The SOOS Azure DevOps Task is currently invite only. Please email support@soos.io or use the Contact Us option under the Help menu to request access.

Please include your Azure DevOps organization name!

[Screenshot: contact SOOS link]

After you receive the SOOS invitation, the SOOS task appears under the Shared extension listing in your Organization Settings. Click the option to install the task. The installation is complete when the task appears under the Installed listing.

[Screenshot: view SOOS installed extension]

After the task is installed, download the Script Integration content from the Azure DevOps Integrations page in the SOOS app and paste it into your existing pipeline YAML file, or search for SOOS under Tasks.

-or-

[Screenshot: SOOS install step]


Setup Variables

Configure the SOOS variables, either directly in the YAML section or in the Task variables section. Use the API Key and Client ID values you collected from the SOOS App.

Make sure to also set the Project Name (which groups scans together) and the Build and Branch parameters if available.

  • Providing the branch and build parameters lets SOOS tie scans and issues together across builds and provide more meaningful, actionable insights.

[Screenshot: insert SOOS API Key and Client ID]

Additional Azure Pipeline Setup Notes

Enable the following parameters in your pipeline as desired:

  • continueOnError - prevents a failed build during a SOOS maintenance window (SOOS Task option)
  • waitForScan - waits for the analysis scan to complete before the task finishes (SOOS script parameter)

For example:

- task: SOOS-Security-Analysis@0
  displayName: 'Analysis Scan'
  continueOnError: true
  inputs:
    path: $(Build.SourcesDirectory)
    project: ***
    clientId: ***
    apiKey: ***
    waitForScan: true

These options allow SOOS to return scan status information to Azure. The task will either Succeed or Fail with one of the following messages:

  • Scan completed with # vulnerabilities and # violations.
  • Scan failed.
    • Appears if an error occurred on the SOOS side while performing the scan.
  • Scan failed with # vulnerabilities and # violations.
    • Appears if the Scan/Build configurations are turned on and the corresponding settings in Azure are set to fail the build when vulnerabilities or violations are found. Note that Scan/Build settings can be set at both the global and project level; make sure to check both.
    • The specifics of the vulnerabilities and violations must be viewed in SOOS; this information is not returned to Azure.
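The task definition above uses *** placeholders; the pipeline below, an added example that is not part of the SOOS documentation, shows the same task reading the Client ID and API Key from secret pipeline variables instead of literals committed to the repository. The variable group name soos-credentials, the variable names SOOS_CLIENT_ID and SOOS_API_KEY, and the project name my-service are assumptions; the task name and input names are the ones documented above.

```yaml
# Added example (not from the SOOS docs): minimal azure-pipelines.yml that keeps
# the SOOS credentials out of source control.
# Assumed names:
#   - variable group "soos-credentials" (Pipelines > Library) holding
#     SOOS_CLIENT_ID and SOOS_API_KEY, both marked as secret so they are
#     masked in build logs
#   - SOOS project name "my-service"
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  - group: soos-credentials   # assumed group name; must exist in the Library

steps:
  - checkout: self

  # Task name and inputs are the ones shown in the documentation above;
  # only the values differ.
  - task: SOOS-Security-Analysis@0
    displayName: 'Analysis Scan'
    # true: a SOOS-side failure (e.g. a maintenance window) does not fail the
    # build. Set to false if the scan result is meant to gate the build.
    continueOnError: true
    inputs:
      path: $(Build.SourcesDirectory)
      project: my-service            # assumed; groups scans together in SOOS
      clientId: $(SOOS_CLIENT_ID)    # resolved from the variable group
      apiKey: $(SOOS_API_KEY)        # secret variable, never a literal here
      waitForScan: true              # block until SOOS reports the result
```

Secret variables are substituted into task inputs at run time and masked in the log, so a pipeline run shows *** in place of the key even if the task echoes its inputs.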

Run It

To run the SOOS Azure DevOps task against your repository’s code, just execute a build or commit a change. The build uses the variables you created for the API Key and Client ID.