Azure Pipelines extension
Use the Azure Pipeline extension to integrate Contrast with your deployment workflow. The following instructions guide you through the steps to set up and configure the extension for your Contrast instance.
Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If not, you can request the extension for a project.
Install and configure the Azure Pipelines extension
Use these procedures to install the extensions and create a service connection.
Install the extension
Follow the Microsoft instructions to install the extension Contrast ADO Pipeline Integration.
Create a service connection
The Contrast Server Connection service connection lets Azure DevOps integrate with Contrast.
Go to your Project Settings at the bottom of the sidebar. You'll need to be part of the Project administration group or have enough permissions to alter the settings.
In the Pipelines section of the settings menu, select Service connections.
Select New Service connection and then Contrast Server Connection.
Complete all the fields with required data:
Contrast URL: The URL for your Contrast instance. Exclude /Contrast at the end; only the host name is required.
Contrast credentials: Copy these credentials from your personal keys under the user menu > User settings in the Contrast web interface:
Organization UUID (Organization ID)
Service Key
API Key
Contrast username: The user name you use to log in to Contrast.
Optionally, select the Logging option.
If enabled, logs are stored in the pipeline artifact, providing visibility into the task execution and Contrast API interactions.
Configure a task in the Azure Pipelines extension
Use this procedure to configure a release or build pipeline task.
Steps
Select the pipeline where you want to add the task then select Edit.
For release pipelines, select a stage for which you want to add the task.
To add the task, click the ellipsis (...) menu and select Add an agentless job.
Select the + button next to your agentless job, and add the Contrast Assess Security task.
To choose a connection and application, select a Service Connection from the Contrast Service Connection menu. You can also select Manage to go to the Service connections settings in your Project Settings.
Optionally, select a different vulnerability source. The default selection is Assess.
If you select Assess-Libraries as the Vulnerability source, Contrast counts the number of instances in which a vulnerable library is used, according to the specified severity criteria, not the number of libraries. For example, you could have 11 libraries with 45 vulnerable instances of those libraries.
Select one of your applications from the Application menu.
To configure the task, use the Allowed Status and Build Number fields to filter your results from Contrast. Leave them blank if you don't want to filter results. Only results matching these filters are evaluated against the conditions you configure in the following fields.
Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your task will fail.
For build pipelines only: If you want to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.
Select the job you want to prevent from executing.
In the Dependencies section, add the Agentless job.
Note
You can only use this task for an agentless job.
Add a release gate to a pipeline in Azure Pipelines
Release gates offer a safeguard to prevent deployment to environments if vulnerabilities for a given application exceed a certain threshold.
Before you begin
Microsoft Documentation offers more information on how to define a gate for a stage and how to configure a gate.
Optionally, create a Contrast Security service connection.
Add and configure a gate
Find the release pipeline where you want to add the gate and select Edit.
Choose the stage and deployment conditions for the gate. They can either be pre-conditions or post-conditions. You can add multiple gates to the same conditions.
Under Gates, enable the gate you created.
Select Add and then Verify application vulnerabilities.
Select your Contrast service connection.
If you haven't already created a service connection, select New next to the service connection dropdown to create the Contrast service connection. Fill in all the fields and select OK.
Select Refresh list, then select your newly created connection.
Hover over the field or select Refresh to see a list of applications. Select the one that is most appropriate to the release pipeline.
If you want, you can select which vulnerability status or build numbers will be used for filtering when retrieving the data for the gate evaluation.
Set the maximum number of vulnerabilities allowed per severity or the total threshold, based on a threshold definition of Split or Combined.
If any validations fail when your pipeline reaches this gate, the pipeline keeps requesting samples until the gate conditions pass, or until the evaluation times out.
Tip
You can customize Evaluation options to configure the time between the re-evaluation of gates. For instance, you can set this value to 24 hours so that the gates will evaluate every day. This way you can remediate vulnerabilities and pass the required gate conditions without having to re-initiate the execution of the pipeline from start (or obtain manual approvals if they exist).
Split threshold definition: If you set the threshold definition to Split, specify the maximum allowed vulnerabilities for each severity level. The evaluation compares each severity value against its defined threshold.
Combined threshold definition: If you set the threshold definition to Combined, specify the total allowed threshold for the sum of all severity levels. The evaluation compares the combined severity count against the defined total threshold.
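As an added illustration (not part of the Contrast extension's own code), the following Python models how the task's severity counters and the gate's Split or Combined threshold are evaluated: the Allowed Status and Build Number filters are applied first, the remaining findings are counted per severity, and the counts are compared with the thresholds. The sample findings, status names and build numbers are constructed for the example, and the severity names are assumed.

```python
# Added example: models the threshold evaluation described for the Contrast task
# and release gate. Sample findings, status names and build numbers are constructed,
# not real Contrast data; severity names are assumed.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Note")

SAMPLE_FINDINGS = [
    {"severity": "Critical", "status": "Reported", "build": "1.2.0"},
    {"severity": "High", "status": "Reported", "build": "1.2.0"},
    {"severity": "High", "status": "Fixed", "build": "1.1.0"},
    {"severity": "Medium", "status": "Reported", "build": "1.2.0"},
    {"severity": "Medium", "status": "Confirmed", "build": "1.2.0"},
    {"severity": "Low", "status": "Reported", "build": "1.2.0"},
    {"severity": "Note", "status": "Reported", "build": "1.0.0"},
]


def count_by_severity(findings, allowed_statuses=(), build_numbers=()):
    """Apply the Allowed Status and Build Number filters (an empty filter means
    'no filtering', as when the field is left blank), then count per severity."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        if allowed_statuses and f["status"] not in allowed_statuses:
            continue
        if build_numbers and f["build"] not in build_numbers:
            continue
        counts[f["severity"]] += 1
    return counts


def evaluate(counts, thresholds, definition="Split"):
    """Return (passed, failed_keys).
    Split: each severity count is compared with its own maximum.
    Combined: the sum of all severities is compared with thresholds['total']."""
    if definition == "Split":
        failed = [s for s in SEVERITIES if counts[s] > thresholds[s]]
    elif definition == "Combined":
        total = sum(counts[s] for s in SEVERITIES)
        failed = ["total"] if total > thresholds["total"] else []
    else:
        raise ValueError(f"unknown threshold definition: {definition}")
    return (not failed, failed)


if __name__ == "__main__":
    counts = count_by_severity(SAMPLE_FINDINGS, {"Reported", "Confirmed"}, {"1.2.0"})
    print(counts)
    print(evaluate(counts, {"Critical": 0, "High": 2, "Medium": 2, "Low": 5, "Note": 10}))
    print(evaluate(counts, {"total": 5}, "Combined"))
```

With the filters shown, the single Critical finding exceeds a Critical maximum of 0 and the Split evaluation fails, while the same five findings pass a Combined total of 5.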
Find logs for Azure Pipelines
When you turn on logging, pipeline task details are captured and stored as log files in the pipeline artifact.
Before you begin
Verify that the Logging option in the service connection is selected.
Steps
Run the pipeline task.
The log file with the task results is stored as a pipeline artifact.
Build pipelines: Locate the log file:
Go to Azure DevOps → Pipelines → Runs.
Select a pipeline run.
Go to Artifacts.
Select Logs.
Download the log file.
Release pipelines: Locate the log file:
Go to Azure DevOps → Pipelines → Releases.
Select a release.
Hover over the stage and select Logs.
Select Download all logs.