Aug 16, 2024

Azure DevOps - Now With Added Veracode

By Robert Haynes

A new Veracode Azure DevOps extension 

Veracode is pleased to announce the general availability of our new Azure DevOps Workflow integration. This new integration provides our customers using Azure DevOps Services with easy-to-configure, event-driven security testing of their application and infrastructure code managed in their Azure DevOps Repos.   

How does this differ from our previous Azure DevOps integrations?  

In previous integrations, customers had to perform a number of different steps and then configure scanning for each individual pipeline. Our new integration dramatically simplifies setup: a single configuration file enables Static Analysis, secret and IaC scanning, and Software Composition Analysis across an entire Azure DevOps Organization.

How does it work?  

The Azure DevOps Workflow integration is installed from within the Veracode platform. All that is required is an access token and the name of the Azure DevOps organization.

"Azure Extension installation"

Once the extension is installed, a new ‘Veracode’ repository is created, including a veracode.yml file containing a default configuration that can be easily altered to suit your requirements. Then, there are just a few more steps, including creating a key vault and granting access to the various components. 

'veracode.yaml configuration file'

Scans are triggered by pushes and pull requests, as with our GitHub Workflow Integration. Pull requests into a production branch can be assessed against a policy and blocked if the security findings do not pass.

The scan results can be seen in the output of the jobs triggered by the integration and (optionally) turned into Work Items in your Azure project Boards:

"Azure Devops Work Items"

How can I get it?  

Veracode Azure DevOps Workflow is available now and can be installed by following the documentation. No additional SKUs or entitlements from Veracode are required, but you will need to have Administrator or Security Lead roles assigned to your Veracode user account, an Azure subscription with the ability to create an Azure Key Vault, and the permissions to create Personal Access Tokens in Azure.  

What languages and platforms can I use? 

The Veracode Azure DevOps Workflow works with Azure DevOps Services (not Server) and will support the following languages for Static Analysis.  

  • Java 

  • JavaScript and TypeScript 

  • .NET 

  • Python 

  • Go 

  • Kotlin 

  • React Native 

Conclusion

This new integration brings simplicity, security, and integration with your existing workflows to Azure DevOps. Developers get fast feedback and easy tracking, and DevSecOps gets 'install-once-run-everywhere' for their Azure DevOps organizations. We'd encourage you to try it out and let us know what you think - your Veracode team always wants to hear your feedback.

If you’re not (yet) a Veracode customer, why not contact us for a demo?  


Robert’s quarter-century working in IT has progressed (or is that regressed?) through helpdesk, UNIX sysadmin, backup, storage, application security, technical sales, and marketing. He now spends his time hanging out at the intersection of artificial intelligence and human ingenuity, waving a sign that says: “This way for secure software.”