Azure Pipelines Integration

Introduction

Azure Pipelines combines continuous integration (CI) and continuous delivery (CD) to test, build and ship your code to any target.

The following configuration examples show how to install and run the scanner using an API token stored as a secret named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner, or ask your Xygeni administrator to generate it.

To register a new secret in Azure DevOps, see Secret variables.

Using the Xygeni Task for Azure Pipelines

The simplest way to run the scanner in Azure Pipelines is to use the Xygeni Task. The task uses the Xygeni CLI to scan the software for vulnerabilities, malware and misconfigurations.

The API token should be registered safely as a (secret) pipeline variable. If you name the variable XYGENI_TOKEN, the task will look for it automatically. Otherwise, you can pass it in an environment variable such as XYGENI_TOKEN and set the input property xygeniToken = 'env:XYGENI_TOKEN'.

Installation

From the Xygeni Task in the Azure DevOps Marketplace, you can install for an Azure DevOps organization by clicking the Get it free button. There you select the Azure DevOps organizations where you want to install the task.

For Azure DevOps Server, the task can be downloaded as a .vsix file and installed from your Azure DevOps Server Extensions page (for example, http://someserver/_gallery/manage). Click Upload new extension, select the downloaded .vsix file, click Install and select the Team Project Collection to install into.

Adding the task as a pipeline step

Edit your pipeline and add the Xygeni task as a pipeline step: in the Task Assistant, filter by Xygeni and click Xygeni Security Scanner:

Edit the scan properties (1) by choosing the scan operations and the directory to scan. Then click the Add button to add the YAML to the pipeline.

By default the XYGENI_TOKEN pipeline (secret) variable will be used if the Xygeni API Token field is not specified.

You can also edit the YAML source directly (2) in the Pipeline Editor. Autocomplete will work to help you fill in the task properties.

To make the scan findings available for inspection or for use by other pipeline steps, you may want to publish the findings as an artifact. Use the Publish Build Artifacts task to do so, as shown in (3) in the screenshot.

Task properties

The following is an example of the Xygeni task, including the most relevant parameters.

steps:
# ...Other build steps here...

- task: xygeni-scanner@1
  displayName: 'Run Xygeni Scanner'
  env:
    XYGENI_TOKEN: $(XYGENI_TOKEN)
    # Token for checking Azure DevOps configuration for misconfigurations
    AZURE_TOKEN: $(AZURE_TOKEN)
  inputs:
    scanDirectory: '$(Build.Repository.LocalPath)'
    xygeniToken: 'env:XYGENI_TOKEN'
    deps: true
    inventory: true
    secrets: true
    misconfig: true
    suspectdeps: true
    iac: true
    outputFile: '$(Build.ArtifactStagingDirectory)/xygeni/findings.json'
    outputFormat: json

- task: PublishBuildArtifacts@1
  displayName: 'Publish xygeni findings as artifacts'
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)/xygeni'
    ArtifactName: 'Xygeni_findings'

Using the installation script

Another option is to download and unzip the scanner and run the CLI. Suppose that the secret xygeniToken stores the Xygeni API token. In a Linux runner, you may use the Bash task:

steps:
- task: Bash@3
  displayName: 'Install xygeni scanner'
  inputs:
    targetType: 'inline'
    # Use a literal block (|) so each command stays on its own line;
    # a folded block (>) would join the three commands into a single line
    script: |
      curl -s -L https://get.xygeni.io/latest/scanner/xygeni-release.zip -o xygeni_scanner.zip
      unzip -qq xygeni_scanner.zip -d $(Pipeline.Workspace)
      rm xygeni_scanner.zip

- task: Bash@3
  displayName: 'Scan for issues'
  inputs:
    targetType: 'inline'
    # Change the command arguments to match your needs.
    # PROJECT_NAME and PROJECT_HOME are task environment variables (see env: below),
    # so the script reads them with shell syntax rather than $(...) macro syntax
    script: |
      echo "Starting Xygeni scan for $PROJECT_NAME"
      $(Pipeline.Workspace)/xygeni_scanner/xygeni scan -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
  env:
    PROJECT_NAME: $(System.TeamProject)
    PROJECT_HOME: $(Build.SourcesDirectory)
    XYGENI_TOKEN: $(xygeniToken)
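As an added example that is not part of the Xygeni documentation, the script below wraps the two inline Bash steps above into one guarded POSIX shell file: it fails early (without logging the value) when the token secret was not mapped into the environment, skips the download when the scanner is already extracted, and reads its settings from plain environment variables instead of $(...) macros. The env mapping names WORKSPACE, PROJECT_NAME and PROJECT_HOME, and the unpacked layout xygeni_scanner/xygeni, are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added example (not from the Xygeni docs): a guarded version of the inline Bash
# steps above. Fails early, without printing the value, when the token secret was
# not mapped into the environment; reuses an already extracted scanner; and reads
# settings from plain env vars instead of $(...) macros. Assumed task env mapping:
#   XYGENI_TOKEN: $(xygeniToken)  PROJECT_NAME: $(System.TeamProject)
#   PROJECT_HOME: $(Build.SourcesDirectory)  WORKSPACE: $(Pipeline.Workspace)
set -eu
SCANNER_URL="https://get.xygeni.io/latest/scanner/xygeni-release.zip"

# 0 if the variable named by $1 is set and non-empty, 1 otherwise. Only the
# variable name reaches the log, never its value.
require_secret() {
  eval "value=\"\${$1:-}\""
  if [ -z "$value" ]; then
    echo "ERROR: $1 is empty; map the secret with env: $1: \$($1)" >&2
    return 1
  fi
}

# Scanner executable under a workspace; assumes the zip unpacks into
# <workspace>/xygeni_scanner/ as in the steps above.
scanner_path() {
  echo "$1/xygeni_scanner/xygeni"
}

# Download and unzip only when the executable is missing, so agents that keep
# the workspace between runs get the caching the task provides.
install_scanner() {
  bin=$(scanner_path "$1")
  if [ -x "$bin" ]; then
    echo "Scanner already present at $bin, skipping download"
    return 0
  fi
  tmp=$(mktemp -d)
  curl -sSfL "$SCANNER_URL" -o "$tmp/xygeni_scanner.zip"
  unzip -qq "$tmp/xygeni_scanner.zip" -d "$1"
  rm -rf "$tmp"
  [ -x "$bin" ] || { echo "ERROR: $bin missing after unzip" >&2; return 1; }
}
main() {
  require_secret XYGENI_TOKEN
  install_scanner "$WORKSPACE"
  echo "Starting Xygeni scan for $PROJECT_NAME"
  "$(scanner_path "$WORKSPACE")" scan -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
}

# The pipeline step invokes this file as: sh xygeni_scan.sh run
case "${1:-}" in run) main ;; esac
```

In the pipeline, a single Bash@3 task with targetType filePath can call the script with the run argument and the env mapping listed in the header comment.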

Under Windows, you may use the PowerShell task instead of the Bash task, and run xygeni.ps1 instead:

steps:
  - task: PowerShell@2
    displayName: 'Install xygeni scanner'
    inputs:
      targetType: 'inline'
      script: |
        $zipPath = "xygeni_scanner.zip"
        $extractPath = "$(Pipeline.Workspace)"
        Write-Host "Downloading Xygeni scanner..."
        Invoke-WebRequest -Uri "https://get.xygeni.io/latest/scanner/xygeni-release.zip" -OutFile $zipPath
        Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force
        Remove-Item $zipPath -Force

  - task: PowerShell@2
    displayName: 'Scan for issues'
    inputs:
      targetType: 'inline'
      # Change the command arguments to match your needs
      script: |
        Write-Host "Starting Xygeni scan for $env:PROJECT_NAME"
        $scannerScript = "$(Pipeline.Workspace)\xygeni_scanner\xygeni.ps1"
        & $scannerScript scan -n $env:PROJECT_NAME --dir $env:PROJECT_HOME
    env:
      PROJECT_NAME: $(System.TeamProject)
      PROJECT_HOME: $(Build.SourcesDirectory)
      XYGENI_TOKEN: $(xygeniToken)

We recommend using the task, as it keeps the scanner cached between runs and makes configuration easier using the Azure Pipelines UI instead of manually editing the pipeline YAML.

Please refer to the scanner documentation for full details on the scanner command line options and configuration.
