Facebook Pixel

How Can We Help?


Carbonetes Comprehensive Analysis in Azure DevOps

< All Topics

Azure DevOps [1] was produced by Microsoft to allow software development companies to have DevOps capabilities upon creating software. It supplies version controlling, project management, and of course, a CI/CD pipeline they called Azure Pipelines.

Azure Pipelines [2] is designed to implement an automated building, testing, and deploying software and can support several programming languages as its base language. It also has a feature they call “Extensions”.

Extensions [3] are third-party tools or plugins that you can add right into your pipeline for some additional function. These extensions can easily communicate with Azure DevOps services by using Microsoft RESTful APIs [4].

Carbonetes is able to produce a fully managed security service as an extension [5] on Azure DevOps that triggers a comprehensive container analysis. It analyzes your container images for native code vulnerabilities, software composition analysis (SCA), license types, secrets, and bill of materials (BOMs).

The Most Comprehensive Security Analysis in the Market

Carbonetes Comprehensive Analysis can provide all the results of analysis faster than our competition. It uses a larger number of pods [8] to analyze your images -- rather than using the old-fashioned way of scanning them. Aside from providing results more expediently, Carbonetes Comprehensive Analysis also provides best-in-class results of container security analysis. Moreover, it runs the analysis smoothly and continuously.

The Benefits of having Carbonetes Comprehensive Analysis in your Azure Pipelines

Carbonetes Comprehensive Analysis is built into your Azure pipelines. You don’t need to waste a lot of time building your code using various security software to detect specific aspects of it. Carbonetes Comprehensive Analysis can put together all container analysis into a particular function that joins with your actual development function. Carbonetes Scan can prompt a comprehensive container security analysis seamless and automatic. Upon building your images, it runs the analysis on your codes for security risks, checks the results against the policy, and builds or stops the build based on that policy evaluation.  For more information on our benefits, click here.

Getting Started

To enable Carbonetes Comprehensive Analysis right into your Azure Pipelines, you need to have an account on Azure DevOps [6].  In addition, valid credentials in Carbonetes are required.

If you haven't secured your credentials yet, you can register now.

See the table below for the required parameters.

username * The account username or email you use on Carbonetes.
password * The account password on Carbonetes.
registryUri * The registry uri is managed in Carbonetes.
repoImageTag * The image to be scanned under your registry.

Writing Configuration for Azure Pipelines

Modifying the azure-pipelines.yml file

In order for Carbonetes to trigger the analysis, you must first install the Carbonetes Comprehensive Analysis Task Extension [5]  within your Azure DevOps organization [7].

Carbonetes Comprehensive Analysis Task Extension

Proceed by following the steps to modify your azure-pipelines.yml file.

First, click the Pipelines section of the tab on the left side of the Azure DevOps interface.

Carbonetes Comprehensive Analysis

Then, click the Carbonetes Task Extension and supply the needed information and click the “Add” button below.

Carbonetes Task Extension

Below is the automatically generated code after you supply the needed information and click the “Add” button.

automatically generated code

After modifying the azure-pipelines.yml file, save the changes to trigger the pipeline.


Lastly, you can navigate to the Azure DevOps logs interface to review the results of the analysis.

Azure DevOps logs interface

Getting the Outcome

Results provided by Carbonetes Comprehensive Analysis

The table below illustrates the various results upon Carbonetes checking all the known vulnerabilities of a scanned image:

Result Description
Vulnerabilities A list of known security risks that can be exploited by a threat actor, listed with severities.
Software Compositions Software that might cause a security risk listed with severities.
Software Dependencies Pieces of software that rely on each other, listed with vulnerability counts.
Licenses Legal compliances that are found on each software of the scanned image.
Malware Virus threats that were found on the scanned image.
Secrets Secret data found on each software of the scanned image.
Bill of Materials A list of all the components that exist in software.
Policy Result The result of the policy evaluation `PASSED` or `FAILED`.
Final Action Decide if the build will `STOP` or `GO` based on the policy result.


[1]        https://azure.microsoft.com/en-us/services/devops/

[2]        https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started/what-is-azure-pipelines?view=azure-devops

[3]        https://docs.microsoft.com/en-us/azure/devops/extend/overview?view=azure-devops

[4]        https://docs.microsoft.com/en-us/rest/api/azure/devops/?view=azure-devops-rest-6.1

[5]        https://marketplace.visualstudio.com/items?itemName=Carbonetes.carbonetes-comprehensive-analysis

[6]        https://dev.azure.com/

[7]        https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/create-organization?view=azure-devops

[8]        https://cloud.google.com/kubernetes-engine/docs/concepts/pod#:~:text=Pods%20are%20the%20smallest%2C%20most,and%20share%20the%20Pod's%20resources