Skip to main content

Azure DevOps Self-Hosted

Notice

It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Managing Checkmarx One Traffic and AWS S3 Access

Additionally, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.

Overview

Checkmarx One supports Azure DevOps integration, enabling automated scanning of your Azure DevOps projects whenever the code is updated. Checkmarx One's Azure DevOps integration listens for Azure DevOps commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in the Checkmarx One Platform.

Additionally, for pull requests, a comment is created in Azure DevOps, which includes a scan summary, list of vulnerabilities and a link to the scan results in Checkmarx One.

The integration is performed on a per-project basis, where a dedicated Checkmarx One Project corresponds to a specific Azure DevOps repository. You can select several repositories to create multiple integrations in a bulk action.

Checkmarx One supports integration with only one Azure DevOps self-hosted instance. Following a successful integration, the instance cannot be removed but can be updated, provided there are sufficient Checkmarx One permissions. To remove an existing instance please contact Checkmarx One support team.

Notice

This integration supports both public and private git based repos.

Prerequisites

  • The source code for your project is hosted on a Azure DevOps repo.

  • You have a Checkmarx One account and have credentials to log in to your account.

    Important

    Creating new import configurations or editing existing configurations requires update-tenant-params permission. Importing new Projects using an existing configuration requires create-project permission.

  • The Azure DevOps user has admin privileges for this repo, see Code Repository Integrations.

  • Verify that in the Azure DevOps Organization settings under Organization Settings → Policies → “Third-Party application access via OAuth” is enabled - For additional assistance use the following link: Azure DevOps connection and security policies.

    For example:

    6297288859.png

To retrieve your Azure DevOps Username & Token, perform the following steps:

  1. In your Azure DevOps account, click on your user > Security.

    Azure_SH_Security.png
  2. Click on Personal Access Tokens > + New Token.

    A panel will be opened on the right screen side.

  3. Configure the following fields:

    • Name - Token name.

    • Organization - All accessible organizations.

    • Scopes - Custom defined.

      • Code - Read, Status.

      • Pull Request Thread - Read & write.

        Azure_SH_Config_Token.png
        Azure_SH_Config_Token2.png
    • Click Create.

  4. Copy the token.

    Azure_SH_Copy_Token.png

Setting up the Integration and Initiating a Scan

This process involves first connecting to your repo by specifying the repo URL and your authentication credentials, and then selecting the repos to import and configuring the Project settings.

It is possible to configure multiple configurations for connecting to Azure self-hosted code repositories, each using a different URL and/or different authentication credentials. Once the initial configuration is set up, for each subsequent import action you can choose either to use the existing configuration or to create a new one.

To create Azure DevOps self-hosted code repository Projects:

  1. In the Workspace Workspace.png, click on New > New Project - Code Repository Integration.

    Code_Repo_Integration.png

    The Import From window opens.

    Import_From.png
  2. Select Self-Hosted > Azure.

    Image_047.png
  3. Configure the connection to your code repository, as follows:

    • If you are setting up an import configuration for the first time, enter data for the following fields and then click Save & Continue.

      • Instance Name - Designate a name for this import configuration.

      • URL - Your Azure DevOps self-managed domain.

        For example: https://azure.example.com

      • Token - See Retrieving Azure DevOps Username & Token for retrieving your Azure DevOps token.

        Image_048.png
    • If you are adding Projects using an existing configuration, select the radio button next to the configuration that you would like to use, and then click Next.

      Image_049.png
    • If you are adding a new configuration in addition to an existing configuration, click + Add Configuration, then fill in the data for this configuration as described above, and then click Save & Continue.

      Image_050.png

      Notice

      If you would like to edit an existing configuration (e.g., change the URL or credentials), go to Global Settings > Code Repository.

  4. Select the Azure DevOps Organization or Group (for the requested repository) and click Select Organization.

    Azure_DevOps_Select_Org.png
  5. Select the Repository inside the Azure DevOps organization and click Next.

    Note

    • A separate Checkmarx One Project will be created for each repo that you import.

    • There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.

    Azure_DevOps_Select_Repo.png
  6. In the Repositories Settings screen, perform the following and click Next.

    • Permissions:

      • Scan Trigger: Push, Pull request - Enable/disable automatic scans for every push event or pull request.

    • Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.

    • Protected Branches: Select which Protected Branches to scan for each repository.

      Note

      For additional information about Protected Branches see About Protected Branches

    • Add SSH key.

    • Assign Groups: Specify the Groups to which you would like to assign the project.

    • Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.

    • Set Criticality Level: Manually set the project criticality level.

      Azure_DevOps_Repo_Settings.png

    Note

    If multiple repositories are selected, an additional configuration option will appear at the top of the wizard for applying settings to all selected repositories. Configure the necessary parameters, then scroll down on the right-side panel and click Apply to all.

    For example:

    All_Repo_Settings.png
  7. Select which Protected Branches to scan for each Repository and click Next.

    Note

    For additional information about Protected Branches see About Protected Branches

    Azure_DevOps_Select_Branches.png
  8. In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.

    Click Create Project.

    Azure_DevOps_Advanced_Options.png
  9. The Project is successfully added to the Projects page.

    Note

    In order to update the scanners see Imported Project Settings

Editing Project Settings

To learn about editing Project Settings for an existing code repository integration Project, see Code Repository Project Settings.