Using Snyk to implement end-to-end DevSecOps on Microsoft Azure

We’re pleased to announce that we’ve added support for Azure Repos Server, enabling developers using Azure’s on-prem DevOps service to identify and fix security vulnerabilities and license issues in open source dependencies.

The new integration complements our support across the Microsoft Azure ecosystem—starting with Azure Repos (cloud-based and now on-premises as well), and running through Azure Pipelines, Azure Container Registry, and Azure Functions—helping Azure users implement DevSecOps across their software development lifecycle.

Azure Repos Server is part of Azure DevOps Server, previously known as Team Foundation Server (TFS)—a set of collaborative software development tools, hosted on-premises. It allows developers to manage their Git development workflow on-premises, with pull requests and advanced file management.

The new integration allows developers using Azure Repos Server to:

• Detect existing vulnerabilities in projects managed in Azure Repos Server. Each vulnerability is displayed with actionable and contextual information such as the exact dependency path the issue was introduced to accelerate the triaging process.

• Prevent new vulnerabilities from being introduced by scanning new pull requests. Each new pull request is scanned within Azure Repos Server before being merged to verify that the PR does not introduce new vulnerabilities.

• Fix identified issues. Snyk calculates the required fix for both direct and transitive dependencies and automatically populates a fix pull request with the required upgrades or patches, all from within the Azure Repos Serverworkflow.

• Continuously monitor for new vulnerabilities. Snyk monitors the imported projects on a daily basis and notifies developers whenever new vulnerabilities are disclosed. Policies can be defined to configure the vulnerability severity level that fails the merge.

Let’s take a closer look.

Integrating Snyk with Azure Repos Server

To set up the integration, we first need to retrieve two details from Azure—the URL of our Azure Repos Server org and an access token.

When creating our Snyk access token, we need to make sure we select Custom defined and then set the expiration date as furthest away as possible. Additionally, under Scopes | Code, we need to select Read & write.

With those two details in hand, we can head over to the Integrations page in Snyk and select Azure Repos.

We now need to enter the URL of our Azure Repos Server org and the token we created above.

After hitting the Save button, we see a success message informing us that Snyk has managed to integrate with Azure Repos Server.

All that’s needed to do now is click Add your Azure Repos repositories to Snyk and select the repositories we wish to secure with Snyk.

Snyk imports our project and performs an initial scan for security vulnerabilities and license issues. As we can see in the example here, our demo node.js project contains a number of vulnerabilities with various severity levels.

Fixing vulnerabilities

Now that we’ve set up the integration, we can start using Snyk to find and fix vulnerabilities.

Opening the project reveals all the issues Snyk has identified in our Azure Repos Server repository—66 security vulnerabilities and 2 license issues, introduced via the open source dependencies in the project.

Snyk provides actionable remediation advice to help us quickly fix issues, including the full dependency path through which the issue was introduced, an indication of whether the vulnerability is exploitable or not, and the required upgrade to fix the issue.

Clicking Fix this vulnerabilityautomatically opens a pull request in Azure Repos Server populated with the required upgrade.

Continuous security

Snyk ensures our Azure Repos Server repositories remain secure by continuously monitoring for new vulnerabilities.

First, Snyk notifies us when a new vulnerability is disclosed and is identified in our projects, providing all the details needed to quickly fix the vulnerability.

Second, Snyk also ensures changes made to the code do not introduce new vulnerabilities. Each time a new pull request is opened in Azure Repos Server, Snyk automatically scans it for both security vulnerabilities and license issues to ensure issues are resolved before merging.

Supporting DevSecOps throughout the Azure SDLC

This integration is the latest in a series of native integrations Snyk provides Microsoft Azure users, helping developers secure their applications throughout the SDLC—from code development, throughout CI/CD, and then during runtime. 

To get started with any of these integrations, visit the Integrations page in Snyk or read more about it in our Azure Repos integration documentation.

Please note that the integration supports TFS v2018 Update 2 and above and is available only for our Pro and Enterprise plans.

Stay secure!