Getting started with the Security Report build task

The Security Report build task summarizes all issues found by the security analysis tools that run as part of the build definition.
Issues can be logged to the build console log, to a TSV file, and/or to an HTML file for review after the build completes.
You can choose to summarize issues from all tools, or only from specific tools.

Prerequisites:

1. You are using the Azure DevOps Build system.
2. The Microsoft Security Code Analysis Extension installed in your account.
3. At least one Security Development Tool build task has been added to the build definition prior to this build task.

Setup:

1. Open your team project from your Azure DevOps Account.
2. Navigate to the Build tab under Build and Release
3. Select the Build Definition into which you wish to add the Security Report build task.
  • New - Click New and follow the steps detailed to create a new Build Definition.
  • Edit - Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
4. Click + to navigate to the Add Tasks pane.
5. Find the Create Security Analysis Report build task either in the list or by using the search box, and then click Add.
6. The Create Security Analysis Report build task should now be a part of the Build Definition.
Place this task after all security analysis tool tasks have run, but before the Publish Security Analysis Logs build task, so that the report file it creates is published to the build artifacts along with the other security analysis tool logs.

Customizing the Security Report Build Task:

1. Click the Create Security Analysis Report task to see the available options.
2. Reports - Choose the report files to create; one report is produced for each selected format: console, TSV, and/or HTML.
3. Tools - Select the tools in your build definition for which you would like a summary of detected issues. For each selected tool there may be an option to include only errors, or both errors and warnings, in the report.
4. Advanced Options - Choose whether a missing log for one of the selected tools is logged as a warning, or as an error that fails the task. Failing the task is the safer choice: a missing log usually means the tool did not run at all, and a warning is easy to overlook in a green build.
You can also customize the base logs folder in which the tool logs are expected, but this is not a typical scenario.
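The same ordering and options expressed as a YAML pipeline fragment, added here as an illustration rather than taken from the original page. The task identifiers (SdtReport, PublishSecurityAnalysisLogs) and input names (AllTools, BinSkim, BinSkimBreakOn, CredScan, ToolLogsNotFoundAction, ArtifactName) are assumptions from memory of the extension's YAML schema, not confirmed by this page; check them against the task reference in your own Azure DevOps organization before use.

```yaml
# Added example (not from the original page). Task and input names are assumed.
steps:
  # 1. Security analysis tool tasks run first (CredScan and BinSkim shown as examples).
  - task: CredScan@2
    displayName: 'Run CredScan'
    inputs:
      toolMajorVersion: 'V2'

  - task: BinSkim@3
    displayName: 'Run BinSkim'
    inputs:
      InputType: 'Basic'
      Function: 'analyze'
      AnalyzeTarget: '$(Build.ArtifactStagingDirectory)\*.dll'

  # 2. The report task comes after every tool task and before the publish task.
  - task: SdtReport@1
    displayName: 'Create Security Analysis Report'
    inputs:
      AllTools: false                 # summarize only the tools listed below
      BinSkim: true
      BinSkimBreakOn: 'WarningAbove'  # include both warnings and errors for BinSkim
      CredScan: true                  # CredScan reports errors only
      ToolLogsNotFoundAction: 'Error' # fail the task if a selected tool left no log

  # 3. Publishing last ensures the report file lands in the artifacts with the tool logs.
  - task: PublishSecurityAnalysisLogs@3
    displayName: 'Publish Security Analysis Logs'
    inputs:
      ArtifactName: 'CodeAnalysisLogs'
      AllTools: true
```

With ToolLogsNotFoundAction set to 'Error', a tool task that was removed, disabled, or skipped by a condition causes the report task (and so the build) to fail instead of quietly producing a report with that tool missing.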

Microsoft Corporation 2017