Azure Pipelines extension

Use the Azure Pipelines extension to integrate Contrast with your deployment workflow. The following instructions guide you through setting up and configuring the extension for your Contrast instance.

Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If not, you can request the extension for a project.

Install and configure the Azure Pipelines extension

To install and configure the Azure Pipelines extension:

  1. Follow the Microsoft instructions to install the extension Contrast Integration.

  2. Go to your Project Settings at the bottom of the sidebar. You'll need to be part of the Project administration group or have enough permissions to alter the settings.

  3. In the Pipelines section of the settings menu, select Service connections.

  4. Select New Service connection and then Contrast Server Connection.

  5. Complete all the fields with the required data from your personal keys.

Note

Your Contrast URL should not include /Contrast at the end; only the host is required.

Configure a task in the Azure Pipelines extension

To configure a task in your Azure Pipelines extension for a release or a build pipeline:

  1. Select the pipeline where you want to add the task then select Edit.

  2. For release pipelines, select a stage for which you want to add the task.

  3. To add the task, click the ellipsis (...) menu and select Add an agentless job.

  4. Click on the + button next to your agentless job, and add the Contrast Assess - Application Vulnerability Detection task.

  5. To choose a connection and application, select a Service Connection from the Contrast Service Connection menu. You can also select Manage to go to the Service connections settings in your Project Settings.

  6. Select one of your applications from the Application menu.

  7. To configure the task, use the Allowed Status and Build Number fields to filter your results from Contrast. Leave them blank if you don't want to filter results. The values set in these fields will be validated against the conditions you configure in the following fields.

  8. Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your task will fail.

For build pipelines only: If you want to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.

  1. Select the job you want to prevent from executing.

  2. In the Dependencies section, add the Agentless job.

Note

You can only use this task for an agentless job.

Configure a task as a YAML build pipeline

You can configure a task as a YAML build pipeline in your Azure Pipelines extension. This task must run in the server pool (pool: server).

  1. Enter Edit mode for the YAML build pipeline where you wish to add the task.

  2. To create a server job, under the jobs list, add a new job that runs on the server pool. For example:

    jobs:
    - job: verify_application
      pool: server
      steps:

  3. To add the task, click under the steps list, then select Show assistant and search for "Contrast Assess".

  4. Select the Contrast Assess - Application Vulnerability Detection task.

  5. Select a Service Connection from the Contrast Service Connection menu. Alternatively, you can select Manage to go to the Service connections settings in your Project Settings.

  6. Select one of your applications from the Application menu.

  7. Select Add. This adds the task to the steps list.

Inputs for this task are as follows:

Key: ContrastService
Description: (Required) The service connection used to connect to Contrast.
Example value: Contrast Connection

Key: Application
Description: (Required) The application whose vulnerabilities are evaluated against the configured conditions.
Example value: a123745f-5857-45e4-a278-ddb5012e1996

Key: StatusFilter
Description: (Optional) The Allowed Status field: the vulnerability statuses included in the evaluation, delimited by commas.
Example value: Reported

Key: AppVersionFilter
Description: (Optional) The Build Number field: the build number used to filter the vulnerability results.
Example value: 0.0.1

Key: CriticalLimit
Description: (Required) The maximum number of vulnerabilities allowed at critical severity.
Example value: 0

Key: HighLimit
Description: (Required) The maximum number of vulnerabilities allowed at high severity.
Example value: 0

Key: MediumLimit
Description: (Required) The maximum number of vulnerabilities allowed at medium severity.
Example value: 0

Key: LowLimit
Description: (Required) The maximum number of vulnerabilities allowed at low severity.
Example value: 0

Key: NoteLimit
Description: (Required) The maximum number of vulnerabilities allowed at note severity.
Example value: 0

If you would like to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task. Add the dependsOn: property to the job you would like to prevent from executing.

In the following example, the agentless job that has the Contrast task is called verify_application.

- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
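As an added example (not the page's own YAML), here is one complete build pipeline that combines the server job, the task inputs listed in the table and the dependsOn job above, so that no artifact is published for a build whose vulnerability counts exceed the limits. The task reference `<contrast-assess-task>@<version>` is a placeholder for whatever the Pipeline assistant inserts when you add the task; the connection name, the application ID (the table's example value), the use of `$(Build.BuildNumber)` as the build filter and the limit values are assumptions for illustration.

```yaml
# Added example, not from the Contrast documentation.
# <contrast-assess-task>@<version> is a placeholder: use the task reference
# that the Pipeline assistant inserts when you add the task.
trigger:
- main

jobs:
# The Contrast task can only run in an agentless (server) job.
- job: verify_application
  displayName: Verify application vulnerabilities in Contrast
  pool: server
  steps:
  - task: <contrast-assess-task>@<version>
    displayName: Contrast Assess - Application Vulnerability Detection
    inputs:
      # Name of the Contrast Server Connection created under Service connections
      ContrastService: 'Contrast Connection'
      # Application ID as shown in the Application menu (the table's example ID)
      Application: 'a123745f-5857-45e4-a278-ddb5012e1996'
      # Allowed statuses, comma-delimited; leave empty to evaluate every status
      StatusFilter: 'Reported'
      # Build number filter. Assumes the Contrast agent reports this pipeline's
      # build number as the application version; leave empty to skip filtering
      AppVersionFilter: '$(Build.BuildNumber)'
      # The job fails if the count for any severity exceeds its limit
      CriticalLimit: 0
      HighLimit: 0
      MediumLimit: 5
      LowLimit: 10
      NoteLimit: 20

# Runs on a hosted agent and, because of dependsOn, only after
# verify_application has succeeded; a failed Contrast check skips this job.
- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
  - task: PublishBuildArtifacts@1
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'drop'
```

Because a job with dependsOn runs only when its dependencies succeed, no extra condition is needed on the artifact job.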

Add a release gate to a pipeline in Azure Pipelines

Release gates offer a safeguard to prevent deployment to environments if vulnerabilities for a given application exceed a certain threshold. To add a release gate with the Azure Pipelines extension:

  1. Find the release pipeline where you want to add the gate and select Edit.

  2. Choose the stage and deployment conditions for the gate. They can either be pre-conditions or post-conditions. You can add multiple gates to the same conditions.

  3. Under Gates, enable the gate you created.

  4. Select Add and then Contrast Assess - Application Vulnerability Detection.

  5. Select New next to the service connection drop-down menu to create a Contrast service connection. Fill in all the fields and select OK.

    Select Refresh list, then select your newly created connection.

  6. Click the field or select Refresh to see a list of applications. Select the one that is most appropriate to the release pipeline.

  7. If you want, you can select which vulnerability status or build numbers will be used for filtering when retrieving the data for the gate evaluation.

  8. Set the maximum number of vulnerabilities allowed per severity. If any validations fail when your pipeline reaches this gate, the pipeline will keep requesting samples until the gate becomes valid, or until the evaluation times out.

    Microsoft Documentation offers more information on how to define a gate for a stage and how to configure a gate.

Tip

You can customize Evaluation options to configure the time between re-evaluations of gates. For instance, you can set this value to 24 hours so that the gates evaluate every day. This way you can remediate vulnerabilities and pass the required gate conditions without having to re-initiate the execution of the pipeline from the start (or obtain any required manual approvals again).