DevSecOps
Static code analysis
Static code analysis is used during compile time to find security issues and code vulnerabilities.
It runs on developer machines but also in Azure pipelines as part of the build process.
We're using the built-in .NET security analyzers (https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/security-warnings). They detect various security vulnerability patterns.
Configuration
All projects should configure at least AnalysisModeSecurity and TreatWarningsAsErrors:
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<AnalysisModeSecurity>All</AnalysisModeSecurity>
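As an added example (not from this page or the project), the same two settings placed in a Directory.Build.props at the repository root, which MSBuild imports into every project below it, so a project cannot skip them by omitting them from its own .csproj. EnableNETAnalyzers, AnalysisLevel and WarningsNotAsErrors are standard MSBuild properties added here beyond the two the page names.

```xml
<!-- Directory.Build.props (repository root). MSBuild imports this file into
     every project under this directory, so the security analyzers are enforced
     repo-wide instead of relying on each .csproj to opt in. -->
<Project>
  <PropertyGroup>
    <!-- Make sure the built-in .NET analyzers are on and use the newest rule set.
         Pin to a version such as 8.0 if rule changes should arrive deliberately
         rather than with each SDK update. -->
    <EnableNETAnalyzers>true</EnableNETAnalyzers>
    <AnalysisLevel>latest</AnalysisLevel>

    <!-- Enable every rule in the Security category (CA2xxx/CA5xxx) as a warning... -->
    <AnalysisModeSecurity>All</AnalysisModeSecurity>

    <!-- ...and fail the build on any warning, so a flagged pattern cannot reach
         the artifact produced by the Azure pipeline. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- If a non-security warning must be tolerated temporarily, exempt that single
         rule id here instead of disabling TreatWarningsAsErrors for the project.
         Leave security rule ids out of this list. Constructed placeholder: -->
    <!-- <WarningsNotAsErrors>CS1591</WarningsNotAsErrors> -->
  </PropertyGroup>
</Project>
```

A project that needs to diverge still inherits these values; check its .csproj and .editorconfig for `NoWarn` or `dotnet_diagnostic.CA*.severity = none` entries when a review shows a security rule that is not firing.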
NuGet vulnerability scan
Snyk statically analyzes our master branch to find vulnerable dependencies and suggests how to fix them.
It's configured to monitor our code daily for new vulnerabilities by executing the Minority Snyk dependency scan pipeline every night.
To view scan results, open a build and then open the Snyk Report tab.
We're currently using the Free account which includes 200 tests per month.
All Snyk features
- Scan for application dependencies
- Scan container images (Docker images)
- License compliance
- Kubernetes applications
To read more about Snyk, click here.