Add security testing to pull requests in Azure Repos

Simon Maple
May 6, 2019 | in Ecosystems, DevSecOps
| By Simon Maple, Edward Thompson

The following is a best practice guideline from our series of 8 Azure Repos security best practices

DOWNLOAD THE CHEAT SHEET!

7. Add security testing to pull requests in Azure Repos

By adding Snyk’s native integration with Azure Repos, each pull request will be tested to ensure new vulnerabilities aren’t introduced into the code base. Policies can be defined to configure the severity level of a vulnerability that fails the merge. The following image displays a failed PR due to new vulnerabilities that it would have added:

azure repos security best practices to find a security vulnerability in CI

If Snyk finds a vulnerability it provides developers with the needed tools in order to triage and fix the vulnerabilities. Snyk calculates the required fix for both direct and transitive dependencies and automatically populates a fix pull request with the required upgrades or patches, all from within the Azure Repos workflow. The following image displays a fix PR created by Snyk

azure repos security best practices with snyk bot open automatic fix PR

* The functionality of Fix PR and testing new PRs is in closed beta. Please contact us if you would like to join it.


Continue reading the list of 8 Azure Repos security best practices:

  1. Never store credentials as code/config in Azure Repos
  2. Remove sensitive data in your files and Azure Repos history
  3. Tightly control access
  4. Add a SECURITY.md file
  5. Use Personal Access Tokens
  6. Provide granular permissions and groups for users
  7. Add security testing to Pull Requests
  8. Rotate SSH keys and personal access tokens

If you haven’t done so yet, make sure you download this cheat sheet now and pin it up, so your future decisions are secure decisions!

8 Azure Repos Security Best Practices