Skip to main content

Integrating Dependency-Track into Azure DevOps Pipelines

Welcome to the final post in this Dependency-Track series! We've covered what Dependency-Track is and why we started using it, how to deploy it on Azure Container Apps, and how to configure OIDC authentication with Microsoft Entra ID. Now it's time to put it all together by integrating Dependency-Track into our Azure DevOps CI/CD pipelines.

In this post, I'll show you how to automatically generate Software Bill of Materials (SBOMs and upload them to Dependency-Track, By the end, you'll have a fully automated vulnerability management workflow that provides continuous visibility into your software supply chain.

CI/CD architecture

We adopted the following approach for integrating Dependency-Track in our CI/CD architecture:

During the CI phase we generate an SBOM as part of the build process using language-specific tools and store it among the other build artifacts

During the CD phase, the code is rolled out in multiple environments with approval checks between each environment. When we deploy to a specific environment, we upload the SBOM to Dependency-Track via its REST API.   This gives us exact insights on which vulnerabilities can be found in which application for which environment.

Create a service connection

First, we need an API key for Azure DevOps to communicate with Dependency-Track:

  1. Log into Dependency-Track with an admin account
  2. Navigate to AdministrationAccess ManagementTeams
  3. Select the Automation team (or create a new team for CI/CD integration)
  4. Set the following permissions: BOM_UPLOAD, PORTFOLIO_MANAGEMENT, PROJECT_CREATION_UPLOAD, VIEW_PORTFOLIO
  5. Click on API Keys tab
  6. Click Create API Key
  7. Give it a descriptive name like "Azure DevOps Pipeline"
  8. Copy the generated API key immediately (you won't be able to see it again)

Important: This API key has the same permissions as the team it belongs to. I’ve used the built-in Automation team, but you can also create a separate team with permissions to:

  • Create/update projects
  • Upload BOM files
  • View vulnerabilities and policy violations

Now we can switch to Azure DevOps to add this as a new service connection:

  1. Log into your Azure DevOps instance
  2. Navigate to Project SettingsService connections
  3. Click on New service connection
  4. Choose Generic and click on Next
  5. Enter the Dependency-Track URL as the  Server URL, the API key as the token and set a Service connection name.
  6. Click on Save

OK, we are good to go.

Configure the CI phase

As I mentioned in the beginning, we use the CI phase to generate and store the SBOM as part of our build artifacts.

Depending on the technology stack, you can use different tools to generate the SBOM.

.NET / C# Projects

For .NET projects, we use the CycloneDX .NET tool:

By generating the SBOM in the artifactstagingdirectory, it will automatically be uploaded together with the other build artifacts.

Angular Projects

For Angular projects, we use the CycloneDX npm tool:

In both cases, we store the generated SBOM as part of our build artifacts.

By generating the SBOM in the artifactstagingdirectory, it will automatically be uploaded together with the other build artifacts.

Configure the CD phase

In our CD phase we go through multiple stages:

To upload the generated SBOM, we use the Dependency-Track Azure Devops extension from the Visual Studio marketplace:

 

We can specify the correct Dependency-Track project id or let the extension generate the project on the fly.

More information

Dependency Track - Visual Studio Marketplace

CycloneDX/cyclonedx-dotnet: Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects

CycloneDX/cyclonedx-node-npm: Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.

Labels:

Popular posts from this blog

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emission of our (cloud) workloads, is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at Kube-Green . kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 Kg CO2eq per year( here the calculation). Reason enough to give it a try! Installing kube-green in your cluster The easiest way to install the operator in your cluster is through kubectl. We first need to install a cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue as it can take some time before the cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t...
Read more

Podman– Command execution failed with exit code 125

After updating WSL on one of the developer machines, Podman failed to work. When we took a look through Podman Desktop, we noticed that Podman had stopped running and returned the following error message: Error: Command execution failed with exit code 125 Here are the steps we tried to fix the issue: We started by running podman info to get some extra details on what could be wrong: >podman info OS: windows/amd64 provider: wsl version: 5.3.1 Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM Error: unable to connect to Podman socket: failed to connect: dial tcp 127.0.0.1:2655: connectex: No connection could be made because the target machine actively refused it. That makes sense as the podman VM was not running. Let’s check the VM: >podman machine list NAME         ...
Read more