Shifting left on security has been the main focus for lots of elite DevOps organizations. But what does shifting left on security mean?
In a traditional software organization, the developers develop their code, deploy to production and then the security analysts come in and run all the scans they need to run to make sure no high-level vulnerabilities are present on the application. And if there is a vulnerability, it usually takes until the next release cycle for a fix to be released and sometimes those fixes just stay in the backlog for a while.
Shifting left means that we move security scanning, or security mindfulness in general, to the left side of the software development lifecycle (the early stages of writing code). We want to reach a point where, when a developer commits code that introduces some type of vulnerability, the build fails immediately and the developer fixes that issue before it goes any further.
There are lots of great tools that can be integrated into your build pipeline to enable this, and one of these tools is Veracode.
I recently had to deploy Veracode for a customer of mine and noticed the lack of documentation when it comes to adding Veracode to an Azure DevOps pipeline and the things that one needs to be aware of.
Prerequisites
- A Veracode application analysis subscription
- An API key generated from the Veracode portal
- A service connection from Azure DevOps to Veracode
- An existing YAML pipeline that produces an artifact
- The Veracode Azure DevOps extension
Quick set-up and things to be aware of
The above is the Veracode extension task within a YAML template. The task takes your artifact from the artifact directory, uploads it to Veracode and scans it.
Important note: this scan is called a policy scan and takes a long time to complete. If you want to see a summary of the results within Azure DevOps, or if you want to fail the build based on the results, your pipeline will wait for the scan to complete.
When running pipeline jobs on Microsoft-hosted agents, there is a limit of 60 minutes per job unless you buy a parallel job (which raises the limit to 6 hours). These 60 minutes might not be enough for Veracode to scan your artifact, and the job will time out.
Ok, so what are your options now?
- You can do what I did above and set importResults and failBuildOnPolicyFail to false; this way the task just kicks off the scan and finishes as succeeded while the scan runs on your Veracode subscription, and you can view the results there.
- Buy a parallel job from Microsoft and get the ability to run a job for 6 hours.
- Use Veracode's pipeline scan tool and scan smaller pieces of your source code. This tool can only run on artifacts up to 100 MB in size.
Veracode pipeline scan documentation: About the Pipeline Scan (veracode.com)
Note: the Veracode pipeline scan is not part of the Azure DevOps extension. It is a jar file that needs to be downloaded and run within your pipeline.
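A worked pipeline definition covering the first and third options above, added here as an example and not the YAML from the original post: the extension task with importResults and failBuildOnPolicyFail set to false, so the job returns as soon as the upload is accepted, plus a second job that downloads and runs the pipeline scan jar against one artifact. The service connection name, application profile name, artifact name, build script and secret variable names are assumptions; the task inputs and jar flags are taken from Veracode's documentation and should be checked against the version you install.

```yaml
pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Build
    jobs:
      - job: Build
        steps:
          - script: ./build.sh            # placeholder for whatever produces your artifact
            displayName: 'Build application'
          - publish: $(Build.ArtifactStagingDirectory)
            artifact: drop

  - stage: Security
    dependsOn: Build
    jobs:
      # Option 1: policy scan via the extension, fire-and-forget, so the task
      # returns once the upload is accepted instead of waiting for results.
      - job: PolicyScan
        steps:
          - download: current
            artifact: drop
          - task: Veracode@3
            inputs:
              ConnectionDetailsSelection: 'Service Connection'
              AnalysisService: 'veracode-service-connection'   # assumed service connection name
              veracodeAppProfile: 'my-app'                     # assumed application profile name
              version: '$(Build.BuildNumber)'                  # must be unique per upload
              filepath: '$(Pipeline.Workspace)/drop'
              importResults: false          # do not wait to pull results into Azure DevOps
              failBuildOnPolicyFail: false  # do not block on the policy verdict

      # Option 3: pipeline scan of a single artifact (must stay under 100 MB);
      # fails the job on Very High / High findings, keeping credentials out of the log.
      - job: PipelineScan
        steps:
          - download: current
            artifact: drop
          - script: |
              curl -sSLO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
              unzip -o pipeline-scan-LATEST.zip
              java -jar pipeline-scan.jar \
                --veracode_api_id "$VERACODE_API_ID" \
                --veracode_api_key "$VERACODE_API_KEY" \
                --file "$(Pipeline.Workspace)/drop/app.jar" \
                --fail_on_severity "Very High, High"
            displayName: 'Veracode pipeline scan'
            env:
              VERACODE_API_ID: $(VERACODE_API_ID)     # secret pipeline variables, assumed names
              VERACODE_API_KEY: $(VERACODE_API_KEY)
```

Mapping the secrets through env rather than pasting them into the command keeps them masked in the job output, and the PolicyScan job stays well under the 60-minute hosted-agent limit because it no longer waits on the scan.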
This was a quick summary of how to add Veracode to your Azure DevOps pipeline and a few considerations that come with it. For a more complete analysis of your pipeline, or for help designing your pipelines, please reach out to us at the Microsoft Business Group and we will be able to help you get started on your DevOps journey.