WhiteSource Bolt Azure DevOps

WhiteSource Bolt is a security and open-source risk management solution that can be integrated into Azure DevOps pipelines to enhance security and compliance. It helps organizations identify and mitigate security vulnerabilities and open-source risks in their codebase. Here’s how WhiteSource Bolt can be used with Azure DevOps:

  1. Installation and Configuration:

    • To get started, you can install the WhiteSource Bolt extension from the Azure DevOps Marketplace. Once installed, you’ll need to configure it by providing your WhiteSource API token and project details.
  2. Scanning Code Dependencies:

    • WhiteSource Bolt scans your codebase and its dependencies to identify open-source components, libraries, and packages that are used in your project. It creates an inventory of these components.
  3. Vulnerability Detection:

    • The tool checks the WhiteSource vulnerability database to identify known security vulnerabilities associated with the open-source components in your project. It provides information about the severity of each vulnerability.
  4. Policy Enforcement:

    • WhiteSource Bolt allows you to define policies and rules based on your organization’s security and compliance requirements. You can set policies to automatically fail a build if certain conditions are met, such as the presence of critical vulnerabilities.
  5. Build Integration:

    • WhiteSource Bolt can be integrated into your Azure DevOps build pipelines. You can configure it to run as a build task, ensuring that code scans and vulnerability checks are performed as part of your CI/CD process.
  6. Scan Results and Reports:

    • After a scan is performed, WhiteSource Bolt provides detailed reports that list the identified open-source components, their licenses, and any associated security vulnerabilities. These reports can be accessed within Azure DevOps.
  7. Continuous Monitoring:

    • WhiteSource Bolt can be configured to monitor your codebase continuously. It can automatically trigger scans whenever new code changes are committed, ensuring that your project remains secure over time.
  8. Compliance and Licensing:

    • In addition to security, WhiteSource Bolt helps you manage open-source licenses and compliance. It identifies licenses used by open-source components and flags any licensing issues that may need attention.
  9. Alerts and Notifications:

    • WhiteSource Bolt can send alerts and notifications to relevant team members when security vulnerabilities or policy violations are detected. This ensures that the right people are informed promptly.
  10. Remediation Guidance:

    • The tool provides guidance on how to remediate identified vulnerabilities. It suggests updates or patches for vulnerable components and helps you take action to resolve issues.
  11. Integration with Azure Artifacts:

    • WhiteSource Bolt can integrate with Azure Artifacts to scan and assess the security of your private package feeds, ensuring that even internally developed packages meet security and compliance standards.
  12. API Integration:

    • WhiteSource provides APIs that can be used for deeper integration with Azure DevOps or other systems. This allows for custom workflows and reporting.
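
The policy gate from items 4 and 8, sketched as an added example (not WhiteSource's code and not from the original page): a script step that evaluates a scan report against a severity threshold and a license deny-list, then fails the build. The report schema, component names, vulnerability IDs and the policy itself are constructed assumptions; `##vso[task.logissue]` is the Azure DevOps logging command for raising an error on the run.

```python
import json
import sys

# Constructed scan report; the field names are assumptions for this example,
# not WhiteSource Bolt's actual report schema.
SAMPLE_REPORT = json.loads("""
{"components": [
  {"name": "example-lib-a", "version": "1.2.0", "license": "MIT",
   "vulnerabilities": [{"id": "EXAMPLE-0001", "severity": "critical"}]},
  {"name": "example-lib-b", "version": "4.0.1", "license": "GPL-3.0",
   "vulnerabilities": []},
  {"name": "example-lib-c", "version": "0.9.3", "license": "Apache-2.0",
   "vulnerabilities": [{"id": "EXAMPLE-0002", "severity": "medium"}]}
]}
""")

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy: block at or above this severity, and block these licenses.
POLICY = {"fail_on_severity": "critical", "denied_licenses": {"GPL-3.0", "AGPL-3.0"}}


def evaluate(report, policy):
    """Return a list of human-readable policy violations."""
    threshold = SEVERITY_RANK[policy["fail_on_severity"]]
    violations = []
    for comp in report.get("components", []):
        ident = f"{comp['name']}@{comp['version']}"
        for vuln in comp.get("vulnerabilities", []):
            # Unknown severity labels are treated as critical (fail closed).
            rank = SEVERITY_RANK.get(str(vuln.get("severity", "")).lower(), 4)
            if rank >= threshold:
                violations.append(f"{ident}: {vuln['id']} ({vuln.get('severity')})")
        if comp.get("license") in policy["denied_licenses"]:
            violations.append(f"{ident}: denied license {comp['license']}")
    return violations


def gate(report, policy, out=sys.stdout):
    """Print Azure DevOps logging commands; return the process exit code."""
    violations = evaluate(report, policy)
    for v in violations:
        # Surfaces each violation as an error in the pipeline run summary.
        print(f"##vso[task.logissue type=error]{v}", file=out)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT, POLICY))
```

Run as a script step after the scan, the non-zero exit code fails the step and therefore the build.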

In summary, WhiteSource Bolt enhances the security and compliance aspects of your Azure DevOps pipelines by automatically scanning and identifying security vulnerabilities and open-source risks in your codebase and dependencies. It helps organizations proactively address security concerns and maintain a strong security posture throughout the development lifecycle.
