Skip to main content

Azure DevOps Self-Hosted

Notice

It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Checkmarx One External IPs

In addition, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.

Overview

Checkmarx One supports Azure DevOps integration, enabling automated scanning of your Azure DevOps projects whenever the code is updated. Checkmarx One's Azure DevOps integration listens for Azure DevOps commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in the Checkmarx One Platform.

In addition, for pull requests, a comment is created in Azure DevOps, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.

Notice

This integration supports both public and private git based repos.

The integration is done on a per project basis, with a specific Checkmarx One Project corresponding to a specific Azure DevOps repo.

Notice

You can select several repos to create multiple integrations in a bulk action.

Prerequisites

  • The source code for your project is hosted on a Azure DevOps repo.

  • You have an Checkmarx One account and have credentials to log in to your account.

  • The Azure DevOps user has admin privileges for this repo, see Code Repository Integrations

  • Verify that in the Azure DevOps Organization settings under Organization Settings → Policies → “Third-Party application access via OAuth” is enabled - For additional assistance use the following link: Azure DevOps connection and security policies

    For example:

    6297288859.png

Retrieving Azure DevOps Username & Token

To retrieve your Azure DevOps Username & Token, perform the following steps:

  1. In your Azure DevOps account, click on your user > Security

    Azure_SH_Security.png

  2. Click on Personal Access Tokens > + New Token

    A panel will be opened on the right screen side

  3. Configure the following fields:

    • Name - Token name

    • Organization - All accessible organizations

    • Scopes - Custom defined

      • Code - Read, Status

      • Pull Request Thread - Read & write

        Azure_SH_Config_Token.png
        Azure_SH_Config_Token2.png

    • Click Create

  4. Copy the token

    Azure_SH_Copy_Token.png

Setting up the Integration and Initiating a Scan

To integrate your self hosted (on-prem) Azure DevOps organization with Checkmarx One, perform the following:

  1. In the Applications and Projects home page, click on New > New Project - Code Repository Integration.

    Code_Repo_Integration.png

    The Import From window opens.

    Import_From.png

  2. Select the Self-hosted → Azure

    Azure_SH_Select_Azure.png

  3. Configure the following fields and click Next:

    • Domain Name or IP Address - Your Azure DevOps Self-Managed domain.

      For example: http://<domain name.com> / or http:<IP address.com>

    • Username - Azure DevOps username

    • Token - Azure DevOps token.

      For more information see Retrieving Azure DevOps Username & Token

      Azure_SH_Select.png

  4. Select the Azure DevOps Organization or Group (for the requested repository) and click Select Organization

    Azure_DevOps_Select_Org.png

  5. Select the Repository inside the Azure DevOps organization and click Next

    Note

    • A separate Checkmarx One Project will be created for each repo that you import.

    • There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.

    Azure_DevOps_Select_Repo.png

  6. In the Repositories Settings screen, perform the following and click Next.

    • Select the scanners for All/Specific repositories.

    • Select which Protected Branches to scan for each Repository.

      Note

      For additional information about Protected Branches see About Protected Branches

    • It is possible to specify the Groups to which you would like to assign the Project.

    • You can also add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.

      Azure_DevOps_Repo_Settings.png

  7. Select which Protected Branches to scan for each Repository and click Next

    Note

    For additional information about Protected Branches see About Protected Branches

    Azure_DevOps_Select_Branches.png

  8. In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project

    Click Create Project

    Azure_DevOps_Advanced_Options.png

  9. The Project is successfully added to the Applications and Projects home page.

    Note

    In order to update the scanners see Imported Project Settings

    Import_Project_Created.png

Update Project Settings

See Imported Project Settings

In this section: