SAST Integration with Azure DevOps

Security Program 360’s (SP360) Static Application Security Testing (SAST) enables continuous code inspection by scanning source code and identifying potential security vulnerabilities, bugs, and best practice violations. SP360’s SAST functionality integrates with your existing workflow and enables continuous code inspection to ensure code quality and security integrity prior to deployment to customer accessible environments. This makes SP360’s SAST functionality an integral part of a continuous integration regime.

This document describes the process of integrating SP360’s SAST with Azure DevOps repositories.

To integrate SP360’s SAST and scan the source code of an application and its components stored in the Azure DevOps repository, you need to follow the steps below:

Step 1: Log into SP360 and click on the SAST option in the navigation menu on the left side.

Step 2: Click on the Azure DevOps icon at the top right.

Note:

Clicking on the Azure DevOps icon results in one of the following scenarios:

    ● If you are not logged into Azure DevOps, the Microsoft Azure DevOps login page shown in Step 3 is displayed.
    ● If you successfully log in to Azure DevOps but have never authorized the SP360 application, the Microsoft Azure DevOps authorization page shown in Step 4 is displayed.
    ● If you are logged in to Azure DevOps and have previously authorized access for SP360, the page shown in Step 5 is displayed.


Step 3: Sign in to your respective Microsoft Azure DevOps account.

Step 4: The Microsoft Azure DevOps page requires you to accept the authorization request for the SP360 application.


Step 5: After clicking Accept, an SP360 page is displayed. Select the desired Workspace.

Note:

In Azure DevOps, repositories are grouped under workspaces; you can create multiple workspaces in bitbucket and add numerous repositories to each of them. Because of this structure, you will see a drop-down next to both Workspace and Repository.


Step 6: After selecting a Workspace, a pop-up message indicates that the connection has been successfully updated.

Step 7: The repositories available in the chosen Workspace are displayed. Select the Repository to add for periodic scanning. After selecting a Repository from the drop-down, a pop-up message indicates that the connection has been successfully updated.

Step 8: A repository may have one or more Branches. Selecting a branch limits the scanning to that branch. Omitting a branch results in the entire repository being scanned.

Step 9: A pop-up message indicates that the connection has been successfully updated.

Once the connection to the repository has been established, the repository is scanned. This progression is reflected by a series of changes in the repository status, from “Connecting” through “Connected”, “Scheduled”, “Scanning” and “Synced” to “Scanned”. Once completed, the date and time of the scan are displayed. After the scan is completed, the vulnerabilities, bugs, and unsatisfied best practices found in the source code can be explored. For more information on the Status Flow Diagram, click here

Supported Actions Once Repository is Connected

Each connected Repository has four available action buttons, indicated by the icons on the right side of each line. For more information, click here