Use the the Azure DevOps extension to integrate Contrast with your deployment workflow. The following instructions guide you through the steps to set up and configure the extension for your Contrast instance.
Before You Start
Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If you lack the necessary privileges, you can request the extension for a project.
Setup and Configuration
Go to your Project Settings at the bottom of you side bar. You'll need to be part of the Project administration group or have enough permissions to alter the settings.
In the Pipelines section of the settings menu, select Service connections.
- Click over the + New Service connection button (shown in the image in the previous step), and select Contrast Server Connection.
- Complete all the fields with the required data. You can find the values for all the fields in the Contrast UI by going to the user menu > Your Account > Profile page.
Note: Your Contrast URL should not include /Contrast at the end; only the host is required.
Configuration for Release Gate
- Now that you have at least one service connection, enter on Edit mode for the release pipeline you wish to include the gate.
- Select a pre- or post-deployment condition.
- Enable the Gates section if you haven't already.
- Click on the + Add button to select the Verify application vulnerabilities option.
- Select a Service Connection from the Contrast Service Connection field. You can also click on the Manage option to go to the Service connections settings in your Project Settings.
- Select one of your applications from the Application dropdown. This enables more fields for configuring the gate.
- You can use the Allowed Status and Build Number fields to filter your results from Contrast. The values set in these fields will be validated against the conditions you configure in the following fields.
- Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your gate will fail.
Note: Remember that your gates evaluation settings affect all the gates on the current stage for the pre- or post-deployment conditions.