Using Snyk to implement end-to-end DevSecOps on Microsoft Azure

Written by:
Daniel Berman
Daniel Berman

May 26, 2020

0 mins read

We’re pleased to announce that we’ve added support for Azure Repos Server, enabling developers using Azure’s on-prem DevOps service to identify and fix security vulnerabilities and license issues in open source dependencies.

The new integration complements our support across the Microsoft Azure ecosystem—starting with Azure Repos (cloud-based and now on-premises as well), and running through Azure Pipelines, Azure Container Registry, and Azure Functions—helping Azure users implement DevSecOps across their software development lifecycle.

Azure Repos Server is part of Azure DevOps Server, previously known as Team Foundation Server (TFS)—a set of collaborative software development tools, hosted on-premises. It allows developers to manage their Git development workflow on-premises, with pull requests and advanced file management.

The new integration allows developers using Azure Repos Server to:

  • Detect existing vulnerabilities in projects managed in Azure Repos Server. Each vulnerability is displayed with actionable and contextual information such as the exact dependency path the issue was introduced to accelerate the triaging process.

  • Prevent new vulnerabilities from being introduced by scanning new pull requests. Each new pull request is scanned within Azure Repos Server before being merged to verify that the PR does not introduce new vulnerabilities.

  • Fix identified issues. Snyk calculates the required fix for both direct and transitive dependencies and automatically populates a fix pull request with the required upgrades or patches, all from within the Azure Repos Serverworkflow.

  • Continuously monitor for new vulnerabilities. Snyk monitors the imported projects on a daily basis and notifies developers whenever new vulnerabilities are disclosed. Policies can be defined to configure the vulnerability severity level that fails the merge.

Let’s take a closer look.

Integrating Snyk with Azure Repos Server

To set up the integration, we first need to retrieve two details from Azure—the URL of our Azure Repos Server org and an access token.

When creating our Snyk access token, we need to make sure we select Custom defined and then set the expiration date as furthest away as possible. Additionally, under Scopes | Code, we need to select Read & write.

wordpress-sync/azure_repos_access_token

With those two details in hand, we can head over to the Integrations page in Snyk and select Azure Repos.

wordpress-sync/azure_repos_integration_page

We now need to enter the URL of our Azure Repos Server org and the token we created above.

wordpress-sync/azure_repos_integration_settings

After hitting the Save button, we see a success message informing us that Snyk has managed to integrate with Azure Repos Server.

wordpress-sync/azure_repos_integration_success

All that’s needed to do now is click Add your Azure Repos repositories to Snyk and select the repositories we wish to secure with Snyk.

wordpress-sync/azure_repos_import_project

Snyk imports our project and performs an initial scan for security vulnerabilities and license issues. As we can see in the example here, our demo node.js project contains a number of vulnerabilities with various severity levels.

wordpress-sync/azure_repos_project_imported

Fixing vulnerabilities

Now that we’ve set up the integration, we can start using Snyk to find and fix vulnerabilities.

Opening the project reveals all the issues Snyk has identified in our Azure Repos Server repository—66 security vulnerabilities and 2 license issues, introduced via the open source dependencies in the project.

wordpress-sync/zazure_repos_projectpage

Snyk provides actionable remediation advice to help us quickly fix issues, including the full dependency path through which the issue was introduced, an indication of whether the vulnerability is exploitable or not, and the required upgrade to fix the issue.

wordpress-sync/azure_repos_prioritization

Clicking Fix this vulnerabilityautomatically opens a pull request in Azure Repos Server populated with the required upgrade.

wordpress-sync/azure_repos_fix_pr

Continuous security

Snyk ensures our Azure Repos Server repositories remain secure by continuously monitoring for new vulnerabilities.

First, Snyk notifies us when a new vulnerability is disclosed and is identified in our projects, providing all the details needed to quickly fix the vulnerability.

Second, Snyk also ensures changes made to the code do not introduce new vulnerabilities. Each time a new pull request is opened in Azure Repos Server, Snyk automatically scans it for both security vulnerabilities and license issues to ensure issues are resolved before merging.

Supporting DevSecOps throughout the Azure SDLC

This integration is the latest in a series of native integrations Snyk provides Microsoft Azure users, helping developers secure their applications throughout the SDLC—from code development, throughout CI/CD, and then during runtime. 

To get started with any of these integrations, visit the Integrations page in Snyk or read more about it in our Azure Repos integration documentation.

Please note that the integration supports TFS v2018 Update 2 and above and is available only for our Pro and Enterprise plans.

Stay secure!

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo