
Setting up an integration in Azure Pipelines

The steps to take to integrate Azure Pipelines with Scribe Hub

  1. If you haven't yet done so, open a free Scribe Hub account here.
  1. Get your Client Secret credentials from your Scribe Hub Integrations page.
  1. Log in to your Azure account.

  2. Follow the install-an-extension instructions to install our Valint-task from the Azure marketplace.

  1. Create a new project or go to an existing project.
  1. Inside the project, create a new repository (repo) if you don't already have one that you want to use Valint on with an Azure pipeline.
  1. Open your Azure DevOps project repository and make sure you have a YAML file named azure-pipelines.yml, or just click on Create a new pipeline.
  1. Add the Scribe code example shown below to your azure-pipelines.yml file.
trigger:
  branches:
    include:
    - main

jobs:
- job: scribe_azure_job
  displayName: 'Scribe Azure Job'
  pool:
    name: {Update pool name here} # Example: Mikey
    agent: {Update agent name here} # Example: azure-runner-ubuntu

  variables:
    imageName: 'pipelines-javascript-docker'

  steps:
  - task: scribeInstall@0

  - task: ValintCli@0
    inputs:
      command: bom
      target: nginx
      format: statement
      outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
      scribeEnable: true
      scribeClientId: $(CLIENTID)
      scribeClientSecret: $(CLIENTSECRET)

  - task: ValintCli@0
    inputs:
      command: verify
      target: nginx
      inputFormat: statement
      outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
      scribeEnable: true
      scribeClientId: $(CLIENTID)
      scribeClientSecret: $(CLIENTSECRET)
  1. Add the credentials to your Azure environment as described in the Azure DevOps guide, Set secret variables:

    • Go to the Pipelines page, select the appropriate pipeline, and then select Edit.

    • Locate the Variables for this pipeline.

    • Add or update the variable.

    • Select the Secret lock icon to store the variable in an encrypted manner.

    • Save the pipeline.

  2. You can now run the pipeline you created for your repository.

  1. To add your own policies to the pipeline check out this guide.

  2. To capture 3rd party tool results in the pipeline and turn it into evidence, check out this guide.
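
A pre-merge check for the two steps above (the pipeline YAML and the secret variables), added here as an example and not part of Scribe's documentation or tooling: it flags a `scribeClientId` or `scribeClientSecret` input that holds a literal value, and any assignment inside the YAML file to a variable those inputs reference. The function name `audit_pipeline` and the `GOOD`/`BAD` samples are hypothetical, and the scan is line-based rather than a full YAML parse.

```python
import re

CREDENTIAL_INPUTS = ("scribeClientId", "scribeClientSecret")  # ValintCli inputs from this page
MACRO = re.compile(r"^\$\(([A-Za-z_][\w.]*)\)$")               # value is exactly one $(VAR) macro
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([\w.]+)\s*:\s*(.*?)\s*$")

def audit_pipeline(yaml_text):
    """Return sorted (line, message) findings for Scribe credentials stored in the YAML itself."""
    rows = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        if m := KEY_VALUE.match(line.split(" #", 1)[0]):       # ignore trailing comments
            rows.append((lineno, m.group(1), m.group(2).strip("'\"")))
    findings, secret_vars = [], set()
    for lineno, key, value in rows:
        if key in CREDENTIAL_INPUTS:
            ref = MACRO.match(value)
            if ref:
                secret_vars.add(ref.group(1).upper())          # compared case-insensitively, to be conservative
            else:
                findings.append((lineno, f"{key} is a literal, not a $(VAR) reference"))
    # Variables feeding a credential input belong in the pipeline's secret variables, not in the file.
    for i, (lineno, key, value) in enumerate(rows):
        next_key = rows[i + 1][1] if i + 1 < len(rows) else ""
        if key.upper() in secret_vars and value:
            findings.append((lineno, f"{key} is assigned in the YAML file"))
        elif key == "name" and value.upper() in secret_vars and next_key == "value":
            findings.append((lineno, f"{value} is assigned in the YAML file"))
    return sorted(findings)

# Constructed sample inputs (not real credentials).
GOOD = """\
steps:
- task: ValintCli@0
  inputs:
    scribeClientId: $(CLIENTID)
    scribeClientSecret: $(CLIENTSECRET)
"""
BAD = """\
variables:
  CLIENTSECRET: 'constructed-example-secret'
steps:
- task: ValintCli@0
  inputs:
    scribeClientId: constructed-example-id
    scribeClientSecret: $(CLIENTSECRET)
"""

if __name__ == "__main__":
    print(audit_pipeline(GOOD), audit_pipeline(BAD))
```

An empty result means every credential input is a `$(VAR)` reference and none of the referenced variables is defined in the file, which matches the setup where the values live only in the pipeline's secret variables.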

Where to go on Scribe Hub

Now that you've created your first set of evidence you can log into your Scribe Hub to view the results.

The first place to look to make sure your evidence has been uploaded properly is the Evidence report. The evidence report shows all the evidence you have collected and uploaded to Scribe Hub from all your pipelines and projects.

To see more details on your pipeline, you can check out the Product page.

The products page shows you your products along with some basic information: how many subscribers you have added to this product, when the latest version of it was created (the last pipeline run), how many components were identified in the project, whether the source code integrity was verified, how many high (or higher) vulnerabilities were identified, and how the project stands in terms of compliance with the SSDF and SLSA frameworks.

Clicking on a product will show you all the product's builds and their information:

For each build you can see its version ID, the build date, whether the source code integrity was verified, the number and severity of vulnerabilities, how that build stands in terms of compliance, whether the build was published, and whether its signature was verified.

For more information on the pipeline you just completed, click on the last build uploaded (the top of the list) and you'll get to the build dashboard:

The dashboard is your main access point for this build's reports. You can see a summary of the build's compliance information for each of the frameworks, a summary of the vulnerability information, and the integrity validation information.

Where to go next

  • To learn more about what you can see, learn, and access about your build and your product, look at the reports guide section.
  • To learn how to create and manage SBOMs and vulnerabilities go to this guide.
  • To learn about Scribe's use of the SLSA framework go to this guide.
  • To learn about enforcing SDLC policies go to this guide.
  • To learn how to achieve SSDF compliance go to this guide.
  • To learn how to secure your builds go to this guide.