Note: This feature is an early release. Please reach out to Qwiet Support if you experience any issues.
Qwiet preZero for Azure DevOps
Qwiet preZero for Azure DevOps is an extension for Azure DevOps Pipelines that displays Qwiet AI analysis results produced as part of an Azure DevOps Pipelines run. Please visit the Microsoft Visual Studio Marketplace to install.
Configuration
In Azure DevOps, create a new variable group and variable:
- Navigate to Pipelines and then Library.
- Create a new Variable group named shiftleft-token.
- Add a SHIFTLEFT_ACCESS_TOKEN variable to the group. Obtain a CI token from the Qwiet AI Organization integrations page. Mark the variable as secret (the lock icon next to the value) so that the token is masked in pipeline logs; secret variables are not exported to the environment automatically, which is why the pipeline below maps it explicitly with env: on each step that calls Qwiet. You can find additional details in the Azure Pipelines documentation on variable groups.
Update pipeline
Update an existing pipeline (e.g. azure-pipelines.yaml) or create a new one with the code below. Please note that this extension expects an artifact named QwietReports that contains files with the following names:
- qwiet-analysis-output.json
- qwiet-check-analysis-report.md
- qwiet-bestfix-report.json
- qwiet-sbom-report.json
```yaml
variables:
  # Variable group created under Pipelines > Library; holds SHIFTLEFT_ACCESS_TOKEN.
  - group: shiftleft-token

trigger:
  - master
  - feature/*

pool:
  vmImage: 'windows-latest'

stages:
  - stage: Builders
    displayName: Qwiet preZero
    jobs:
      - job: Build
        displayName: Qwiet preZero analysis
        steps:
          - task: NuGetToolInstaller@1

          # sl-latest is an unpinned download: every run fetches whatever the CDN
          # currently serves. Pin a specific release if you need reproducible runs.
          - task: PowerShell@2
            displayName: Download Qwiet preZero CLI
            inputs:
              targetType: 'inline'
              script: |
                Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile $(Agent.HomeDirectory)\sl.zip
                Expand-Archive -Path $(Agent.HomeDirectory)\sl.zip -DestinationPath $(Agent.HomeDirectory)\

          - task: DotNetCoreCLI@2
            displayName: Restore web api
            inputs:
              command: 'restore'
              projects: '$(Build.SourcesDirectory)'

          # Secret variables are not placed in the environment automatically, so the
          # token is mapped with env: on each step that needs it. Replace
          # vulnerable_asp_net_core.sln with your own solution file.
          - task: CmdLine@2
            displayName: Analyze code with Qwiet preZero
            inputs:
              script: |
                $(Agent.HomeDirectory)\sl.exe analyze --wait --app $(System.TeamProject) --tag branch=$(Build.SourceBranchName) --structured-output --structured-output-format JSON --structured-output-file-path qwiet-analysis-output.json --csharp vulnerable_asp_net_core.sln
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          - task: CmdLine@2
            displayName: Generate Qwiet preZero check-analysis report
            inputs:
              script: |
                $(Agent.HomeDirectory)\sl.exe check-analysis --v2 --no-build-rules --app $(System.TeamProject) --branch $(Build.SourceBranchName) --report-file qwiet-check-analysis-report.md
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          # Clones the default branch at HEAD and installs its requirements; pin a
          # commit (git checkout <sha>) if you want this step to be reproducible.
          - task: CmdLine@2
            displayName: Download and setup Qwiet preZero integrations
            inputs:
              script: |
                git clone https://github.com/ShiftLeftSecurity/field-integrations.git report
                pip3 install -r report/shiftleft-utils/requirements.txt
              workingDirectory: '$(Build.SourcesDirectory)'

          - task: CmdLine@2
            displayName: Generate Qwiet preZero bestfix report
            inputs:
              script: |
                python3 report/shiftleft-utils/bestfix.py --no-logo -a $(System.TeamProject) -f json -o qwiet-bestfix-report.json -s .
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
              CI: 1

          - task: CmdLine@2
            displayName: Generate Qwiet preZero SBOM report
            inputs:
              script: |
                python3 report/shiftleft-utils/sbom_report.py -a $(System.TeamProject) -o qwiet-sbom-report.json
              workingDirectory: '$(Build.SourcesDirectory)'
            env:
              SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

          # Only the four report files are staged; nothing else from the source tree
          # ends up in the published artifact.
          - task: CopyFiles@2
            displayName: 'Copy Qwiet preZero reports to: $(Build.ArtifactStagingDirectory)'
            inputs:
              SourceFolder: '$(Build.SourcesDirectory)'
              Contents: |
                qwiet-analysis-output.json
                qwiet-check-analysis-report.md
                qwiet-bestfix-report.json
                qwiet-sbom-report.json
              TargetFolder: '$(Build.ArtifactStagingDirectory)'

          # The artifact name must be QwietReports; the extension looks for it by name.
          - task: PublishBuildArtifacts@1
            displayName: 'Publish Artifact: QwietReports'
            inputs:
              ArtifactName: QwietReports
              PathtoPublish: '$(Build.ArtifactStagingDirectory)'
```
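The extension consumes the QwietReports artifact by file name, so a step that silently produced no output (an expired token, a failed clone of the integrations repository, a truncated JSON write) shows up only later as an empty results tab. The following check, added here as an example and not part of the extension or of Qwiet's field-integrations scripts, verifies the staging directory before it is published: exactly the four expected files are present, the three JSON reports parse to an object or array, and the markdown report is non-empty. The file name validate_reports.py, the pipeline step in the usage note, and the sample report contents are assumptions; the samples are constructed for illustration and are not real Qwiet output.

```python
"""Pre-publish check for the QwietReports artifact (added example).

Exit status is non-zero when the staging directory does not contain exactly
the four report files the Qwiet preZero extension expects, or when one of
them is unusable, so the job fails before an incomplete artifact is published.
"""
import json
import sys
from pathlib import Path

EXPECTED_JSON = (
    "qwiet-analysis-output.json",
    "qwiet-bestfix-report.json",
    "qwiet-sbom-report.json",
)
EXPECTED_MARKDOWN = ("qwiet-check-analysis-report.md",)
EXPECTED_FILES = EXPECTED_JSON + EXPECTED_MARKDOWN


def validate_reports(files: dict) -> list:
    """Return a list of problems; an empty list means the artifact is acceptable.

    `files` maps file name -> raw bytes, so the logic can be exercised without
    touching the filesystem.
    """
    problems = []
    # Every expected report must be present, and nothing else may be published.
    for name in EXPECTED_FILES:
        if name not in files:
            problems.append(f"missing report: {name}")
    for name in files:
        if name not in EXPECTED_FILES:
            problems.append(f"unexpected file in artifact: {name}")
    # JSON reports must parse to an object or an array (an empty array is a
    # legitimate "no findings" result, so emptiness alone is not an error).
    for name in EXPECTED_JSON:
        data = files.get(name)
        if data is None:
            continue
        try:
            parsed = json.loads(data.decode("utf-8"))
        except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
            problems.append(f"{name} is not valid JSON: {exc}")
            continue
        if not isinstance(parsed, (dict, list)):
            problems.append(f"{name} does not contain a JSON object or array")
    # The check-analysis report is rendered as markdown; a blank file is useless.
    for name in EXPECTED_MARKDOWN:
        data = files.get(name)
        if data is not None and not data.strip():
            problems.append(f"{name} is empty")
    return problems


def read_staging_dir(directory) -> dict:
    """Collect every regular file in the staging directory as name -> bytes."""
    root = Path(directory)
    return {p.name: p.read_bytes() for p in root.iterdir() if p.is_file()}


# Constructed sample artifacts (not real Qwiet output), used for self-testing.
SAMPLE_GOOD = {
    "qwiet-analysis-output.json": b'{"findings": [{"id": "f1"}]}',
    "qwiet-check-analysis-report.md": b"# Check analysis\n\nNo violations.\n",
    "qwiet-bestfix-report.json": b'[{"finding": "f1", "fix": "parameterize the query"}]',
    "qwiet-sbom-report.json": b'{"components": []}',
}
SAMPLE_BAD = {
    "qwiet-analysis-output.json": b'{"findings": [',   # truncated write
    "qwiet-check-analysis-report.md": b"\n",            # blank report
    "qwiet-bestfix-report.json": b"[]",                 # fine: no fixes to suggest
    "sl.log": b"debug output",                          # must not be published
    # qwiet-sbom-report.json is missing entirely
}


def main(argv) -> int:
    directory = argv[1] if len(argv) > 1 else "."
    problems = validate_reports(read_staging_dir(directory))
    for problem in problems:
        print(f"QwietReports: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an additional CmdLine@2 step after CopyFiles@2 and before PublishBuildArtifacts@1, for example `python3 validate_reports.py $(Build.ArtifactStagingDirectory)`; a non-zero exit fails the job, and the problems are printed on stderr so they appear in the step log. Against SAMPLE_BAD the function reports four problems: the missing SBOM file, the stray sl.log, the truncated analysis JSON and the blank markdown report.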