sast-scan integrates well with Azure Pipelines. This repo contains an example YAML pipeline that invokes sast-scan as a build step. The step is reproduced below for convenience.
```yaml
- script: |
    docker run -e "WORKSPACE=https://github.com/AppThreat/WebGoat/blob/$(Build.SourceVersion)" \
      -v "$(Build.SourcesDirectory):/app:cached" \
      -v "$(Build.ArtifactStagingDirectory):/reports:cached" \
      quay.io/appthreat/sast-scan scan --src /app \
      --out_dir /reports/CodeAnalysisLogs
  displayName: "Perform AppThreat Scan"
  continueOnError: "true"
```
This section is mostly common for all dev and CI environments.
Use the example pre-commit script provided under docs/pre-commit.sh to enable automatic sast-scan prior to commits.

```bash
cp docs/pre-commit.sh <git repo>/.git/hooks/pre-commit
```
This pre-commit hook performs both credential scanning and sast-scan. Any identified credential is displayed in plain text to enable remediation. sast-scan reports are stored under the `reports` directory, which can be added to .gitignore to prevent the reports from being committed unintentionally.
Include credscan along with the type parameter as shown to enable credential scanning for the branch on the CI. This feature is powered by gitleaks. Note that identified secrets are automatically REDACTED in CI environments to prevent leakage.
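The following is an added example of what a pre-commit hook along the lines described above can look like; it is not the project's docs/pre-commit.sh and is not code from the original page. It keeps the generated `reports` directory ignored and un-committable, and runs sast-scan through docker when docker is present. The image name comes from the page; the `--type credscan` flag is an assumption about how the "type parameter" is spelled on the CLI, and the `REPORTS_DIR` variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example pre-commit hook (not the project's docs/pre-commit.sh).
# Copy to <git repo>/.git/hooks/pre-commit and make it executable.

# Directory the scan writes into; "reports" matches the page's description.
REPORTS_DIR="${REPORTS_DIR:-reports}"

# ensure_reports_ignored <repo_dir>: add "<reports>/" to .gitignore if absent.
# Succeeds (exit 0) when the entry is present afterwards.
ensure_reports_ignored() {
    repo="$1"
    ignore_file="$repo/.gitignore"
    entry="${REPORTS_DIR}/"
    if [ -f "$ignore_file" ] && grep -qxF "$entry" "$ignore_file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$ignore_file"
    grep -qxF "$entry" "$ignore_file"
}

# staged_report_files <repo_dir>: list staged paths under the reports directory.
# Prints nothing (and exits 0) when there are none or when git is unavailable.
staged_report_files() {
    repo="$1"
    git -C "$repo" diff --cached --name-only --diff-filter=ACMR 2>/dev/null \
        | grep "^${REPORTS_DIR}/" || true
}

# run_scan <repo_dir>: run sast-scan with credential scanning via docker.
# Skips (exit 0) when docker is missing so commits never block on a
# workstation without docker; the CI step still covers those commits.
run_scan() {
    repo="$1"
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found; skipping sast-scan" >&2
        return 0
    fi
    mkdir -p "$repo/$REPORTS_DIR"
    # --type credscan is an ASSUMED spelling of the page's "type parameter".
    docker run --rm \
        -v "$repo:/app:cached" \
        -v "$repo/$REPORTS_DIR:/reports:cached" \
        quay.io/appthreat/sast-scan scan --src /app --type credscan \
        --out_dir /reports
}

# Hook entry point: only runs when installed under the name "pre-commit",
# so the functions above can be sourced or tested without side effects.
if [ "${0##*/}" = "pre-commit" ]; then
    repo_root="$(git rev-parse --show-toplevel)"
    ensure_reports_ignored "$repo_root"
    staged="$(staged_report_files "$repo_root")"
    if [ -n "$staged" ]; then
        echo "refusing to commit generated scan reports:" >&2
        echo "$staged" >&2
        exit 1
    fi
    run_scan "$repo_root"
fi
```

The refusal on staged report files is the local counterpart of the .gitignore advice: ignoring the directory stops accidental `git add .`, while the staged-file check also catches a deliberate `git add -f reports/` that would push findings (and any plain-text credential output) into history.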
The following extension, SARIF viewer, must be installed and enabled by the administrator. The YAML pipeline should include the steps below to enable the analysis.
```yaml
- task: PublishBuildArtifacts@1
  displayName: "Publish analysis logs"
  inputs:
    PathtoPublish: "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs"
    ArtifactName: "CodeAnalysisLogs"
    publishLocation: "Container"
```