Azure Pipelines extension

Use the Azure Pipelines extension to integrate Contrast with your deployment workflow. The following instructions guide you through the steps to set up and configure the extension for your Contrast instance.

Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If you don't, you can request the extension for a project.

Install and configure the Azure Pipelines extension

To install and configure the Azure Pipelines extension:

  1. Follow the Microsoft instructions to install the extension Contrast Integration.

  2. Go to your Project Settings at the bottom of the sidebar. You need to be a member of the Project administration group, or have sufficient permissions to alter the settings.

  3. In the Pipelines section of the settings menu, select Service connections.

  4. Select New Service connection and then Contrast Server Connection.

  5. Complete all the fields with the required data from your personal keys.

Note

Your Contrast URL should not include /Contrast at the end; only the host is required.

Configure a task in the Azure Pipelines extension

To configure a task in your Azure Pipelines extension for a release or a build pipeline:

  1. Select the pipeline where you want to add the task then select Edit.

  2. For release pipelines, select a stage for which you want to add the task.

  3. To add the task, click the ellipsis (...) menu and select Add an agentless job.

  4. Click on the + button next to your agentless job, and add the Contrast Assess - Application Vulnerability Detection task.

  5. To choose a connection and application, select a Service Connection from the Contrast Service Connection menu. You can also select Manage to go to the Service connections settings in your Project Settings.

  6. Select one of your applications from the Application menu.

  7. To configure the task, use the Allowed Status and Build Number fields to filter the results retrieved from Contrast. Leave them blank if you don't want to filter results. Only the results that pass these filters are counted and validated against the conditions you configure in the following fields.

  8. Proceed to the severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for any severity level, the task fails.

For build pipelines only: If you want to prevent a job from executing when the Contrast task fails, you must make that job depend on the agentless job that includes the Contrast task.

  1. Select the job you want to prevent from executing.

  2. In the Dependencies section, add the Agentless job.

Note

You can only use this task for an agentless job.

Add a release gate to a pipeline in Azure Pipelines

Release gates offer a safeguard to prevent deployment to environments if vulnerabilities for a given application exceed a certain threshold. To add a release gate with the Azure Pipelines extension:

  1. Find the release pipeline where you want to add the gate and select Edit.

  2. Choose the stage and the deployment conditions (pre-deployment or post-deployment) for the gate. You can add multiple gates to the same conditions.

  3. Under Gates, enable the gate you created.

  4. Select Add and then Contrast Assess - Application Vulnerability Detection.

  5. Select New next to the service connection drop-down menu to create a Contrast service connection. Fill in all the fields and select OK.

    Select Refresh list, then select your newly created connection.

  6. Click the field or select Refresh to see a list of applications. Select the one that is most appropriate for the release pipeline.

  7. Optionally, select which vulnerability statuses or build numbers are used to filter the data retrieved for the gate evaluation.

  8. Set the maximum number of vulnerabilities allowed per severity. If any validation fails when your pipeline reaches this gate, the gate keeps requesting new samples until the conditions are met, or until the evaluation times out.

    Microsoft Documentation offers more information on how to define a gate for a stage and how to configure a gate.
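The two evaluation behaviours described above (the build task, which fails once if a severity count exceeds its maximum, and the release gate, which keeps sampling until the thresholds are met or the evaluation times out) are illustrated by the following added example. It is not part of the Contrast extension or the Contrast API; it models the logic locally on constructed data. The severity names, status names, the use of application version tags as "build numbers", the strict "more than allowed fails" rule, and the simulated clock are all assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Severity = str  # assumed names: CRITICAL, HIGH, MEDIUM, LOW, NOTE


@dataclass(frozen=True)
class Vulnerability:
    severity: Severity
    status: str                     # assumed status names, e.g. "Reported", "Remediated"
    app_version_tags: Tuple[str, ...]  # build numbers in which the finding was observed


def filter_findings(findings: Iterable[Vulnerability],
                    allowed_statuses: Optional[Set[str]] = None,
                    build_numbers: Optional[Set[str]] = None) -> List[Vulnerability]:
    """Apply the optional Allowed Status and Build Number filters.

    An empty/None filter means "no filtering", mirroring a blank field in the task.
    """
    kept = []
    for f in findings:
        if allowed_statuses and f.status not in allowed_statuses:
            continue
        if build_numbers and not set(f.app_version_tags) & build_numbers:
            continue
        kept.append(f)
    return kept


def evaluate_thresholds(findings: Iterable[Vulnerability],
                        max_per_severity: Dict[Severity, int]):
    """Count findings per severity and compare with the configured maximums.

    Returns (passed, counts, violations); a severity violates when its count is
    strictly greater than the maximum allowed (assumed semantics).
    """
    counts = Counter(f.severity for f in findings)
    violations = {sev: (counts[sev], limit)
                  for sev, limit in max_per_severity.items() if counts[sev] > limit}
    return (not violations, dict(counts), violations)


def evaluate_build_task(findings, allowed_statuses, build_numbers, max_per_severity):
    """Build-task behaviour: a single evaluation; the task fails on any violation."""
    passed, _, violations = evaluate_thresholds(
        filter_findings(findings, allowed_statuses, build_numbers), max_per_severity)
    return passed, violations


def run_release_gate(snapshot: Callable[[int], List[Vulnerability]],
                     max_per_severity: Dict[Severity, int],
                     sampling_interval_min: int, timeout_min: int,
                     allowed_statuses=None, build_numbers=None) -> Tuple[bool, int]:
    """Release-gate behaviour: re-sample every interval until valid or timed out.

    `snapshot(elapsed)` stands in for a query to the server at that simulated time.
    Returns (succeeded, minutes elapsed when the gate succeeded or timed out).
    """
    elapsed = 0
    while elapsed <= timeout_min:
        findings = filter_findings(snapshot(elapsed), allowed_statuses, build_numbers)
        passed, _, _ = evaluate_thresholds(findings, max_per_severity)
        if passed:
            return True, elapsed
        elapsed += sampling_interval_min
    return False, timeout_min


# Constructed sample data (not real findings).
SAMPLE_FINDINGS = [
    Vulnerability("CRITICAL", "Reported", ("build-41", "build-42")),
    Vulnerability("HIGH", "Confirmed", ("build-42",)),
    Vulnerability("HIGH", "Not a problem", ("build-42",)),
    Vulnerability("MEDIUM", "Reported", ("build-42",)),
    Vulnerability("MEDIUM", "Remediated", ("build-40",)),
    Vulnerability("LOW", "Reported", ("build-42",)),
]
OPEN_STATUSES = {"Reported", "Confirmed", "Suspicious"}
LIMITS = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 5, "LOW": 10, "NOTE": 10}


def findings_after_fix(elapsed_min: int) -> List[Vulnerability]:
    """Constructed snapshot: the critical finding is remediated 20 minutes in."""
    if elapsed_min < 20:
        return SAMPLE_FINDINGS
    fixed = Vulnerability("CRITICAL", "Remediated", ("build-41", "build-42"))
    return [fixed] + SAMPLE_FINDINGS[1:]


if __name__ == "__main__":
    print(evaluate_build_task(SAMPLE_FINDINGS, None, None, LIMITS))
    print(evaluate_build_task(SAMPLE_FINDINGS, OPEN_STATUSES, {"build-42"}, LIMITS))
    print(run_release_gate(findings_after_fix, LIMITS, 10, 60, OPEN_STATUSES))
```

Without filters the build task fails on both the critical and the high counts; restricting the status filter to open findings drops the "Not a problem" high finding so only the critical remains over its limit. The gate run shows why a longer evaluation window matters: with a 10 minute sampling interval and a 60 minute timeout it succeeds at the third sample, once the critical finding is remediated, whereas a 15 minute timeout gives up before that.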

Tip

You can customize the Evaluation options to configure the time between re-evaluations of the gate. For instance, you can set this value to 24 hours so that the gate evaluates once a day. This way you can remediate vulnerabilities and pass the required gate conditions without having to restart the execution of the pipeline from the beginning (or obtain manual approvals again, if any are configured).