When logged in to Azure DevOps, select the basket icon in the top right and then the Browse marketplace link from the menu.
Search for Contrast in the Marketplace and select Contrast Integration. Press the Get it Free button. Select the Azure DevOps organization into which you wish to install the extension, or download it for installation on Azure DevOps Server.
To create a service connection, go to your Project Settings at the bottom of the sidebar.
In the Pipelines section of the settings menu, select Service connections. Select New Service connection, then Contrast Server Connection, and press Next.
Enter the Contrast URL (without /Contrast), e.g. https://app.contrastsecurity.com. Enter the Username (normally the email address). The Organization UUID, Service key and API key are available in Contrast at User Settings -> Your API Keys. Specify the name of the service connection and save the connection.
The next step is to configure a task from the extension in a release or a build pipeline. You can configure the task in a YAML build pipeline. This task must run in the server pool (pool: server).
jobs:
- job: verify_application
  pool: server
  steps:
Add the task below to configure monitoring of your application in the pipeline, and modify the properties as required.
The Application field requires an application ID from your Contrast instance, meaning the application must exist in Contrast first.
The fields CriticalLimit, HighLimit, MediumLimit, LowLimit and NoteLimit specify the count of vulnerabilities of each severity that will be allowed.
Recommendation:
Set MediumLimit, LowLimit and NoteLimit to -1, so vulnerabilities of these severities will not be included, then set CriticalLimit and HighLimit to the current count of each severity in your application. This way, your build will not fail for the current state of the application, but any increase in the High or Critical counts would fail the build.
  - task: ContrastIntegration@2
    inputs:
      ContrastService: 'TestContrastConnection'
      Application: '30b2ba47-70a0-4718-8f25-ac6641695ce9' # application ID in Contrast
      CriticalLimit: '0'
      HighLimit: '0'
      MediumLimit: '-1'
      LowLimit: '-1'
      NoteLimit: '-1'
Run the pipeline.
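The recommendation above on choosing limits can be worked through as follows. This is an added example, not code from the Contrast extension: it models the limit behaviour as this page describes it, assuming that -1 excludes a severity and that a count equal to the limit still passes. The function names and sample counts are constructed for illustration.

```python
# Added illustration: models the limit semantics described on this page.
# It is not the Contrast extension's code; all names here are hypothetical.

SEVERITIES = ("Critical", "High", "Medium", "Low", "Note")
GATED = ("Critical", "High")  # severities the recommendation keeps gated


def baseline_limits(current_counts):
    """Build task inputs per the recommendation: gate Critical/High at
    their current counts, set the other severities to -1 (not included)."""
    return {
        f"{sev}Limit": str(current_counts.get(sev, 0)) if sev in GATED else "-1"
        for sev in SEVERITIES
    }


def evaluate_gate(limits, counts):
    """Return the severities whose count exceeds the allowed limit.
    Assumption: -1 excludes the severity; count == limit still passes."""
    violations = []
    for sev in SEVERITIES:
        limit = int(limits[f"{sev}Limit"])
        if limit == -1:
            continue  # severity is not included in the check
        if counts.get(sev, 0) > limit:
            violations.append(sev)
    return violations


def render_inputs(limits, indent="      "):
    """Render the limits as YAML lines for the task's inputs block."""
    return "\n".join(f"{indent}{key}: '{value}'" for key, value in limits.items())


if __name__ == "__main__":
    # Constructed sample counts, not taken from a real application.
    today = {"Critical": 1, "High": 4, "Medium": 12, "Low": 30, "Note": 7}
    limits = baseline_limits(today)
    print(render_inputs(limits))
    print("unchanged app:", evaluate_gate(limits, today) or "pass")
    regressed = dict(today, High=5, Medium=40)  # one new High, many new Medium
    print("after regression:", evaluate_gate(limits, regressed))
```

Because the check is count-based, lower CriticalLimit and HighLimit as findings are fixed; otherwise a new finding can take the place of a fixed one without failing the build.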
For further information on this topic, refer to our official documentation site.