Created
August 1, 2020 06:38
-
-
Save mysticrenji/cda75053af85c8a75b6c49fedd57de13 to your computer and use it in GitHub Desktop.
Azure pipelines with integrated Sonar, WhiteSource and OWASP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ASP.NET Core (.NET Framework) | |
| trigger: | |
| - master | |
| stages: | |
| - stage: BuildDeployStage | |
| jobs: | |
| - job: Build | |
| pool: Default | |
| variables: | |
| solution: '**/*.sln' | |
| buildPlatform: 'Any CPU' | |
| buildConfiguration: 'Release' | |
| steps: | |
| - task: SonarQubePrepare@4 # Add the Sonar Service connection in the project settings | |
| inputs: | |
| SonarQube: 'SonarQube' | |
| scannerMode: 'MSBuild' | |
| projectKey: 'DevSecOps' | |
| projectName: 'DevSecOps' | |
| - task: DotNetCoreCLI@2 | |
| inputs: | |
| command: 'build' | |
| projects: '$(Build.SourcesDirectory)/DevSecOps/*.csproj' | |
| - task: Bash@3 | |
| inputs: | |
| targetType: 'inline' | |
| script: | | |
| #!/bin/sh | |
| DC_VERSION="latest" | |
| DC_DIRECTORY=$HOME/OWASP-Dependency-Check | |
| DC_PROJECT="dependency-check scan: $(pwd)" | |
| DATA_DIRECTORY="$DC_DIRECTORY/data" | |
| CACHE_DIRECTORY="$DC_DIRECTORY/data/cache" | |
| if [ ! -d "$DATA_DIRECTORY" ]; then | |
| echo "Initially creating persistent directory: $DATA_DIRECTORY" | |
| mkdir -p "$DATA_DIRECTORY" | |
| fi | |
| if [ ! -d "$CACHE_DIRECTORY" ]; then | |
| echo "Initially creating persistent directory: $CACHE_DIRECTORY" | |
| mkdir -p "$CACHE_DIRECTORY" | |
| fi | |
| # Make sure we are using the latest version | |
| docker pull owasp/dependency-check:$DC_VERSION | |
| docker run --rm \ | |
| -e user=$USER \ | |
| -u $(id -u ${USER}):$(id -g ${USER}) \ | |
| --volume $(pwd):/src:z \ | |
| --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data:z \ | |
| --volume $(pwd)/odc-reports:/report:z \ | |
| owasp/dependency-check:$DC_VERSION \ | |
| --scan /src \ | |
| --format "ALL" \ | |
| --project "$DC_PROJECT" \ | |
| --out /report | |
| # Use suppression like this: (where /src == $pwd) | |
| # --suppression "/src/security/dependency-check-suppression.xml" | |
| workingDirectory: '$(Build.SourcesDirectory)/DevSecOps/' | |
| - task: WhiteSource Bolt@20 # Add the WhiteSource extension from Azure Devops Marketplace | |
| inputs: | |
| cwd: '$(Build.SourcesDirectory)' | |
| advance: true | |
| - task: SonarQubeAnalyze@4 | |
| - task: SonarQubePublish@4 | |
| inputs: | |
| pollingTimeoutSec: '300' | |
| - task: DotNetCoreCLI@2 | |
| inputs: | |
| command: 'publish' | |
| publishWebProjects: true | |
| modifyOutputPath: false | |
| - task: AzureRmWebAppDeployment@4 # Deployment to Azure App Service Via WINRM task | |
| inputs: | |
| ConnectionType: 'AzureRM' | |
| azureSubscription: '<Azure Subscription>' | |
| appType: 'webApp' | |
| WebAppName: '<WebAppName>' | |
| packageForLinux: '$(build.artifactStagingDirectory)/*.zip' | |
| - stage: PenetrationTesting | |
| jobs: | |
| - job: Testing | |
| pool: Default | |
| steps: | |
| - task: OwaspZapScan@2 # Run the OWASP ZAP container in the build machine with param required - "docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080" | |
| inputs: | |
| ZapApiUrl: '<ZAPScannerURL>' | |
| ZapApiKey: '<ApiKey>' | |
| TargetUrl: '<WebsiteUrl>' | |
| ExecuteSpiderScan: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment