A new Veracode Azure DevOps extension
Veracode is pleased to announce the general availability of our new Azure DevOps Workflow integration. This new integration provides our customers using Azure DevOps Services with easy-to-configure, event-driven security testing of their application and infrastructure code managed in their Azure DevOps Repos.
How does this differ from our previous Azure DevOps integrations?
In previous integrations, customers had to perform a number of different steps and then configure scanning for each individual pipeline. Our new integration dramatically simplifies integration with a single configuration file to enable Static Analysis, secret and IaC scanning, and Software Composition Analysis across an entire Azure DevOps Organization.
How does it work?
The Azure DevOps Workflow integration is installed from within the Veracode platform; all that is required is an access token and the name of the Azure DevOps organization.
Once the extension is installed, a new ‘Veracode’ repository is created, including a veracode.yml file containing a default configuration that can be easily altered to suit your requirements. Then, there are just a few more steps, including creating a key vault and granting access to the various components.
Scans are triggered by push and pull requests, as with our GitHub Workflow Integration. Requests to pull into a production branch can be assessed against a policy and blocked if the security findings do not pass.
The scan results can be seen in the output of the jobs that get triggered by the integration and (optionally) turned into Work Items in your Azure project Boards.
How can I get it?
Veracode Azure DevOps Workflow is available now and can be installed by following the documentation. No additional SKUs or entitlements from Veracode are required, but you will need to have Administrator or Security Lead roles assigned to your Veracode user account, an Azure subscription with the ability to create an Azure Key Vault, and the permissions to create Personal Access Tokens in Azure.
What languages and platforms can I use?
The Veracode Azure DevOps Workflow works with Azure DevOps Services (not Server) and will support the following languages for Static Analysis.
Conclusion
This new integration brings simplicity, security, and integration with your existing workflows to Azure DevOps. Developers get fast feedback and easy tracking, and DevSecOps gets ‘install-once-run-everywhere’ for their Azure DevOps organizations. We’d encourage you to try it out and let us know what you think – your Veracode team always wants to hear your feedback.
If you’re not (yet) a Veracode customer, why not contact us for a demo?