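# Full Scan + Deploy
# Pipeline that runs source-code analysis, builds the container image, scans the
# image, and finishes by publishing the application to an Azure Web App.
#
# Stage order (stages without dependsOn run sequentially in the order written):
#   CodeSecurityScan -> Build -> ImageSecurityScan -> DeployWebApp
#
# NOTE(review): every scanner below is configured as non-blocking (--soft-fail,
# failTaskOnFailedTests: false, failOnIssues: false, exitCode: '0'), so findings
# are reported but never gate the DeployWebApp stage. Tighten those inputs when
# a blocking policy is wanted.
trigger: none  # Disable CI triggers; the pipeline is run manually.
#- master
# Disable PR validation as well: for GitHub repositories PR builds are on by
# default when `pr` is omitted, which would let a pull request drive a pipeline
# that ends in a deployment.
pr: none
resources:
  - repo: self
variables:
  # regular variables
  - name: dockerfilePath
    value: '$(Build.SourcesDirectory)/Dockerfile'
  # Immutable per-run image tag: the image that is scanned is the same image
  # that was just built and that gets deployed. A moving 'latest' tag is still
  # pushed by the Build stage for anything outside this pipeline that relies on it.
  - name: tag
    value: '$(Build.BuildId)'
  - name: vmImageName
    value: 'ubuntu-latest'
  # variable group; presumably supplies WEBAPP_NAME, ACR_NAME, ACR_Conn,
  # Snyk_Conn and Azure_Conn, which are referenced below but not defined here
  - group: Mis_Variables
stages:
  # Source-code analysis
  - stage: CodeSecurityScan
    displayName: Code Security Scan
    jobs:
      # Mend (WhiteSource) scan
      - job: Mend
        displayName: Mend
        pool:
          vmImage: $(vmImageName)
        steps:
          - task: WhiteSource@21
            inputs:
              cwd: '$(System.DefaultWorkingDirectory)'
              projectName: 'reactjs-shopping-cart'
      # SonarCloud scan
      - job: SonarCloud
        displayName: SonarCloud
        pool:
          vmImage: $(vmImageName)
        steps:
          - checkout: self
            fetchDepth: 0  # full clone (no shallow fetch) for the SonarCloud analysis
          - task: SonarCloudPrepare@1
            inputs:
              SonarCloud: 'SonarCloud_Malevarro'
              organization: 'malevarro'
              scannerMode: 'CLI'
              configMode: 'manual'
              cliProjectKey: 'malevarro_reactjs-shopping-cart'
              cliProjectName: 'reactjs-shopping-cart'
              cliSources: '.'
          - task: SonarCloudAnalyze@1
          - task: SonarCloudPublish@1
            inputs:
              pollingTimeoutSec: '300'
      # Checkov scan
      - job: Checkov
        displayName: Checkov
        pool:
          vmImage: $(vmImageName)
        steps:
          # NOTE(review): unpinned install (`pip3 install checkov`) pulls whatever
          # version PyPI serves that day; pin it (checkov==<VERSION>) for
          # reproducible scans.
          - task: Bash@3
            displayName: 'Install Checkov CLI'
            inputs:
              targetType: 'inline'
              script: |
                echo 'Install Checkov'
                pip3 install checkov
                mkdir checkov-report
          # --soft-fail makes checkov exit 0 regardless of findings; the JUnit
          # report is published by the next step.
          - task: Bash@3
            displayName: 'Checkov Dockerfile Analysis'
            inputs:
              targetType: 'inline'
              script: |
                checkov -d . --soft-fail --framework all --output junitxml > ./checkov-report/TEST-checkov-IaC-report.xml
          - task: PublishTestResults@2
            displayName: 'Checkov Dockerfile Report'
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: '**/TEST-checkov-IaC-report.xml'
              searchFolder: '$(System.DefaultWorkingDirectory)/checkov-report'
              mergeTestResults: false
              testRunTitle: 'Checkov Dockerfile Report'
              failTaskOnFailedTests: false  # findings are reported, not blocking
              publishRunAttachments: true
  # Container image build
  - stage: Build
    displayName: Build and push stage
    jobs:
      - job: Build
        displayName: Build
        pool:
          vmImage: $(vmImageName)
        steps:
          - task: Docker@2
            displayName: Build and push an image to container registry
            inputs:
              command: buildAndPush
              repository: $(WEBAPP_NAME)
              dockerfile: $(dockerfilePath)
              containerRegistry: $(ACR_Conn)
              # $(tag) is the immutable per-run tag used by the scan and deploy
              # stages; 'latest' is kept as a convenience alias.
              tags: |
                $(tag)
                latest
  # Container image analysis
  - stage: ImageSecurityScan
    displayName: Image Security Analysis
    jobs:
      # Snyk scan
      - job: Snyk
        displayName: Snyk
        pool:
          vmImage: $(vmImageName)
        steps:
          - task: Docker@2
            inputs:
              containerRegistry: $(ACR_Conn)
              command: 'login'
          - task: SnykSecurityScan@1
            inputs:
              serviceConnectionEndpoint: $(Snyk_Conn)
              testType: 'container'
              # scan the exact image built in this run, not a moving tag
              dockerImageName: '$(ACR_NAME)/$(WEBAPP_NAME):$(tag)'
              dockerfilePath: '$(dockerfilePath)'
              monitorWhen: 'always'
              failOnIssues: false  # findings are reported, not blocking
      # Trivy scan
      - job: Trivy
        displayName: Trivy
        pool:
          vmImage: $(vmImageName)
        steps:
          - task: Docker@2
            inputs:
              containerRegistry: $(ACR_Conn)
              command: 'login'
          # NOTE(review): version 'latest' is unpinned; pin a Trivy release for
          # reproducible results.
          - task: trivy@1
            inputs:
              version: 'latest'
              debug: true
              loginDockerConfig: true
              # scan the exact image built in this run, not a moving tag
              image: '$(ACR_NAME)/$(WEBAPP_NAME):$(tag)'
              exitCode: '0'  # findings are reported, not blocking
  # Publish the application to Azure
  # NOTE(review): this is a plain job with no environment, so no approval or
  # check can be attached before production deployment; consider a
  # `deployment` job targeting an environment with approvals.
  - stage: DeployWebApp
    displayName: Deploy Web App
    jobs:
      - job: Deploy
        displayName: Deploy
        pool:
          vmImage: $(vmImageName)
        steps:
          - task: AzureRmWebAppDeployment@4
            displayName: Deploy Web App
            inputs:
              ConnectionType: 'AzureRM'
              azureSubscription: $(Azure_Conn)
              appType: 'webAppContainer'
              WebAppName: $(WEBAPP_NAME)
              DockerNamespace: '$(ACR_NAME)'
              DockerRepository: '$(WEBAPP_NAME)'
              DockerImageTag: '$(tag)'  # the same per-run tag that was scanned above
              AppSettings: '-port 3000'
          - task: AzureAppServiceManage@0
            displayName: Restart App Service
            inputs:
              azureSubscription: $(Azure_Conn)
              Action: 'Restart Azure App Service'
              WebAppName: $(WEBAPP_NAME)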