# Full Scan
# Pipeline that runs source-code analysis, builds the container image, scans the
# image and then deploys it to an Azure Web App for Containers.
#
# NOTE(review): every scanner in this file is configured as report-only
# (--soft-fail, failTaskOnFailedTests: false, failOnIssues: false, --exit-code 0),
# so findings are published but nothing gates the Build or Deploy stages; only a
# task error stops the run.
#
# Variables used but not defined here — presumably pipeline / variable-group
# variables, verify: vmImageName, MendProj, SonarOrg, SonarProjKey, SonarProj,
# API, imageRepository, tag, containerRegistrys, URL, USERNAME, PASSWORD,
# sariflog, WebAppSvc. API, USERNAME and PASSWORD must be marked secret so the
# agent masks them in logs.
trigger:
- master
resources:
- repo: self
variables:
  # Service connection (referenced by ID) used to push the built image.
  dockerRegistryServiceConnection: '26a65500-b05f-4a4c-a7dd-73a9e7a59dcb'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
pool:
  vmImage: $(vmImageName)
stages:
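# Source-code analysis: dependency scan (Mend), SAST/quality (SonarCloud) and
# IaC + package SCA (Checkov). All three jobs are report-only — none of them can
# fail the stage.
- stage: CodeSecurityScan
  displayName: Code Security Scan
  jobs:
  # Mend (formerly WhiteSource) scan of the checked-out working directory.
  - job: Mend
    displayName: Mend
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
        projectName: '$(MendProj)'
  # SonarCloud analysis. fetchDepth: 0 gives the scanner full history.
  - job: SonarCloud
    displayName: SonarCloud
    pool:
      vmImage: $(vmImageName)
    steps:
    - checkout: self
      fetchDepth: 0
    - task: SonarCloudPrepare@1
      inputs:
        SonarCloud: 'SonarCloud'
        organization: '$(SonarOrg)'
        scannerMode: 'CLI'
        configMode: 'manual'
        cliProjectKey: '$(SonarProjKey)'
        cliProjectName: '$(SonarProj)'
        cliSources: '.'
    - task: SonarCloudAnalyze@1
    - task: SonarCloudPublish@1
      inputs:
        pollingTimeoutSec: '300'
  # Checkov: IaC/Dockerfile scan plus package SCA, published as JUnit results.
  - job: Checkov
    displayName: Checkov
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Bash@3
      displayName: 'Install Checkov CLI'
      inputs:
        targetType: 'inline'
        script: |
          set -euo pipefail
          echo 'Install Checkov'
          # NOTE(review): unpinned install; pin a release (checkov==X.Y.Z) so
          # scan results are reproducible and upgrades are deliberate.
          pip3 install checkov
          mkdir -p checkov-report
    # NOTE: --framework all scans every framework Checkov knows, not only the
    # Dockerfile, despite the step name.
    - task: Bash@3
      displayName: 'Checkov Dockerfile Analysis'
      inputs:
        targetType: 'inline'
        script: |
          set -euo pipefail
          # --soft-fail: findings never fail the step; the report is informational.
          checkov -d . --soft-fail --framework all --output junitxml > ./checkov-report/TEST-checkov-IaC-report.xml
    - task: Bash@3
      displayName: 'Checkov SCA Analysis'
      inputs:
        targetType: 'inline'
        script: |
          set -euo pipefail
          # The API key is supplied through the BC_API_KEY environment variable
          # (checkov's equivalent of --bc-api-key) instead of being macro-expanded
          # into the command line, so it is written neither into the generated
          # script file nor into the process argument list.
          checkov -d . --soft-fail --framework sca_package --output junitxml > ./checkov-report/TEST-checkov-SCA-report.xml
      env:
        # $(API) must be a secret pipeline variable; secrets are only visible to
        # scripts when mapped explicitly like this.
        BC_API_KEY: $(API)
    # Both reports are published with failTaskOnFailedTests: false, so failed
    # checks show up in the Tests tab but do not fail the stage.
    - task: PublishTestResults@2
      displayName: 'Checkov Dockerfile Report'
      inputs:
        testResultsFormat: 'JUnit'
        testResultsFiles: '**/TEST-checkov-IaC-report.xml'
        searchFolder: '$(System.DefaultWorkingDirectory)/checkov-report'
        mergeTestResults: false
        testRunTitle: 'Checkov Dockerfile Report'
        failTaskOnFailedTests: false
        publishRunAttachments: true
    - task: PublishTestResults@2
      displayName: 'Checkov SCA Report'
      inputs:
        testResultsFormat: 'JUnit'
        testResultsFiles: '**/TEST-checkov-SCA-report.xml'
        searchFolder: '$(System.DefaultWorkingDirectory)/checkov-report'
        mergeTestResults: false
        testRunTitle: 'Checkov SCA Report'
        failTaskOnFailedTests: false
        publishRunAttachments: true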
# Build the container image and push it to the registry.
# NOTE(review): buildAndPush publishes the image before the image scans run, so
# an image with findings is already in the registry by the time it is scanned.
# Splitting this into build, scan and a conditional push would keep such images
# out of the registry.
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        # $(tag) is a mutable tag; the later stages reference the image by it.
        tags: |
          $(tag)
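# Scan the pushed image with Snyk and Trivy. Report-only: failOnIssues and the
# exit codes are set so that findings never fail the stage.
- stage: ImageSecurityScan
  displayName: Image Security Analysis
  jobs:
  # Snyk container test of the image built in the previous stage.
  - job: Snyk
    displayName: Snyk
    pool:
      vmImage: $(vmImageName)
    steps:
    # Log in with the same service connection the Build stage pushed with, so
    # the scanner pulls the image that was just built.
    - task: Docker@2
      displayName: Registry Login
      inputs:
        containerRegistry: '$(dockerRegistryServiceConnection)'
        command: 'login'
    - task: SnykSecurityScan@1
      inputs:
        serviceConnectionEndpoint: 'SnykApp'
        testType: 'container'
        dockerImageName: '$(URL)/$(imageRepository):$(tag)'
        dockerfilePath: '$(dockerfilePath)'
        monitorWhen: 'always'
        # Report only; set to true (with a severity threshold) to gate on findings.
        failOnIssues: false
  # Trivy: marketplace task for the UI summary plus the CLI for detailed reports.
  - job: Trivy
    displayName: Trivy
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: 'Registry Login'
      inputs:
        containerRegistry: '$(dockerRegistryServiceConnection)'
        command: 'login'
    - task: trivy@1
      inputs:
        # NOTE(review): unpinned scanner version; pin it for reproducible results.
        version: 'latest'
        docker: false
        exitCode: 0
        image: $(URL)/$(imageRepository):$(tag)
        debug: true
    # Trivy CLI: SARIF vulnerability report, licence inventory, Docker CIS
    # compliance, Dockerfile misconfiguration report and a CycloneDX SBOM, all
    # written to $(sariflog) and published as a pipeline artifact below.
    - task: Bash@3
      displayName: Trivy CLI
      inputs:
        targetType: 'inline'
        script: |
          set -euo pipefail
          cd "$(Build.SourcesDirectory)"
          mkdir -p "$(sariflog)"
          IMAGE="$(URL)/$(imageRepository):$(tag)"
          echo "[+] Fetching Trivy"
          # Resolve the newest release tag. NOTE(review): this floats to whatever
          # upstream published last; pinning a version and bumping it deliberately
          # is the safer supply-chain posture.
          TRIVYVERSION=$(git ls-remote --refs --sort="version:refname" --tags https://github.com/aquasecurity/trivy | cut -d/ -f3- | tail -n1 | sed -e 's/^.//')
          echo "[+] Trivy Version: ${TRIVYVERSION}"
          RELEASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVYVERSION}"
          DEB="trivy_${TRIVYVERSION}_Linux-64bit.deb"
          wget -nv --no-cache "${RELEASE_URL}/${DEB}"
          # Verify the package against the checksum file published with the
          # release before installing it with root privileges.
          wget -nv --no-cache "${RELEASE_URL}/trivy_${TRIVYVERSION}_checksums.txt"
          sha256sum --check --ignore-missing "trivy_${TRIVYVERSION}_checksums.txt"
          echo "[+] Installing Trivy"
          sudo dpkg -i "${DEB}"
          echo "[+] Trivy Installed ${TRIVYVERSION}"
          echo "[+] Running Trivy"
          # Every scan runs with (the default or explicit) --exit-code 0: reports
          # are produced but findings never fail the step. A scanner error still
          # fails it because of set -e.
          echo "***Vulnerability Assessment***"
          echo "[+] Creating Trivy Vulnerabilities"
          trivy --quiet image --format sarif -o "$(sariflog)/Trivy_Vulnerabilities.sarif" --exit-code 0 "${IMAGE}"
          echo "***License Inventory***"
          echo "[+] Creating Trivy License Inventory"
          trivy --quiet image -f table --scanners license --license-full --exit-code 0 "${IMAGE}" > "$(sariflog)/License_Report.txt"
          echo "***Docker Compliance Analysis***"
          echo "[+] Creating Trivy Docker Compliance File"
          trivy --quiet image -f table --compliance docker-cis "${IMAGE}" > "$(sariflog)/CIS_Compliance_Report.txt"
          echo "***Dockerfile Analysis***"
          echo "[+] Creating Dockerfile Compliance"
          trivy --quiet --format sarif -o "$(sariflog)/Compliance_Dockerfile_Report.sarif" config "$(dockerfilePath)"
          echo "***SBOM Analysis***"
          echo "[+] Creating Trivy SBOM JSON File"
          trivy --quiet image --list-all-pkgs --scanners vuln --format cyclonedx --output "$(sariflog)/SBOM_Cyclonedx_Report.json" --exit-code 0 "${IMAGE}"
      env:
        # Registry credentials for Trivy, mapped from (secret) pipeline variables
        # rather than macro-expanded into the script body, so they are not
        # written into the generated script file.
        TRIVY_AUTH_URL: $(URL)
        TRIVY_USERNAME: $(USERNAME)
        TRIVY_PASSWORD: $(PASSWORD)
    - task: PublishPipelineArtifact@1
      inputs:
        targetPath: './$(sariflog)'
        artifact: '$(sariflog)'
        publishLocation: 'pipeline'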
# Deploy the image to an Azure Web App for Containers and restart the app.
# NOTE(review): this stage has no condition beyond the default (previous stage
# succeeded) and none of the scanners can fail, so findings never block a
# deploy. The image is referenced by the mutable tag $(tag); deploying by digest
# would tie what was scanned to what is deployed.
- stage: DeployWebApp
  displayName: Deploy Web App
  jobs:
  - job: Deploy
    displayName: Deploy
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: AzureRmWebAppDeployment@4
      displayName: Deploy Web App Service
      inputs:
        ConnectionType: 'AzureRM'
        azureSubscription: 'AzureVS'
        appType: 'webAppContainer'
        WebAppName: '$(WebAppSvc)'
        DockerNamespace: '$(URL)'
        DockerRepository: '$(imageRepository)'
        DockerImageTag: '$(tag)'
        # NOTE(review): this creates an app setting named "port". App Service for
        # Containers routes to a non-default container port via WEBSITES_PORT —
        # confirm which setting the application actually reads.
        AppSettings: '-port 3000'
    - task: AzureAppServiceManage@0
      displayName: Restart Web App Service
      inputs:
        azureSubscription: 'AzureVS'
        Action: 'Restart Azure App Service'
        WebAppName: '$(WebAppSvc)'