# Azure DevOps extension

Use the Azure DevOps extension to integrate Contrast with your deployment workflow. The following instructions guide you through the steps to set up and configure the extension for your Contrast instance.

Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If not, you can request the extension for a project.

## Install and configure the Azure DevOps extension

To install and configure the Azure DevOps extension:

1. Follow the Microsoft instructions to install the extension Contrast Integration.

2. Go to your Project Settings at the bottom of the sidebar. You'll need to be part of the Project administration group or have enough permissions to alter the settings.

3. In the Pipelines section of the settings menu, select Service connections.

4. Select New Service connection and then Contrast Server Connection.

5. Complete all the fields with required data from your personal keys.

### Note

Your Contrast URL should not include /Contrast at the end; only the host is required.

## Configure a task in the Azure DevOps extension

To configure a task in your Azure DevOps extension for a release or a build pipeline:

1. Select the pipeline where you want to add the task, then select Edit.

2. For release pipelines, select a stage for which you want to add the task.

4. Click on the + button next to your agentless job, and add the Contrast Assess - Application Vulnerability Detection task.

5. To choose a connection and application, select a Service Connection from the Contrast Service Connection menu. You can also select Manage to go to the Service connections settings in your Project Settings.

7. To configure the task, use the Allowed Status and Build Number fields to filter your results from Contrast. Leave them blank if you don't want to filter results. The values set in these fields will be validated against the conditions you configure in the following fields.

8. Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your task will fail.

For build pipelines only: If you want to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.

1. Select the job you want to prevent from executing.

2. In the Dependencies section, add the Agentless job.

### Note

You can only use this task for an agentless job.

## Configure a task as a YAML build pipeline

You can configure a task as a YAML build pipeline in your Azure DevOps extension. This task must run in the server pool (pool: server).

1. Enter Edit mode for the YAML build pipeline where you wish to add the task.

2. To create a server job, under the jobs list, add a new job that runs on the server pool. For example:

```yaml
jobs:
- job: verify_application
  pool: server
  steps:
```

3. To add the task, click under the steps list, then select Show assistant and search for "Contrast Assess".

4. Select the Contrast Assess - Application Vulnerability Detection task.

5. Select a Service Connection from the Contrast Service Connection menu. Alternatively, you can select Manage to go to the Service connections settings in your Project Settings.

Inputs for this task are as follows:

| Key | Description | Example Value |
| --- | --- | --- |
| ContrastService | (Required) The service connection to be used to connect to Contrast | Contrast Connection |
| Application | (Required) The application that will be used to evaluate the vulnerability conditions | a123745f-5857-45e4-a278-ddb5012e1996 |
| StatusFilter | (Optional) (Allowed Status) The vulnerability statuses that are included in the evaluation task. Delimited by `,` | Reported |
| AppVersionFilter | (Optional) (Build Number) The build number used to filter the vulnerability results | 0.0.1 |
| CriticalLimit | (Required) The maximum number of vulnerabilities for the critical severity | 0 |
| HighLimit | (Required) The maximum number of vulnerabilities for the high severity | 0 |
| MediumLimit | (Required) The maximum number of vulnerabilities for the medium severity | 0 |
| LowLimit | (Required) The maximum number of vulnerabilities for the low severity | 0 |
| NoteLimit | (Required) The maximum number of vulnerabilities for the note severity | 0 |

If you would like to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task. Add the dependsOn: property to the job you would like to prevent from executing.

In the following example, the agentless job that has the Contrast task is called verify_application.

```yaml
- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
```
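
The server job, the task inputs from the table, and the dependent job combined into one pipeline, as an added example that is not taken from the Contrast documentation. The task identifier is a placeholder (insert the real task through Show assistant), the `script` step is a stand-in, and the input values are the example values from the table.

```yaml
# Added example. The task identifier is a placeholder, not the extension's real task name.
jobs:
# Agentless job: the Contrast task must run in the server pool.
- job: verify_application
  pool: server
  steps:
  - task: '<contrast-task-id>@<version>'   # placeholder; add the task via Show assistant
    inputs:
      ContrastService: 'Contrast Connection'                # service connection name
      Application: 'a123745f-5857-45e4-a278-ddb5012e1996'   # example value from the table
      StatusFilter: 'Reported'     # optional; comma-delimited statuses, omit for no filter
      AppVersionFilter: '0.0.1'    # optional; build number, omit for no filter
      # A limit of 0 fails the task on any vulnerability of that severity.
      CriticalLimit: '0'
      HighLimit: '0'
      MediumLimit: '0'
      LowLimit: '0'
      NoteLimit: '0'

# Jobs have no implicit ordering. Without dependsOn, this job would run
# regardless of the Contrast result. With it, the default job condition
# runs the job only after verify_application succeeds.
- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
  - script: echo "build and publish steps go here"   # stand-in step
```

Every job that builds, publishes, or deploys needs its own `dependsOn` entry (directly or through another gated job); a job left without one is not blocked by a failed Contrast check.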

## Add a release gate to a pipeline in Azure DevOps

Release gates offer a safeguard to prevent deployment to environments if vulnerabilities for a given application exceed a certain threshold. To add a release gate with the Azure DevOps extension:

1. Find the release pipeline where you want to add the gate and select Edit.

2. Choose the stage and deployment conditions for the gate. They can either be pre-conditions or post-conditions. You can add multiple gates to the same conditions.

3. Under Gates, enable the gate you created.

4. Select Add and then Contrast Assess - Application Vulnerability Detection.

5. Select New next to the service connection drop-down menu to create a Contrast service connection. Fill in all the fields and select OK.

Select Refresh list, then select your newly created connection.

6. Click over the field or select Refresh to see a list of applications. Select the one that is most appropriate to the release pipeline.

7. If you want, you can select which vulnerability status or build numbers will be used for filtering when retrieving the data for the gate evaluation.

8. Set the maximum number of vulnerabilities allowed per severity. If any validations fail when your pipeline reaches this gate, the pipeline will keep requesting samples until it becomes valid, or until the evaluation times out.

Microsoft Documentation offers more information on how to define a gate for a stage and how to configure a gate.

### Tip

You can customize Evaluation options to configure the time between re-evaluations of gates. For instance, you can set this value to 24 hours so that the gates are evaluated every day. This way you can remediate vulnerabilities and pass the required gate conditions without having to re-initiate the execution of the pipeline from the start (or obtain manual approvals if they exist).