Integrate Mend with Azure Pipelines


The Visual Studio Marketplace (the extensions marketplace for Azure DevOps) is an important source of tooling for Secure DevOps. You can integrate specialist security products into your Azure DevOps pipeline from there.

Having a full suite of extensions that integrate seamlessly into Azure Pipelines is invaluable, because a scan that runs on every build is far more likely to be acted on than one run by hand.

Mend

The Mend extension (Mend was formerly known as WhiteSource, which is why older screenshots still carry that name) is available on the Azure DevOps Marketplace. It adds tasks that you can run inside your CI/CD pipeline to address Secure DevOps security-related issues.

The Mend extension specifically addresses open-source security, quality, and license compliance concerns for a team consuming external packages.

Because many breaches exploit known, already-published vulnerabilities in widely used components rather than novel flaws, robust tooling for tracking those components is essential.

Continuously detect all open-source components in your software

Mend automatically detects all open-source components, including their transitive dependencies, every time you run a build.

This means you can generate a comprehensive inventory report within minutes, based on the last build you ran, rather than on a manually maintained list.

It also gives your security, DevOps, and legal teams complete visibility into the open-source components your organization's software actually ships.

Screenshot of the WhiteSource component Inventory Report.

Receive alerts on open-source security vulnerabilities

Mend automatically generates an alert and provides targeted remediation guidance when a new security vulnerability is discovered in a component you already use, not only when you add one.

The guidance can include links to patches and fixes, the relevant source files, and even recommended configuration changes that prevent exploitation until a patched version can be adopted.

Screenshot of the WhiteSource Vulnerabilities Severity library.

Automatically enforce open-source security and license compliance policies

Based on the company's policies, Mend automatically approves, rejects, or triggers a manual approval process every time a new open-source component is added to a build.

Teams can define policies based on parameters such as security-vulnerability severity, license type, or library age.

When a developer adds an open-source component that violates a policy, the service alerts and fails the build, so the problematic component never reaches the main branch.
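The two behaviours described above, building an inventory that includes transitive dependencies and then gating the build on a severity / license / age policy, can be illustrated with the following added example. It is not Mend's code and does not use the Mend API; it is a stand-alone Python script with a constructed dependency graph and constructed component metadata (every package name, version, license, date and score is made up), showing the decision logic a policy gate applies and how a non-zero exit code fails the pipeline step.

```python
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample data standing in for what a scanner reads from a lock file.
# All names, versions, licenses, dates and scores are invented for illustration.
DIRECT = ["web-framework@2.1.0", "yaml-parser@1.4.2"]
GRAPH = {
    "web-framework@2.1.0": ["http-core@0.9.1", "template-engine@3.0.0"],
    "http-core@0.9.1": ["codec-lib@1.0.5"],
    "template-engine@3.0.0": [],
    "yaml-parser@1.4.2": ["codec-lib@1.0.5"],
    "codec-lib@1.0.5": [],
}
# Constructed metadata per component: license, release date, highest known CVSS score.
META = {
    "web-framework@2.1.0": {"license": "MIT", "released": date(2023, 6, 1), "max_cvss": 0.0},
    "http-core@0.9.1": {"license": "Apache-2.0", "released": date(2019, 2, 1), "max_cvss": 9.8},
    "template-engine@3.0.0": {"license": "GPL-3.0", "released": date(2022, 1, 1), "max_cvss": 0.0},
    "yaml-parser@1.4.2": {"license": "BSD-3-Clause", "released": date(2024, 3, 1), "max_cvss": 5.3},
    "codec-lib@1.0.5": {"license": "MIT", "released": date(2017, 8, 1), "max_cvss": 0.0},
}


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy thresholds; Mend's own policy model is configured in its UI."""
    reject_cvss_at_least: float = 7.0          # high/critical vulnerabilities: reject
    manual_cvss_at_least: float = 4.0          # medium vulnerabilities: manual approval
    rejected_licenses: frozenset = frozenset({"GPL-3.0", "AGPL-3.0"})
    manual_if_older_than_days: int = 5 * 365   # stale libraries: manual approval


def inventory(direct, graph):
    """Every component reachable from the direct dependencies, mapped to its
    shallowest depth (0 = direct). Transitive components are included."""
    seen = {}
    stack = [(name, 0) for name in direct]
    while stack:
        name, depth = stack.pop()
        if name in seen and seen[name] <= depth:
            continue  # already recorded at this depth or shallower
        seen[name] = depth
        for child in graph.get(name, []):
            stack.append((child, depth + 1))
    return seen


def decide(meta, policy, today):
    """Return (decision, reason); the most severe rule wins."""
    if meta["max_cvss"] >= policy.reject_cvss_at_least:
        return "reject", f"vulnerability severity {meta['max_cvss']}"
    if meta["license"] in policy.rejected_licenses:
        return "reject", f"license {meta['license']} not allowed"
    if meta["max_cvss"] >= policy.manual_cvss_at_least:
        return "manual", f"vulnerability severity {meta['max_cvss']} needs review"
    if (today - meta["released"]).days > policy.manual_if_older_than_days:
        return "manual", f"released {meta['released']}, older than policy allows"
    return "approve", "no policy violation"


def evaluate(direct, graph, meta, policy, today):
    """Evaluate the whole inventory; returns name -> (depth, decision, reason)."""
    return {
        name: (depth, *decide(meta[name], policy, today))
        for name, depth in inventory(direct, graph).items()
    }


def build_should_fail(results):
    """A single rejected component, direct or transitive, fails the build."""
    return any(decision == "reject" for _, decision, _ in results.values())


if __name__ == "__main__":
    results = evaluate(DIRECT, GRAPH, META, Policy(), date(2024, 6, 1))
    for name, (depth, decision, reason) in sorted(results.items()):
        kind = "direct" if depth == 0 else f"transitive (depth {depth})"
        print(f"{decision:8} {name:24} {kind:22} {reason}")
    # A non-zero exit code is what makes a pipeline task fail the build.
    sys.exit(1 if build_should_fail(results) else 0)
```

Note that `http-core@0.9.1`, the component that fails this constructed build, is not in the direct dependency list at all; it is only reachable through `web-framework`. That is exactly why a scanner has to walk transitive dependencies rather than trusting the list a developer wrote down.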

Mend also offers a browser extension for use while searching online repositories such as GitHub and Maven Central.

Before choosing a new component, a developer can review its known security vulnerabilities, quality, and license issues, and check whether it fits their company's policies, rather than finding out when the build fails.