How to configure Azure DevOps with S4
Please follow these steps to set up S4 to scan your Azure DevOps repository based on Azure DevOps events.
1. First, you will need to retrieve the S4 Web Secret specific to your Salesforce org. Please use a browser to go to https://s4.digitsec.com and sign in.
2. After logging in, find the Salesforce org you wish to scan. Click the collapsible function menu and select Edit Org Info.
3. On the Edit Org Information page, click the Azure tab. The first time you open this tab, your Azure Secret is shown in cleartext. Use the clipboard icon to copy the field contents. You will need this key in Step 10.
4. Open a new browser window and log in to your Azure DevOps repository.
5. In the lower left corner, click Project Settings.
6. Next, click Service Hooks.
7. Click the green Add button to create a new hook.
8. An Add Hook dialog appears. Use the scrolling navigation on the left-hand side to choose Web Hooks.
9. Select the Triggers that correspond to the events that should start an S4 scan of your repository. These are Pull Request Created and Pull Request Updated, as shown below:
10. The next screen asks for a URL. Use https://s4.digitsec.com/azure/webhooks/<Azure Secret>, replacing <Azure Secret> with the Azure Secret you copied to the clipboard in Step 3, and paste the result into the URL field. Your webhook URL should look similar to the diagram below.
11. You must now create a Personal Access Token (PAT). You will copy this token and enter it into the Azure tab of the Edit Org Information page left open in Step 3. Click the User Settings button in the top right corner of Azure DevOps.
12. Then click Personal Access Tokens.
13. Then click New Token.
14. On the Personal Access Token (PAT) creation dialog, set the Name, Organization and Expiration parameters that meet your needs. To work with S4, set the Scope by selecting the Custom defined radio button, then the Read and Write radio button under the Code sub-header. Once the form is complete, press the Create button.
15. Azure will present the PAT to you in cleartext. Copy it immediately and save it to a local file; Azure will not display the PAT in cleartext again. Return to the window you opened in Step 3, paste the Azure PAT into the corresponding field and click Save.
16. To verify that everything is working, take an action that activates the trigger you selected. The scan begins as soon as the event fires. Scans typically take between 5 and 15 minutes. S4 will send a notification email once the scan has completed, with a link to your S4 Findings Detail Report.
17. The results from S4 show up in the pull request comments, as follows:
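As an added example (not S4's or DigitSec's code), the following Python shows the two parts of this setup that are easiest to get wrong: building the Step 10 URL from the Azure Secret, and the receiver-side check that only a webhook carrying the right secret and one of the two pull-request event types chosen in Step 9 starts a scan. The event-type identifiers, the payload fields and the sample values are assumptions, not taken from this page.

```python
import hmac
import json
from typing import Optional
from urllib.parse import urlparse

S4_WEBHOOK_BASE = "https://s4.digitsec.com/azure/webhooks/"
# Event types Azure DevOps emits for the two triggers chosen in Step 9; the
# identifiers are assumed from Azure DevOps' service-hook docs, not this page.
SCAN_EVENTS = {"git.pullrequest.created", "git.pullrequest.updated"}


def build_webhook_url(azure_secret: str) -> str:
    """Step 10: the URL pasted into the Service Hook dialog. The secret is the
    only thing authenticating the hook, so the whole URL is a credential."""
    if not azure_secret or any(c.isspace() for c in azure_secret):
        raise ValueError("Azure Secret must be one non-empty token")
    return S4_WEBHOOK_BASE + azure_secret


def secret_from_url(url: str) -> str:
    """Return the secret segment at the end of a configured webhook URL."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def should_scan(url: str, expected_secret: str, body: bytes) -> Optional[dict]:
    """Receiver-side gate modelled on what the S4 endpoint has to do: compare
    the path secret in constant time, then start a scan only for the two
    pull-request event types. Returns the PR to scan, or None to drop."""
    if not hmac.compare_digest(secret_from_url(url), expected_secret):
        return None
    event = json.loads(body)
    if event.get("eventType") not in SCAN_EVENTS:
        return None
    res = event["resource"]
    return {
        "pull_request_id": res["pullRequestId"],
        "repository": res["repository"]["name"],
        "source_ref": res["sourceRefName"],
    }


# Constructed sample: placeholder secret and a trimmed payload in the shape
# Azure DevOps uses for pull-request events (hypothetical values).
SAMPLE_SECRET = "EXAMPLE-AZURE-SECRET"
SAMPLE_URL = build_webhook_url(SAMPLE_SECRET)
SAMPLE_EVENT = json.dumps({
    "eventType": "git.pullrequest.created",
    "resource": {"pullRequestId": 42, "repository": {"name": "salesforce-app"},
                 "sourceRefName": "refs/heads/feature/login-flow"},
}).encode()
```

A push event, or a request whose path secret does not match, yields None and is dropped before any scan is queued.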