Azure Pipelines

Azure Pipelines automatically builds and tests code projects to make them available to others. It works with just about any language or project type. Azure Pipelines combines continuous integration (CI) and continuous delivery (CD) to test and build your code and ship it to any target.


How to Integrate Edgescan & Azure Pipelines

With the Azure Pipelines connector for Edgescan, you can build application vulnerability scans into existing CI/CD processes. The connector allows DevOps teams to initiate VM scanning directly from their pipelines. Once initiated, a scan takes place and a pass/fail result is returned depending on the configured criteria. The build fails if the results do not meet the configured criteria; otherwise, the build proceeds to the next step, if there is one.

Edgescan makes it easy to add security scanning to Azure Pipelines. The basic steps are:

1. Configure your Pipeline by adding or editing the azure-pipelines.yml file in your project repository
2. Configure Edgescan by CLI or with environment variables
3. Secure your API key as a secret Variable in your Pipeline


Edgescan API Key

When you signed up with Edgescan, you created an API key. You will need this API key, so be sure to record it.


Create a Git Repo

If you don’t already have a Git repo, go ahead and create one for this tutorial. We recommend Azure Repos, Bitbucket, or GitHub for ease of integration.


Configure Your Azure Pipelines

At the base directory of your code repository, add an azure-pipelines.yml file to configure Azure Pipelines to run an Edgescan scan.

pool:
  vmImage: 'ubuntu-latest'

jobs:
- job: Remote_Scan
  steps:
    - script: >
        docker run -t
        -e ES_API_TOKEN="${ES_API_TOKEN}"
        -e ES_ASSET="${ES_ASSET_ID}"
        edgescan/cicd-integration
      displayName: Run Edgescan
      env:
        ES_API_TOKEN: $(es_api_token)
        ES_ASSET_ID: $(es_asset_id)

This configuration tells Pipelines to run a single job, which runs the Edgescan Docker image. The job passes the Edgescan API token and your asset ID to the container as environment variables, taken from secret Pipeline Variables that we will set up momentarily. The job waits for the scan results before finishing, so the step's exit status decides whether the build continues.

The final command could also be:

docker run -t edgescan/cicd-integration --asset-id ${ES_ASSET_ID} --api-token ${ES_API_TOKEN}
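As an added example (not the connector's or the page's own code), the following POSIX shell wrapper can serve as the body of the script step above: it checks that the two secret variables actually reached the environment, then runs the same docker command and returns its exit status so a failed scan fails the build. DOCKER_CMD is an assumed override, used only so the wrapper can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not part of the Edgescan connector or the page's YAML: a
# wrapper to call from the `- script:` step after the env: mapping shown above.

# Confirm the secret variables were actually mapped into the environment.
# Azure Pipelines does not hand secret variables to scripts unless they are
# listed under env:, so an empty value almost always means the mapping is
# missing or the variable name is misspelled. Values are never echoed.
check_scan_env() {
    token="${1:-}"
    asset="${2:-}"
    if [ -z "$token" ]; then
        echo "ES_API_TOKEN is empty: map es_api_token under env:" >&2
        return 1
    fi
    if [ -z "$asset" ]; then
        echo "ES_ASSET_ID is empty: map es_asset_id under env:" >&2
        return 1
    fi
    return 0
}

# Run the scan container and hand its exit status back to the pipeline so the
# step (and therefore the build) fails when the scan misses the configured
# criteria. DOCKER_CMD is a hypothetical override that lets the wrapper be
# exercised without Docker; it defaults to the real docker binary.
run_edgescan_scan() {
    check_scan_env "${ES_API_TOKEN:-}" "${ES_ASSET_ID:-}" || return 2
    "${DOCKER_CMD:-docker}" run -t \
        -e ES_API_TOKEN="${ES_API_TOKEN}" \
        -e ES_ASSET="${ES_ASSET_ID}" \
        edgescan/cicd-integration
}
```

Call run_edgescan_scan as the last line of the script step so its return code becomes the step's result.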

Add, commit, and push azure-pipelines.yml to your Git repository.


Create an Azure Pipeline

Make sure the file above has been pushed to your central Git repo so that Azure Pipelines can find it.

From your Azure DevOps Console, select (or create) the Project you wish to add a Pipeline to. From your Project, select Pipelines from the left pane. Then click the blue New Pipeline button to create a new Pipeline.

From here, Azure will step you through the process of adding your repository, as follows:

– Where is your code? Select your provider: Azure Repos, Bitbucket, or GitHub
– Select a repository: Select the repo you just pushed your new configuration to
– Configure your pipeline: Select “Existing Azure Pipelines YAML File”
– Select an Existing YAML File: Enter azure-pipelines.yml in the Path field
– Review your pipeline YAML: Click the grey Variables button
– Variables: Click the blue New variable button

In the New variable dialog, name your variable es_api_token and add your Edgescan API key as the Value. Check the box to Keep this value secret, then save the variable.

Do the same for your asset ID and name it es_asset_id.


Run It

Now that you have identified your Pipeline configuration file and saved your API key and asset ID as Variables, Pipelines will let you Review your pipeline YAML. It should contain exactly the Pipeline code you entered above. Hit the blue Run button and watch your pipeline run.

You should see the Edgescan container run and print some summary information to the screen when the scan is complete.