Adding software composition analysis inspections to the pipelines in Azure DevOps

Written by

Rajnish Kumar Jha

Under the topic

Azure DevOps

Dated:

May 16, 2024

Table Of Content

Adding software composition analysis inspections to the pipelines in Azure DevOps

Integrating Software Composition Analysis (SCA) checks into your CI/CD pipelines is crucial for automating the identification of security vulnerabilities, license compliance issues, and outdated dependencies in your software projects. By incorporating SCA into your pipelines, you can detect and fix issues as part of the build process, ensuring that vulnerabilities are identified early, before deployment to production.

Here’s a step-by-step guide to integrate SCA checks into CI/CD pipelines using popular tools and services.

1. Prerequisites for SCA Integration

Before you integrate SCA into your pipeline, ensure the following:

You have an existing CI/CD pipeline (e.g., using Jenkins, GitHub Actions, GitLab CI, CircleCI, or Travis CI).
Your project uses package management (e.g., npm for JavaScript, pip for Python, Maven for Java, etc.).
You have selected an SCA tool to use for scanning (e.g., Snyk, WhiteSource, Dependabot, OWASP Dependency-Check, Sonatype Nexus, etc.).

2. Choosing an SCA Tool

Several SCA tools integrate directly with CI/CD systems and offer vulnerability scanning, license compliance checks, and dependency management.

Popular SCA tools include:

Snyk:

Provides security vulnerability scanning for open-source dependencies and offers fixes.

OWASP Dependency-Check:

Identifies vulnerabilities in project dependencies and produces reports.

WhiteSource:

Tracks open-source vulnerabilities and license compliance.

Sonatype Nexus Lifecycle:

Helps in identifying security vulnerabilities, license issues, and policy violations in dependencies.

GitHub Dependabot:

Can be used for managing dependencies and creating pull requests for updates and fixes.

You can choose one or more based on your project’s needs.

For this guide

I’ll cover Snyk and GitHub Actions as examples, but the concepts apply to any SCA tool.

3. Integrating SCA Checks into CI/CD Pipelines

Option 1: Using Snyk for Security and License Scanning

Step 1: Set Up Snyk Account

Go to and create a free account if you don't have one.
Link your GitHub, GitLab, or Bitbucket account to Snyk to allow it to access your repositories.
Install the Snyk CLI tool on your local machine or CI/CD environment.


xxxxxxxxxx
1
1
npm install -g snyk

Step 2: Add Snyk to Your CI/CD Pipeline

Now, integrate Snyk into your CI/CD pipeline.
Below is an example of how to integrate it using GitHub Actions:
Create or update the .github/workflows/snyk.yml file to define the pipeline.


xxxxxxxxxx
26
1
name: Snyk Security Scan
2
on:
3
  push:
4
    branches:
5
      - main
6
  pull_request:
7
    branches:
8
      - main
9
jobs:
10
  snyk:
11
    runs-on: ubuntu-latest
12
    steps:
13
    - name: Checkout code
14
      uses: actions/checkout@v2
15
    - name: Set up Node.js (for Node.js projects)
16
      uses: actions/setup-node@v2
17
      with:
18
        node-version: '14'
19
    - name: Install dependencies
20
      run: npm install
21
    - name: Install Snyk
22
      run: npm install -g snyk
23
    - name: Run Snyk test
24
      run: snyk test --all-projects
25
    - name: Monitor for new vulnerabilities
26
      run: snyk monitor

Step 3: Review Results and Fix Issues

Snyk test runs the security scan on your dependencies and provides a report about vulnerabilities.

If any vulnerabilities are found, Snyk will return a non-zero exit code, causing the pipeline to fail. This ensures that critical vulnerabilities are caught before deployment.

Snyk monitor sends the current state of the project to the Snyk dashboard, allowing you to track vulnerabilities over time and get notifications for new issues.

Optional: Automatically Fix Issues (PR Creation)

You can configure the pipeline to automatically open pull requests to fix vulnerabilities.

Add the following step to the snyk.yml file:


xxxxxxxxxx
2
1
- name: Snyk Auto Fix
2
   run: snyk wizard --all-projects

This step will automatically create pull requests for vulnerable dependencies with fixed versions.

Option 2: Using OWASP Dependency-Check in Jenkins

Step 1: Install OWASP Dependency-Check Plugin (Jenkins)

Go to your Jenkins dashboard.
Install the OWASP Dependency-Check Plugin.
Navigate to Manage Jenkins > Manage Plugins.
Search for Dependency-Check Plugin and install it.

