TABLE OF CONTENTS

Overview

Aqua Security extension can be used in the Azure DevOps project to scan Windows based images after the CI/CD pipeline build. After installation of the extension, you should add Image Scanning task to the CI/CD pipeline. While configuring the Image Scanning task, for the Windows parameters, you should select either scanner version 4.2.0 or Artifacts to scan the Windows based images. For more information on the configuration of Image Scanning task in your Azure DevOps CI/CD pipeline, refer to Azure DevOps Extension.


Windows scanner version 4.2.0 (executable binary) is offered out of the box through Aqua extension. If you want to use Windows scanner version later than 4.2.0, you must use Artifacts feature to download the scanner binary. For example, if you want to use Windows scanner version 5.2.0 or 6.2.0, you should create an artifact to download and publish the package from Aqua storage and add the package as a task in the Azure image scanning pipeline. Using artifacts, the desired scanner version is packaged and used in the Azure image scanning pipeline to scan Windows based images.


This topic explains the configuration and usage of the Artifacts feature in Azure DevOps to scan Windows based images using Aqua. Artifacts feature in Azure DevOps allows you to use a service where you can create package containing Windows scanner binary, feed to publish, and consume the Windows based scanner binary package to scan Windows based images.


Publish packages using Artifacts feature

This section explains how to download the package containing Windows binary scanner and publish it. The published package can be consumed in the Image Scanning task in CI/CD pipeline to scan Windows based images, using the binary scanner embedded in the package.


To download and publish the package:

  1. In the Azure DevOps console, in the left pane, click Artifacts hub.
  2. At the top left of the page, from the dropdown, select the organization.
  3. Click + Create Feed. Create new feed dialog appears at the right side of the page.
  4. In the Create new feed dialog, enter the following:
  • Name: name of the feed
  • Visibility: Select the option, Members of your Azure Active Directory
  • Check Include packages from common public sources
  • Scope: select Organization to include this feed as common functionality that can be shared across projects in this organization

      5. Click Create. A new feed is created.

      6. Click Connect to Feed at the top left of the page and select Universal packages. Universal Packages appears where you can download and publish the packages.



    7. In the Universal Packages page, perform the following actions to download and publish the packages:

  1. In the Project setup, click Windows. You can see a windows command in this section.
  2. On your Windows platform, login to the Azure CLI with an AAD or MSA identity using the following command:
az login

       c. Pass the following command to download the binary. You should modify values to the following keys in the command:
  • organization: no action is required. It is populated with the organization that you work on
  • feed: no action is required. It is populated with the feed that you have created
  • name: assign name to your package
  • version: version of the Windows binary scanner that you want to download
  • path: enter the path having the Windows scanner. You should modify the link as per the required version.


az artifacts universal download --organization https://dev.azure.com/pratapkumar1234/ --feed AquasecScanner --name my-first-package --version 0.0.1 --path


     d. Pass the following command to publish the Universal Package. You should modify values to the following keys in the command. You can directly use the Aqua's scanner link (added in the previous step) to publish the feed so that download package appears in the list of tasks while adding a new task.

  • organization: no action is required. It is populated with the organization that you work on
  • feed: no action is required. It is populated with the feed that you have created
  • name: assign name to your package
  • version: version of the Windows binary scanner that you want to download
  • description: enter any description for this feed
  • path: enter the downloaded zip path in your machine, after execution of command in the previous step.


az artifacts universal publish --organization https://dev.azure.com/pratapkumar1234/ --feed AquasecScanner --name my-first-package --version 0.0.1 --description "Welcome to Universal Packages" --path



Configure scanner binary downloaded from the package

You can add the downloaded package as a task to your pipeline and then configure the scanner binary in the package to scan Windows based images.


To configure scanner binary:

  1. In the Azure DevOps console, in the left pane, select Pipelines.
  2. Select the required pipeline from the available list.
  3. Click Edit on the top right side of the page.
  4. In the Tasks tab on the left pane, Click + and go to the Marketplace tab. 



       5. Hover over the Download Package from the list of tasks in the Marketplace, and then click AddThe Download Package task will be added to the list of tasks in the build pipeline. 

       6. Click the Download Package task and enter the following details as shown in the screenshot:


FieldDescription
Task versionVersion of the specific task
Display nameName of the step that should appear in the list of build steps
Package TypeUniversal as you have configured Universal package while creating artifact
FeedFrom dropdown, select the required feed that you have created to create artifact for download package
ViewFrom dropdown, select Local
PackageFrom dropdown, select the package that you need to scan the image. It is recommended to select scannercli file for windows.exe to scan the image.
Destination directoryadd the directory to which you want to store scan output files
Control OptionsFor detailed information on the fields, refer to Azure DevOps Extension
Output VariablesFor detailed information on the fields, refer to Azure DevOps Extension