Integration Guide - Azure DevOps (TFS)

You can trigger a ZeroNorth-orchestrated artifact scan of a .NET project build from your Azure DevOps (TFS) CI/CD pipeline. This integration is made possible by the ZeroNorth standalone command-line executable, which acts as a proxy between the pipeline and your ZeroNorth account.

Features and Benefits:

  • Minimal disruption to the pipeline process.
  • Invoke one or more ZeroNorth-orchestrated scans from your CI/CD pipeline.
  • View scan results, history, etc. in ZeroNorth’s web UI as usual.
  • Embed security into DevOps, paving the path to DevSecOps.

Prerequisites

The steps described in this article assume that you have:

  • ZeroNorth License and Credentials
  • Access to ZeroNorth and the Scanning tools
  • ZeroNorth’s command-line executable (download link in the article Integration Guide - ZeroNorth Command-Line Interface (CLI))
  • Azure DevOps (TFS) CI/CD environment running on Win64 platform
  • Egress access to https://api.zeronorth.io from the above environment

Integration

An example flow with the ZeroNorth CLI executable integrated into a CI/CD workflow is as follows:
image

  1. The pipeline process produces a build artifact.
  2. An added step in the pipeline invokes the ZeroNorth CLI executable, providing to it:
  • The location of the build artifact
  • API authentication credentials
  • ZeroNorth Scan Policy details
  3. The ZeroNorth CLI executable submits the build artifact to the scan tool specified in the Scan Policy details.
  4. The scan results are made available via the ZeroNorth UI.

Setup

Obtain the ZeroNorth CLI Executable

The ZeroNorth CLI Executable is a standalone executable compiled to run on the Win64 platform (available for other platforms upon request). You can download the latest version of the executable from the download link at the bottom of the article Integration Guide - ZeroNorth Command-Line Interface (CLI).

Add a Step to the Pipeline Process

In this procedure, we will add a step that invokes the ZeroNorth CLI after a successful build in the pipeline. In Azure DevOps (TFS), below the build step in the pipeline, add a “Utility” step of the type “Command Line” with details like the example below:
image

The step illustrated above has the following features and details:

  • cybric_cli_yyyymmdd.exe - the name of the ZeroNorth CLI executable. The directory containing this executable must be in the system’s PATH environment variable on the build agent.
  • $(CYBRIC_API_KEY) - in this example, the ZeroNorth API key was defined in Azure DevOps (TFS) as a protected (secret) Process variable named “CYBRIC_API_KEY”. Keep the key out of the pipeline definition and source control; marking the variable as secret also masks its value in the build log.
  • %cd% - in most cases, the build artifact will be found in the default workspace of the project, which can be referenced as %cd% (current directory). This value can be changed as needed.
  • --policy_id - provide to this parameter the ID of the Scan Policy that was created in advance. The Scan Policy should be associated with a Target of type “Artifact” and a Scenario suitable for scanning your build artifact.
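The same step expressed as a YAML pipeline rather than the classic-editor screenshot, as an added example that is not part of the original article. The build task, the trigger branch, the agent image, the placeholder policy ID and the option names --api_key and --artifact_path are assumptions for illustration; the article names only --policy_id, so take the real option names for the API key and the artifact location from the ZeroNorth CLI guide. The API key is deliberately not written into the YAML: it is created as a secret pipeline variable in the Variables tab and passed to the cmd.exe step through the environment.

```yaml
# azure-pipelines.yml (added example, not ZeroNorth's own configuration)
trigger:
  - main                                  # assumed branch name

pool:
  vmImage: 'windows-latest'               # Win64 agent: the ZeroNorth CLI is a Win64 binary

variables:
  buildConfiguration: 'Release'
  # CYBRIC_API_KEY is intentionally NOT defined here. Create it in the pipeline's
  # Variables tab with "Keep this value secret" ticked so it is encrypted at rest
  # and masked (***) in the build log.

steps:
  - task: DotNetCoreCLI@2
    displayName: 'Build .NET project'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration)'

  # Equivalent of the "Command Line" utility step from the article. On a Windows
  # agent a "script" step runs under cmd.exe, so %cd% and %VAR% syntax apply.
  - script: |
      cybric_cli_yyyymmdd.exe --api_key %CYBRIC_API_KEY% --artifact_path %cd% --policy_id 0123456789abcdef
    displayName: 'ZeroNorth artifact scan'
    workingDirectory: '$(Build.SourcesDirectory)'   # same directory %cd% resolves to by default
    condition: succeeded()                 # run only after a successful build (the default, stated explicitly)
    env:
      # Secret variables are not exposed to scripts automatically; map it in here.
      # --api_key / --artifact_path and the policy ID are placeholders (assumed names).
      CYBRIC_API_KEY: $(CYBRIC_API_KEY)
```

If the scan step should not block delivery while you are piloting the integration, add `continueOnError: true` to the script step; remove it once you want a failed submission to fail the pipeline.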

For the full list of options and parameters to the ZeroNorth CLI executable, see the article Integration Guide - ZeroNorth Command-Line Interface (CLI) . The CLI executable also allows on-demand creation of Targets and Scan Policies in ZeroNorth.

A Special Case for SonarScanner for MSBuild/dotnet

To use SonarQube for your .NET project, the recommended approach is to use SonarQube’s TFS plugin to perform the scan and then use the ZeroNorth CLI executable to import the scan results into your ZeroNorth account. This approach is the most reliable and has the least disruption to an existing project pipeline.

The overall flow looks a little bit different:

  1. The pipeline process produces a build artifact.
  2. The Sonar plugin for Azure DevOps (TFS) scans the build (you configure this step in the pipeline as a step outside of the ZeroNorth orchestration).
  3. An added step in the pipeline invokes the ZeroNorth CLI executable, providing to it:
  • The Project Key of the project in SonarQube
  • API authentication credentials
  • ZeroNorth Scan Policy details
  4. The ZeroNorth CLI executable reads the SonarQube scan results from the SonarQube server specified in the ZeroNorth Scan Policy and then uploads the results to your ZeroNorth account.
  5. The scan results are made available via the ZeroNorth UI.

An Example

In the below example, the ZeroNorth CLI is used, not to orchestrate the scan, but simply to import the results of the SonarQube scan:
image

The step illustrated above has the following unique features and details:

  • --sonarqube_bypass_runner - this parameter tells ZeroNorth to skip running the scan and instead look for an existing scan result set in SonarQube.
  • --sonarqube_project_key <…> - use this parameter to specify the Project Key of the project as defined in your SonarQube server.
  • --policy_id - provide to this parameter the ID of the Scan Policy that was created in advance. The Scan Policy should be associated with a Target of type “Artifact” and specifically the “sonarqube-msbuild-runner” Scenario.
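The SonarQube import flow as a YAML pipeline, added here as an example and not taken from the original article. It uses the SonarQube extension's Prepare/Analyze/Publish tasks around the build, then the ZeroNorth CLI with the two options the article names. The service connection name, project key, agent image, placeholder policy ID and the option name --api_key are assumptions; the article does not give the API key option, so confirm it in the ZeroNorth CLI guide. The important ordering point is that SonarQubePublish waits for the SonarQube server to finish processing the analysis before the ZeroNorth import step reads the results.

```yaml
# azure-pipelines.yml (added example, not ZeroNorth's or SonarSource's own configuration)
trigger:
  - main                                  # assumed branch name

pool:
  vmImage: 'windows-latest'

variables:
  sonarProjectKey: 'my-dotnet-project'    # assumed key; must match the project in SonarQube
  # CYBRIC_API_KEY is a secret pipeline variable created in the Variables tab, not defined here.

steps:
  # 1. Scanner for MSBuild/dotnet must be prepared BEFORE the build is compiled.
  - task: SonarQubePrepare@4
    displayName: 'Prepare SonarQube analysis'
    inputs:
      SonarQube: 'sonarqube-connection'   # assumed service connection name
      scannerMode: 'MSBuild'
      projectKey: '$(sonarProjectKey)'
      projectName: 'My .NET Project'

  - task: DotNetCoreCLI@2
    displayName: 'Build .NET project'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration Release'

  # 2. Runs the analysis end step and submits the report to the SonarQube server.
  - task: SonarQubeAnalyze@4
    displayName: 'Run SonarQube analysis'

  # 3. Blocks until the server-side background task completes. Without this wait
  #    the import below can read the previous analysis instead of the current one.
  - task: SonarQubePublish@4
    displayName: 'Wait for SonarQube results'
    inputs:
      pollingTimeoutSec: '300'

  # 4. Import only: --sonarqube_bypass_runner skips the scan and reads the
  #    existing result set for the given project key (options from the article).
  - script: |
      cybric_cli_yyyymmdd.exe --api_key %CYBRIC_API_KEY% --sonarqube_bypass_runner --sonarqube_project_key %SONAR_PROJECT_KEY% --policy_id 0123456789abcdef
    displayName: 'Import SonarQube results into ZeroNorth'
    condition: succeeded()
    env:
      CYBRIC_API_KEY: $(CYBRIC_API_KEY)   # secret variable mapped in explicitly
      SONAR_PROJECT_KEY: $(sonarProjectKey)
      # --api_key and the policy ID are placeholders (assumed); replace with real values.
```

The Scan Policy referenced by --policy_id must point at the same SonarQube server the Prepare task's service connection targets; otherwise the CLI looks up the project key on a server that does not hold the analysis.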

Viewing Results

Use ZeroNorth’s web UI to view your scan results.