Endor Labs helps developers spend less time dealing with security issues and more time accelerating development through safe Open Source Software (OSS) adoption. Our Dependency Lifecycle Management™ Solution helps organizations maximize software reuse by enabling security and development teams to select, secure, and maintain OSS at scale.
The Endor Labs azure pipeline task may be used to repeatably integrate Endor Labs scanning into your ADO CI pipelines.
-
You must have an account with Endor Labs, please follow the steps here to sign-in to Endor Labs.
-
Create API key and API secret to be used for authentication with Endor Labs.
Install the Endor labs extension into your Azure devops organization.
Configure service connection end-point for Endor Labs using the API key and secrets.
Within azure pipelines definition configure the Endor Labs task to scan.
trigger:
- none
pool:
name: Azure Pipelines
vmImage: "windows-latest"
steps:
- task: EndorLabsScan@0
inputs:
serviceConnectionEndpoint: 'endorlabs-service-connection'
namespace: 'endor'
The following input global parameters are supported for the Endor Labs Azure pipeline extension:
| Flags | Description |
|---|---|
serviceConnectionEndpoint |
Set the service connection endpoint name created to authenticate with Endor Labs. (Required) |
namespace |
Set to the namespace of the project that you are working with. (Required) |
endorctlChecksum |
Set to the checksum associated with a pinned version of endorctl. |
endorctlVersion |
Set to a version of endorctl to pin this specific version for use. Defaults to the latest version. |
logLevel |
Set the log level. (Default: info) |
logVerbose |
Set to true to enable verbose logging. (Default: false) |
enableDetachedRefName |
Set to true to automatically add detached-ref-name and use the actual branch name instead of commit SHA. Set to false to disable this behavior and continue using commit SHA. (Default: true) |
The following input parameters are also supported for the Endor Labs Azure pipeline extension when used for scanning:
| Flags | Description |
|---|---|
additionalArgs |
Use additionalArgs to add custom arguments to the endorctl scan command. |
phantomDependencies |
Set to true to enable phantom dependency analysis. (Default: false) |
sarifFile |
Set to a location on your hosted agent to output the findings in SARIF format. |
scanDependencies |
Scan git commits and generate findings for all dependencies. (Default: true) |
scanGitLogs |
Perform a more complete and detailed scan of secrets in the repository history. Must be used together with scanSecrets. (Default: false) |
scanPath |
Set the path to the directory to scan. (Default: .) |
scanSast |
Set to true to enable sast scan. (Default: false) |
scanSecrets |
Scan source code repository and generate findings for secrets. See also scanGitLogs. (Default: false) |
scanTools |
Scan source code repository for CI/CD tools. (Default: false) |
tags |
Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
scanPackage |
Scan a specified artifact or a package. The path to an artifact must be set with scanPath. (Default: false) |
scanContainer |
Scan a specified container image. The image must be set with image and a project can be defined with projectName. (Default: false) |
projectName |
Specify a project name for a container image scan or for a package scan. |
image |
Specify a container image to scan. |
trigger:
- none
pool:
name: Azure Pipelines
vmImage: "windows-latest"
steps:
- task: EndorLabsScan@0
inputs:
serviceConnectionEndpoint: 'endorlabs-service-connection'
namespace: 'endor'
sarifFile: 'scanresults.sarif'
- task: AdvancedSecurity-Publish@1
displayName: Publish 'scanresults.sarif' to Advanced Security
inputs:
SarifsInputDirectory: $(Build.SourcesDirectory)\