains these details:

    • Pipeline ID

    • Pipeline name

    • Pull request ID

    • Source branch name

    • Contrast service connection ID

    • Pipeline build number

    • Pipeline type (build or release)

    • Scanner download status

    • Scanner unzip status

    • Scanner execution status

    • Error messages: If the build pipeline fails, a link to the Scan overview page in the Contrast user interface is provided for the parent and development branches.

Scan local engine release pipeline workflow

  1. In the Azure DevOps portal, select Releases in the left panel.

  2. Select New pipeline.

  3. Create an artifact:

    1. Select Add an artifact and then, select the Azure Repo,

    2. Select the project on which the pipeline should run and select the branch.

    3. Select Add.

  4. To trigger the pipeline based on the changes in the code, select the Lightening bolt icon (icon-AzureLighteningBolt.png) and enable Continuous deployment trigger.

  5. Create the stages:

    1. Select Add and then, select Empty job.

    2. Enter the stage name and select Save.

  6. Configure the hosted agent before adding the task:

    1. In the selected stage, go to the Tasks tab.

    2. Select Agent job.

    3. Under Agent selection:

      1. Set the Agent pool to Azure Pipelines.

      2. Set the Agent specification to one of the following based on your requirements and select Save:

        • ubuntu-latest

        • macos-latest

        • windows-latest

  7. Add the Contrast Local Scanner task to the stage:

    1. Select the Tasks tab.

    2. Select the Add icon (icon-add.svg )next to the Agent job.

    3. In the search bar, enter Contrast Local Scanner.

    4. From the search results, select Add to include the task in the stage.

    5. Select the Contrast Service Connection, enter details in the required fields and select Save.

    If there are any commits to the branch, the pipeline is triggered and provides the result as shown in in this example:

    ADOSastReleasePipelineResult.png

  8. View logs by hovering over the stage and select the hover on the stage and select the Logs icon.

Finding ADO logs for the Scan local engine

  1. In the DevOps portal, go to your project.

  2. Select Pipelines > Releases.

  3. Open the specific release for which you want to find the log files

  4. Hover on the stage and select Logs.

  5. Select Download all logs.

Note

You cannot download the results.sarif.json file (scan results) from the release pipeline.

In this section: