Azure Pipelines

Overview

Integrating Bridgecrew with Azure DevOps Pipelines lets you scan the Terraform and AzureRM templates in your repository as part of your normal CI / CD pipeline (for example on each commit or on each merge), report any violations to the Bridgecrew console and, optionally, fail the build when violations are found.

In Bridgecrew

Get API Token

From Integrations, select API Token and copy the API key. Store the key as an Azure DevOps pipeline variable marked as secret (Pipelines > Edit > Variables > "Keep this value secret") rather than writing it into azure-pipelines.yml; secret variables are masked in build logs and are not committed to the repository.

In Azure DevOps

  1. Create a new Pipeline or select an existing one.
  2. Add the following steps to your pipeline jobs or stages (depending on your existing configuration) in azure-pipelines.yml.
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.8'
  displayName: 'Install Python 3.8'
- script: pip install bridgecrew
  displayName: 'Install the Bridgecrew CLI'
- script: bridgecrew -d <directory> --bc-api-key <key> --repo-id <org/repo> --branch <branch>
  displayName: 'Scan with Bridgecrew'

Arguments:

  • <directory> - the directory containing the IaC files to scan.
  • <key> - your Bridgecrew API key obtained earlier, ideally referenced from a secret pipeline variable (e.g. $(BC_API_KEY)) instead of pasted in plain text.
  • <org/repo> - the name of the organization and repository, as in the value you would use in a git remote URL, e.g. your_org/your_repo.
  • <branch> - the name of the branch being scanned.

If you only want to scan locally in the build and skip reporting violations to the Bridgecrew platform, omit the --bc-api-key, --repo-id and --branch arguments.

By default the scan exits with a non-zero status when violations are found, which fails the step and therefore the job. If you want to scan the build and report violations without failing the build, add the --soft-fail option.

An example pipeline for scanning a Terraform module and applying it only after a clean scan would look like this. No explicit gating is needed: Azure Pipelines runs each step only if the previous steps succeeded, so a failing scan (without --soft-fail) stops the job before the apply step.

trigger:
  paths:
    include:
      - terraform/*

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.8'
  displayName: 'Install Python 3.8'
- task: TerraformInstaller@0
  inputs:
    terraformVersion: 'v0.12.28'
  displayName: 'Install Terraform'
- task: TerraformCLI@0
  inputs:
    command: 'init'
    workingDirectory: 'terraform'
    backendType: 'azurerm'
    backendServiceArm: '...'
    backendAzureRmResourceGroupName: '...'
    backendAzureRmStorageAccountName: '...'
    backendAzureRmContainerName: '...'
    backendAzureRmKey: '...'
  displayName: 'terraform init'
- task: TerraformCLI@0
  inputs:
    command: 'validate'
    provider: 'azurerm'
    workingDirectory: 'terraform'
  displayName: 'terraform validate'
- script: pip install bridgecrew
  displayName: 'Install the Bridgecrew CLI'
# BC_API_KEY is a secret pipeline variable; do not hardcode the key in this file.
- script: bridgecrew -d terraform --bc-api-key $(BC_API_KEY) --repo-id my_org/my_repo --branch master
  displayName: 'Scan with Bridgecrew'
- task: TerraformCLI@0
  inputs:
    command: 'apply'
    workingDirectory: 'terraform'
    environmentServiceName: '...'
  displayName: 'terraform apply'
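The following is an added variant of the scan step, not taken from the Bridgecrew documentation, showing how to hand the API key to the CLI from a secret pipeline variable through an explicit env: mapping. Azure DevOps does not export secret variables to scripts automatically, so the mapping is required when the script reads the key as a shell variable. The variable name BC_API_KEY and the repository name my_org/my_repo are assumptions; $(Build.SourceBranchName) is the predefined Azure Pipelines variable for the branch being built (on pull-request builds it resolves to "merge", so pass the branch explicitly there).

```yaml
# Added example: scan step reading the Bridgecrew API key from a secret pipeline
# variable named BC_API_KEY (assumed name). Mapping it under env: keeps the key out
# of azure-pipelines.yml; Azure masks the secret's value in the step's log output.
- script: |
    set -eu
    bridgecrew -d terraform \
      --bc-api-key "$BC_API_KEY" \
      --repo-id my_org/my_repo \
      --branch "$(Build.SourceBranchName)"
  displayName: 'Scan with Bridgecrew (key from secret variable)'
  env:
    BC_API_KEY: $(BC_API_KEY)   # secret variables are not exposed to scripts unless mapped
```

With set -e in the script, the step fails as soon as the scan exits non-zero, so the terraform apply step that follows in the pipeline above is still skipped on violations unless --soft-fail is added to the command.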