Azure DevOps¶
Enabling Boost advisor¶
The Boost advisor lets you work through your findings backlog more easily and faster: with it, the AppSec team can initiate remediation of a finding directly from the Boost finding view.
The following describes how to set it up on Azure DevOps.
- Go to the boost repository.
- Add a new pipeline definition file (e.g. .azuredevops/boost-advisor.yml) and register it as a new pipeline:
  - In the Azure DevOps project, go to Pipelines → New pipeline.
  - Select Azure Repos Git (or GitHub, depending on where the code lives) → choose the repository.
  - Choose Existing Azure Pipelines YAML file → select the path to boost-advisor.yml.
  - Save (do not run yet; secrets must be configured first).

  The pipeline expects a variable group named boostsecurityio (declared in the YAML at variables.group). Create it under Pipelines → Library → + Variable group.

  File contents:

  ```yaml
  trigger: none

  parameters:
    - name: payload
      type: string
      default: ""

  variables:
    - group: boostsecurityio
    - name: BOOST_API_TOKEN
      value: $[variables.BOOST_API_TOKEN]
    - name: BOOST_SCM_TOKEN
      value: $[variables.BOOST_SCM_TOKEN]
    - name: BOOST_LLM_MODEL
      value: $[variables.BOOST_LLM_MODEL]
    - name: BOOST_LLM_KEY
      value: $[variables.BOOST_LLM_KEY]

  pool:
    vmImage: ubuntu-latest

  steps:
    - script: |
        set -euo pipefail
        curl -sSL https://assets.build.boostsecurity.io/boost-advisor/get-boost-advisor | sh
      displayName: Download boost-advisor
    - script: |
        echo "$PAYLOAD" | /tmp/boost-advisor/latest -
      displayName: Run boost-advisor
      env:
        BOOST_API_KEY: $(BOOST_API_TOKEN)
        BOOST_SCM_TOKEN: $(BOOST_SCM_TOKEN)
        BOOST_LLM_MODEL: $(BOOST_LLM_MODEL)
        BOOST_LLM_KEY: $(BOOST_LLM_KEY)
        PAYLOAD: ${{ parameters.payload }}
  ```
- Create the Personal Access Token. Azure DevOps uses a Personal Access Token (PAT) for SCM authentication.
  - Sign in to Azure DevOps as a user with at least Basic access to the project (and admin rights on the repository, so PR creation is permitted).
  - Click your profile icon (top right) → Personal access tokens → + New Token. Direct link: https://dev.azure.com/{organization}/_usersSettings/tokens
  - Set:
    - Name: boost-advisor
    - Organization: the target organization
    - Expiration: per customer policy (max 1 year)
    - Scopes: click Custom defined and grant:
      - Code → Read & write (clone and push)
      - Code → Status (optional, to set commit statuses)
      - Pull Request Threads → Read & write (post review comments, optional)
  - Click Create and copy the token (shown only once).

  ADO PATs respect the user's permissions. Make sure the user owning the PAT is a member of the Contributors group of the target repository; otherwise pushes and PRs will fail with a 403.
- Add the secrets to the variable group. Open Pipelines → Library → boostsecurityio and add these variables. Click the lock icon to mark each as secret.

  | Variable Name   | Value                                |
  |-----------------|--------------------------------------|
  | BOOST_SCM_TOKEN | Workspace or repository access token |
  | BOOST_LLM_MODEL | LLM model identifier                 |
  | BOOST_LLM_KEY   | LLM provider API key                 |

  Note: BOOST_API_TOKEN is provisioned automatically by ZTP and does not need to be added manually.
Manual security scans¶
Scanning steps can be added to your Azure DevOps pipelines by installing the Boost Security extension.
To do so:
- Navigate to the Marketplace App.
- Click Get it free.
- Select your organization and click Install.
You also need to make the Boost API token available in your pipeline variables (the examples below read it from a variable group named boostsecurity). If you do not already have an API token, you can create one on the dashboard Settings page.
Once everything is ready, a scanning step can be added, for example:
```yaml
- stage: Run Security Scanners
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
  jobs:
    - job:
      steps:
        - task: BoostSecurityScan@1
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/semgrep
```
BoostSecurityScan is the Boost Security pipeline task that runs scanners and uploads their results to the Boost Security service.
The input apiToken configures the API key used to authenticate the scanner.
The input registryModule specifies the scanner module to use. The example above configures the Semgrep scanner with the id boostsecurityio/semgrep.
Azure DevOps for Source Scanning¶
This configuration is appropriate for scanner modules for SAST scanning or SBOM inventory from source code.
Note: Even if the pipeline is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect the component inventory on pull requests.
```yaml
- stage: Run Security Scanners
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
    - name: isMainBranch
      value: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')]
  jobs:
    - job:
      steps:
        - task: BoostSecurityScan@1
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/semgrep
        - task: BoostSecurityScan@1
          condition: eq(variables.isMainBranch, 'true')
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/trivy-sbom
```
Azure DevOps for scanning generated artifacts¶
This configuration is appropriate for scanner modules that scan artifacts generated by the build process. For example, scanner modules that generate an SBOM from a container image, or scan it for vulnerabilities, need the container image to be built first.
Add the Boost Security scanner module stanza to your build pipeline, for example:
```yaml
- stage: Build Step
  variables:
    - group: boostsecurity
    - name: boostApiToken
      value: $[variables.BOOST_API_TOKEN]
  jobs:
    - job:
      steps:
        - task: Bash@3
          displayName: Build Image
          inputs:
            targetType: "inline"
            script: |
              docker build . -t acme-analytics
        - task: BoostSecurityScan@1
          env:
            BOOST_IMAGE_NAME: acme-analytics # set image name to scan
          inputs:
            apiToken: $(boostApiToken)
            registryModule: boostsecurityio/trivy-image
```
In the example above, the container image name set in the environment variable BOOST_IMAGE_NAME is static. If the image name needs to be created dynamically, a step can be inserted before the scan step to set the variable. That is, replace:
```yaml
steps:
  - task: Bash@3
    displayName: Build Image
    inputs:
      targetType: "inline"
      script: |
        docker build . -t acme-analytics
  - task: BoostSecurityScan@1
    env:
      BOOST_IMAGE_NAME: acme-analytics # set image name to scan
    inputs:
      apiToken: $(boostApiToken)
      registryModule: boostsecurityio/trivy-image
```

with:

```yaml
steps:
  - task: Bash@3
    displayName: Build Image
    inputs:
      targetType: "inline"
      script: |
        docker build . -t acme-analytics
        echo "##vso[task.setvariable variable=BOOST_IMAGE_NAME]my_image_name_and_tag"
  - task: BoostSecurityScan@1
    inputs:
      apiToken: $(boostApiToken)
      registryModule: boostsecurityio/trivy-image
```
Note: The task.setvariable step sets the variable for the following steps, and the env key is removed from the BoostSecurityScan step.
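The snippet above hard-codes my_image_name_and_tag. The following shell script is an added example (not part of the Boost documentation or the BoostSecurityScan task) of what the Build Image step can run instead: it derives an image reference from the build itself so that the scanner always scans the image the pipeline just built, validates the reference before publishing it, and emits the same task.setvariable logging command. It assumes the predefined Build.Repository.Name and Build.SourceVersion variables are available as the environment variables BUILD_REPOSITORY_NAME and BUILD_SOURCEVERSION (Azure Pipelines exports predefined variables in that form), and IMAGE_REGISTRY is a placeholder registry host you would set yourself.

```shell
#!/bin/sh
# Added example, not Boost's own code. Computes a per-build image reference and
# hands it to the next step as BOOST_IMAGE_NAME via a task.setvariable command.
# Assumed environment (Azure Pipelines exports predefined variables this way):
#   BUILD_REPOSITORY_NAME  -> Build.Repository.Name
#   BUILD_SOURCEVERSION    -> Build.SourceVersion (commit SHA)
#   IMAGE_REGISTRY         -> placeholder registry host chosen by you

# Docker repository names must be lowercase and limited to [a-z0-9._-];
# fold case and replace anything else with '-'.
sanitize_component() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9._-]/-/g'
}

# Build "<registry>/<repo>:<short-sha>" so the scan is tied to the exact commit
# that was built rather than to a floating tag such as "latest".
image_ref() {
  [ -n "${BUILD_REPOSITORY_NAME:-}" ] && [ -n "${BUILD_SOURCEVERSION:-}" ] || return 1
  repo=$(sanitize_component "$BUILD_REPOSITORY_NAME")
  short_sha=$(printf '%s' "$BUILD_SOURCEVERSION" | cut -c1-12)
  printf '%s/%s:%s' "${IMAGE_REGISTRY:-registry.example.com}" "$repo" "$short_sha"
}

# Emit the logging command that sets BOOST_IMAGE_NAME for the following steps.
# The reference is checked against the Docker name/tag grammar first so that a
# malformed value never reaches the ##vso command or the scanner unnoticed.
publish_image_name() {
  ref=$(image_ref) || return 1
  printf '%s' "$ref" \
    | grep -Eq '^[a-z0-9][a-z0-9._-]*(/[a-z0-9][a-z0-9._-]*)*:[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$' \
    || return 1
  printf '##vso[task.setvariable variable=BOOST_IMAGE_NAME]%s\n' "$ref"
}

# In the Bash@3 step this runs right after `docker build . -t "$(image_ref)"`;
# the guard keeps the file a no-op when it is sourced outside a pipeline.
if [ -n "${BUILD_REPOSITORY_NAME:-}" ] && [ -n "${BUILD_SOURCEVERSION:-}" ]; then
  publish_image_name
fi
```

Used this way, the Build Image step tags the image with `$(image_ref)` and then calls `publish_image_name`; the BoostSecurityScan step that follows picks BOOST_IMAGE_NAME up as an environment variable, exactly as with the static echo above, and no env key is needed on the scan task.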