Scanning in Azure Pipelines
Azure Pipelines is a continuous integration and continuous delivery (CI/CD) service in the Azure DevOps ecosystem. It provides continuous integration, continuous testing, and continuous deployment so that software can be built, tested, and delivered in one workflow.
To integrate Endor Labs into an Azure pipeline:
Complete the Prerequisites
Ensure that you complete the following prerequisites before you proceed.
Set up an Endor Labs tenant
You must have an Endor Labs tenant set up for your organization. You can also set up namespaces according to your requirements. See Set up namespaces.
Configure Endor Labs authentication
Configure an API key and secret for authentication. See managing API keys for more information on generating an API key for Endor Labs. Store the API key and secret as the environment variables ENDOR_API_CREDENTIALS_KEY and ENDOR_API_CREDENTIALS_SECRET.
Enable Advanced Security in Azure
You need to enable Advanced Security in your Azure repository to view results in Azure.
- Log in to Azure and open Project Settings.
- Navigate to Repos > Repositories in the left navigation panel.
- Select your repository.
- Enable Advanced Security.
Configure Endor Labs variables in the pipeline
You can manage Endor Labs variables centrally by configuring them within your Azure project. You can assign these variables to various pipelines.
- Log in to Azure and select Pipelines > Library.
- Click +Variable Group to add a new variable group for Endor Labs.
- Enter a name for the variable group, for example, tenant-variables, and click Add under Variables.
- Add the following variables:
  - ENDOR_API_CREDENTIALS_KEY
  - ENDOR_API_CREDENTIALS_SECRET
  - NAMESPACE
- Select the variable group that you created.
- Click Pipeline Permissions.
- Click + to add the pipelines in which you want to use the variable group.
Configure your Azure pipeline
- Create the azure-pipelines.yml file in your project, if it doesn't exist.
- In the azure-pipelines.yml file, customize the job configuration based on your project's requirements.
- Adjust the image field to use the build tools needed to construct your software packages, and align the build steps with those of your project. For example, update the pool settings based on your operating system.
```yaml
# Windows
pool:
  name: Default
  vmImage: "windows-latest"
```

```yaml
# Linux
pool:
  name: Default
  vmImage: "ubuntu-latest"
```

```yaml
# macOS
pool:
  name: Default
  vmImage: "macOS-latest"
```
- Update your default branch from main if you do not use main as the default branch name.
- Modify any dependency or artifact caches to align with the languages and caches used by your project.
- Enter the following steps in the azure-pipelines.yml file to download endorctl.
```yaml
# Windows
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_windows_amd64.exe -o endorctl.exe
    # two spaces between digest and file name is the format sha256sum -c expects;
    # the file to verify is endorctl.exe, the name the download was saved under
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe)  endorctl.exe" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
```

```yaml
# Linux
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_linux_amd64 -o endorctl
    # two spaces between digest and file name is the format sha256sum -c expects
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_linux_amd64)  endorctl" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
    # the binary is downloaded without the execute bit; set it so ./endorctl runs
    chmod +x ./endorctl
```

```yaml
# macOS
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_macos_arm64 -o endorctl
    # two spaces between digest and file name is the format shasum --check expects
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_macos_arm64)  endorctl" | shasum -a 256 --check
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
    # the binary is downloaded without the execute bit; set it so ./endorctl runs
    chmod +x ./endorctl
```
- Enter the steps to build your project if your project needs building and setup steps.
- Enter the following step in the azure-pipelines.yml file to run endorctl scan and generate the SARIF file. You can run endorctl scan with whatever options your project requires, but you must include the -s option so that the SARIF file is generated. For example, add the --secrets flag to scan for secrets.
```yaml
# Windows
- script: |
    .\endorctl.exe scan -n $(NAMESPACE) -s scanresults.sarif
```

```yaml
# Linux
- script: |
    ./endorctl scan -n $(NAMESPACE) -s scanresults.sarif
```

```yaml
# macOS
- script: |
    ./endorctl scan -n $(NAMESPACE) -s scanresults.sarif
```
- Enter the following task in the azure-pipelines.yml file to publish the scan results.

```yaml
- task: AdvancedSecurity-Publish@1
  displayName: Publish '.\sarif\scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)\
```
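The download step above does three things that are easy to get subtly wrong in a one-line pipeline script: pick the right asset name for the agent, fetch it so that an HTTP error cannot be mistaken for a binary, and refuse to continue when the published digest does not match. The script below, which is an added example and not code from the Endor Labs docs, factors those pieces into functions so the naming and checksum logic can be checked without network access. It assumes the endpoints and release layout shown on this page and that https://api.endorlabs.com/sha/latest/<name> returns a bare hex digest; every function name is ours.

```shell
#!/usr/bin/env sh
# Added example (not from the Endor Labs docs). Assumes the /meta/version,
# /sha/latest/<name> and storage.googleapis.com/endorlabs/<version>/binaries/
# layout used on this page; function names are ours.

# Name used under https://api.endorlabs.com/sha/latest/ for a given agent OS/arch.
endorctl_sha_name() {
  case "${1}_${2}" in
    windows_amd64)            printf '%s\n' "endorctl_windows_amd64.exe" ;;
    linux_amd64|macos_arm64)  printf '%s\n' "endorctl_${1}_${2}" ;;
    *) printf 'unsupported platform: %s/%s\n' "$1" "$2" >&2; return 2 ;;
  esac
}

# File name under .../endorlabs/<version>/binaries/ (the sha name with the
# version inserted after "endorctl_"). Arguments: version os arch.
endorctl_asset_name() {
  sha_name=$(endorctl_sha_name "$2" "$3") || return 2
  printf '%s\n' "endorctl_${1}_${sha_name#endorctl_}"
}

# Pull "Version" out of the JSON body of /meta/version (same grep/sed the page uses).
endorctl_parse_version() {
  printf '%s' "$1" | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/'
}

# Hex SHA-256 of a file using whichever tool the agent has
# (sha256sum on Linux and Windows bash, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 1 on a digest mismatch so the step fails before the binary is ever run.
verify_sha256() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$2") || return 1
  if [ "$actual" != "$expected" ]; then
    printf 'Integrity check failed for %s\n' "$2" >&2
    return 1
  fi
}

# The complete step as it would run on an agent (needs network; not exercised offline).
# curl -f turns an HTTP error into a non-zero exit instead of saving the error page
# as the binary, and a failed verification removes the file rather than leaving it.
download_endorctl() {
  os=$1; arch=$2
  version=$(endorctl_parse_version "$(curl -fsSL https://api.endorlabs.com/meta/version)") || return 1
  [ -n "$version" ] || { echo "could not determine endorctl version" >&2; return 1; }
  sha_name=$(endorctl_sha_name "$os" "$arch") || return 1
  asset=$(endorctl_asset_name "$version" "$os" "$arch") || return 1
  dest="endorctl${sha_name#endorctl_${os}_${arch}}"   # endorctl, or endorctl.exe on Windows
  curl -fsSL "https://storage.googleapis.com/endorlabs/${version}/binaries/${asset}" -o "$dest" || return 1
  expected=$(curl -fsSL "https://api.endorlabs.com/sha/latest/${sha_name}") || { rm -f "$dest"; return 1; }
  verify_sha256 "$expected" "$dest" || { rm -f "$dest"; return 1; }
  [ "$os" = windows ] || chmod +x "$dest"
  printf '%s\n' "$dest"
}

# On an agent the bash step becomes:
#   dest=$(download_endorctl linux amd64) && "./$dest" scan -n "$NAMESPACE" -s scanresults.sarif
```

If you mark ENDOR_API_CREDENTIALS_SECRET as a secret variable in the variable group (the lock icon), Azure Pipelines does not export it to the script's environment automatically; pass it to the scan step explicitly with an env: mapping such as ENDOR_API_CREDENTIALS_SECRET: $(ENDOR_API_CREDENTIALS_SECRET), so the credential is never echoed into the pipeline YAML itself.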
After a successful run of the pipeline, you can view the results in Azure.
Azure Pipeline Examples
```yaml
# Windows
trigger:
- none

pool:
  name: Azure Pipelines
  vmImage: "windows-latest"

variables:
- group: tenant-variables

steps:
# All steps related to building of the project should be before this step.
# Implement and scan with Endor Labs after your build is complete.
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_windows_amd64.exe -o endorctl.exe
    # two spaces between digest and file name is the format sha256sum -c expects;
    # the file to verify is endorctl.exe, the name the download was saved under
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe)  endorctl.exe" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
  displayName: 'Downloading latest version of endorctl'
  continueOnError: false
- script: |
    .\endorctl.exe scan --secrets -n $(NAMESPACE) -s scanresults.sarif
  displayName: 'Run a scan against the repository using your API key & secret pair'
- task: AdvancedSecurity-Publish@1
  displayName: Publish '.\sarif\scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)\
```
```yaml
# Linux
trigger:
- none

pool:
  name: Azure Pipelines
  vmImage: "ubuntu-latest"

variables:
- group: tenant-variables

steps:
# All steps related to building of the project should be before this step.
# Implement and scan with Endor Labs after your build is complete.
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_linux_amd64 -o endorctl
    # two spaces between digest and file name is the format sha256sum -c expects
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_linux_amd64)  endorctl" | sha256sum -c
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
    ## Modify the permissions of the binary to ensure it is executable
    chmod +x ./endorctl
    ## Make endorctl available from any directory in later steps. A shell alias
    ## would not survive the end of this step; the Azure logging command does.
    echo "##vso[task.prependpath]$PWD"
  displayName: 'Downloading latest version of endorctl'
  continueOnError: false
- script: |
    ./endorctl scan --secrets -n $(NAMESPACE) -s scanresults.sarif
  displayName: 'Run a scan against the repository using your API key & secret pair'
- task: AdvancedSecurity-Publish@1
  displayName: Publish '.\sarif\scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)/
```
```yaml
# macOS
trigger:
- none

pool:
  name: Azure Pipelines
  vmImage: "macos-latest"

variables:
- group: tenant-variables

steps:
# All steps related to building of the project should be before this step.
# Implement and scan with Endor Labs after your build is complete.
- bash: |
    echo "Downloading latest version of endorctl"
    VERSION=$(curl -fsSL https://api.endorlabs.com/meta/version | grep -o '"Version":"[^"]*"' | sed 's/.*"Version":"\([^"]*\)".*/\1/')
    # -f makes an HTTP error a failure instead of saving the error page as the binary
    curl -fsSL https://storage.googleapis.com/endorlabs/"$VERSION"/binaries/endorctl_"$VERSION"_macos_arm64 -o endorctl
    # two spaces between digest and file name is the format shasum --check expects
    echo "$(curl -fsSL https://api.endorlabs.com/sha/latest/endorctl_macos_arm64)  endorctl" | shasum -a 256 --check
    if [ $? -ne 0 ]; then
      echo "Integrity check failed"
      exit 1
    fi
    ## Modify the permissions of the binary to ensure it is executable
    chmod +x ./endorctl
    ## Make endorctl available from any directory in later steps. A shell alias
    ## would not survive the end of this step; the Azure logging command does.
    echo "##vso[task.prependpath]$PWD"
  displayName: 'Downloading latest version of endorctl'
  continueOnError: false
- script: |
    ./endorctl scan --secrets -n $(NAMESPACE) -s scanresults.sarif
  displayName: 'Run a scan against the repository using your API key & secret pair'
- task: AdvancedSecurity-Publish@1
  displayName: Publish '.\sarif\scanresults.sarif' to Advanced Security
  inputs:
    SarifsInputDirectory: $(Build.SourcesDirectory)/
```
View scan results in Azure
After the pipeline runs, you can view the scan results in Azure.
- Log in to Azure and navigate to your projects.
- Select Repos > Advanced Security to view the scan results.
- Click an alert to view more details.
- If you ran endorctl with the --secrets flag, you can see whether any secrets were leaked. Click the entry to view more details.