Step 2: Add Dependency-Check to Jenkins Pipeline

If you're using a Jenkins pipeline with a Jenkinsfile, you can add OWASP Dependency-Check to the pipeline to automatically scan your dependencies.

Example Jenkinsfile with Dependency-Check:


xxxxxxxxxx
38
1
pipeline ``{
2
    agent any
3
    stages ``{
4
        stage('Checkout') ``{
5
            steps ``{
6
                checkout scm
7
            ``}
8
        ``}
9
        stage('Install Dependencies') ``{
10
            steps ``{
11
                script ``{
12
                    // Example for npm-based project
13
                    sh 'npm install'
14
                ``}
15
            ``}
16
        ``}
17
        stage('Run OWASP Dependency-Check') ``{
18
            steps ``{
19
                script ``{
20
                    // Run Dependency-Check scan
21
                    sh 'dependency-check --scan . --format HTML --out target/dependency-check-report'
22
                ``}
23
            ``}
24
        ``}
25
        stage('Publish Report') ``{
26
            steps ``{
27
                // Publish Dependency-Check report as an artifact
28
                archiveArtifacts artifacts: 'target/dependency-check-report/.html', allowEmptyArchive: true
29
            ``}
30
        ``}
31
    ``}
32
    post ``{
33
        always ``{
34
            // Always clean up after the build
35
            cleanWs()
36
        ``}
37
    ``}
38
}

Step 3: View and Review Reports

Dependency-Check generates a detailed HTML report showing all vulnerabilities, their severity, and remediation steps.

You can view the report in Jenkins or download it to examine which vulnerabilities were identified.

Optional: Fail the Build on Vulnerability

To ensure that critical vulnerabilities fail the build, you can configure the pipeline to check for vulnerabilities' severity (e.g., HIGH or CRITICAL) and fail the build if necessary.

Example to fail the build if high-risk vulnerabilities are found:


xxxxxxxxxx
10
1
stage('Fail on Critical Vulnerabilities') ``{
2
    steps ``{
3
        script ``{
4
            def report = readFile 'target/dependency-check-report/dependency-check-report.html'
5
            if (report.contains('Critical')) ``{
6
                error "Build failed due to critical vulnerabilities."
7
            ``}
8
        ``}
9
    ``}
10
}

4. Integrating Other SCA Tools

Sonatype Nexus Lifecycle (for advanced policy enforcement)

Sonatype Nexus provides an extensive set of capabilities for managing and securing open-source components. Integrating Nexus with your CI/CD pipeline allows you to enforce security and license policies before dependencies are added to your codebase.

Example Nexus Lifecycle CLI integration:


xxxxxxxxxx
4
1
- name: Install Nexus CLI
2
  run: curl -L https://download.sonatype.com/nexus/cli/nexus-cli-1.0.1.jar -o nexus-cli.jar
3
- name: Run Nexus Lifecycle Scan
4
  run: java -jar nexus-cli.jar --scan

5. Best Practices for Integrating SCA

Automate Dependency Scanning:

Always run SCA checks as part of the CI/CD pipeline to ensure continuous security monitoring.

Fail Builds on Critical Vulnerabilities:

If vulnerabilities exceed a certain threshold (e.g., high severity), fail the build to enforce resolution before deployment.

Monitor for New Vulnerabilities:

Set up tools like Snyk or OWASP Dependency-Check to continuously monitor for new vulnerabilities in your dependencies.

Set Security Update Policies:

Create policies to regularly update dependencies, such as making dependency updates part of your sprint cycle or requiring regular updates via automated PRs.

Track License Compliance:

Many SCA tools also track license compliance. Ensure you're using the right licenses for the OSS components in your project.

Summary

By integrating Software Composition Analysis (SCA) into your CI/CD pipelines, you can proactively identify vulnerabilities, manage dependencies, and ensure compliance. Tools like Snyk, OWASP Dependency-Check, and Sonatype Nexus help automate this process, enabling your team to stay secure without sacrificing speed.

By incorporating these checks, your team can mitigate the risks associated with third-party libraries and open-source components, ensuring the security, quality, and compliance of your code.

Course Navigation Learn Azure DevOps from scratch

Understanding External Configuration Store Patt…

Understanding External Configuration Store Patterns in …

Learn about Organizational Structure for Agile …

Learn about Organizational Structure for Agile Practice…

Exploring the difference between Containers and…

Exploring the difference between Containers and Virtual…

Explore Build and Release Tasks in Azure DevOps

Explore Build and Release Tasks in Azure DevOps In Azur…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.