Azure DevOps Extension

Use the Azure DevOps extension to integrate Contrast with your deployment workflow. The following instructions guide you through the steps to set up and configure the extension for your Contrast instance.

Before You Start

Before you begin to set up the extension, make sure that you have the privileges to install a Microsoft extension. If you lack the necessary privileges, you can request the extension for a project.

Setup and Configuration

Complete the following steps to configure the Contrast extension.

Step one: Install the extension

Step two: Project settings

  • Go to your Project Settings at the bottom of your sidebar. You'll need to be part of the Project administration group or have enough permissions to alter the settings.

  • In the Pipelines section of the settings menu, select Service connections.

Step three: Configure the service connection

  • Click the + New Service connection button (shown in the image in the previous step), and select Contrast Server Connection.
  • Complete all the fields with the required data. You can find the values for all the fields in the Contrast UI by going to the user menu > Your Account > Profile page.

Note: Your Contrast URL should not include /Contrast at the end; only the host is required.

Setup and Configuration for a Task

Complete the following steps to configure a task in your Azure DevOps extension. This task can be used only in an agentless job.

Step one: Enter Edit mode

The task can be used in a release or build pipeline. Complete the appropriate steps for the pipeline you're using.

Release Pipeline

  • Enter Edit mode for the release pipeline to which you want to add the task by clicking the Edit button while the pipeline is selected.

  • Select a stage for which you want to add the task.

Build Pipeline

  • Enter Edit mode for the build pipeline to which you want to add the task by clicking the Edit button while the pipeline is selected.

Step two: Add the task

  • Now that you are in Edit mode for a release pipeline or build pipeline, click on the ellipsis (...) menu and select Add an agentless job.

  • Click on the + button next to your agentless job, and add the Contrast Assess - Application Vulnerability Detection task.

Step three: Choose a connection and application

  • Select a Service Connection from the Contrast Service Connection menu. You can also click on the Manage option to go to the Service connections settings in your Project Settings.
  • Select one of your applications from the Application menu.

Step four: Configure the task

  • Use the Allowed Status and Build Number fields to filter your results from Contrast, or leave them blank if you don't want to filter. The values set in these fields will be validated against the conditions you configure in the following fields.

  • Proceed to your severity counters, where you must set the maximum number of vulnerabilities allowed per severity. If your selected application has more vulnerabilities than allowed for that severity level, your task will fail.

Step five: Set job dependency

For build pipelines only: If you want to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.

  • Select the job you want to prevent from executing.
  • In the Dependencies section, add the Agentless job.

Setup and Configuration for a Task as a YAML Build Pipeline

Complete the following steps to configure a task as a YAML build pipeline in your Azure DevOps extension. This task must run in the server pool (pool: server).

Step one: Enter Edit mode

  • Enter Edit mode for the YAML build pipeline to which you wish to add the task.

Step two: Create a server job

  • Under the jobs list, add a new job that runs on the server pool.

Example:

jobs:
- job: verify_application
  pool: server
  steps:

Step three: Add the task

  • Click under the steps list, then click Show assistant and search for "Contrast Assess".
  • Click on the Contrast Assess - Application Vulnerability Detection task.
  • Select a Service Connection from the Contrast Service Connection menu. You can also click on the Manage option to go to the Service connections settings in your Project Settings.
  • Select one of your applications from the Application menu.

  • Click Add. This will add the task to the steps list.
  • Inputs for this task are as follows:

| Key | Description | Example Value |
| --- | --- | --- |
| ContrastService | (Required) The service connection used to connect to Contrast | 'Contrast Connection' |
| Application | (Required) The application that will be used to evaluate the vulnerability conditions | 'a123745f-5857-45e4-a278-ddb5012e1996' |
| StatusFilter | (Optional) (Allowed Status) The vulnerability statuses that are included in the evaluation task. Delimited by , | 'Reported' |
| AppVersionFilter | (Optional) (Build Number) The build number used to filter the vulnerability results | '0.0.1' |
| CriticalLimit | (Required) The maximum number of vulnerabilities for the critical severity | '0' |
| HighLimit | (Required) The maximum number of vulnerabilities for the high severity | '0' |
| MediumLimit | (Required) The maximum number of vulnerabilities for the medium severity | '0' |
| LowLimit | (Required) The maximum number of vulnerabilities for the low severity | '0' |
| NoteLimit | (Required) The maximum number of vulnerabilities for the note severity | '0' |

Step four: Set job dependency

If you would like to prevent the execution of a job if the task fails, you must set the job to depend on the agentless job that includes the Contrast task.

  • Add the dependsOn: property to the job you would like to prevent from executing.

Example: In this example, the agentless job that has the Contrast task is called verify_application.

- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
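
The server job, task inputs and job dependency from steps two to four, assembled into one pipeline file as an added example (not taken from the Contrast documentation). The task line is a placeholder, because the task's YAML name is not given on this page; the trigger, the non-zero limits and the script step are constructed for illustration.

```yaml
# Added example. Placeholders and constructed values are marked in comments.
trigger:
- main                      # constructed: branch name is an assumption

jobs:
# Agentless job: the Contrast task must run in the server pool.
- job: verify_application
  pool: server
  steps:
  # Placeholder: replace with the exact task line that Show assistant inserts.
  - task: <ContrastAssessTask>@<version>
    inputs:
      ContrastService: 'Contrast Connection'                # service connection name
      Application: 'a123745f-5857-45e4-a278-ddb5012e1996'   # example ID from the table
      StatusFilter: 'Reported'       # optional; comma-delimited list of statuses
      AppVersionFilter: '0.0.1'      # optional; build number to filter on
      # The task fails when the application has more vulnerabilities
      # than the limit set for a severity.
      CriticalLimit: '0'
      HighLimit: '0'
      MediumLimit: '5'               # constructed threshold
      LowLimit: '10'                 # constructed threshold
      NoteLimit: '20'                # constructed threshold

# Runs only after verify_application has succeeded.
- job: artifact
  dependsOn: verify_application
  pool:
    name: Azure Pipelines
    vmImage: 'ubuntu-latest'
  steps:
  # Constructed step standing in for the real build and publish work.
  - script: echo "Contrast check passed, building artifact"
    displayName: Build artifact
```

With the default job condition, artifact is skipped when verify_application fails. A custom condition such as always() on the dependent job would let it run despite a failed Contrast check, so review any condition set on jobs that depend on this one.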