As more software development teams move to the cloud, it is more important than ever to ensure that only vetted open source components make it into a final application. With a 71% increase in open source related breaches within the last five years and over 21,000 new open source releases every day, it is impossible for organizations to keep track of their open source usage manually. Automated open source governance must be integrated into every stage of the SDLC, including CI/CD.
That’s why I am happy to announce that we just released a Nexus IQ Extension for Azure DevOps.
With this extension, a new step in the pipeline evaluates the build against your Nexus IQ policies and reports any open source security, license, or quality violations. If a violation is found, Nexus Lifecycle fails the build or raises a warning in Azure DevOps, depending on the action the violated policy assigns to the build stage, and links to the Nexus Lifecycle policy report for violation details and remediation guidance.
Now, developers can easily see the components that violate policies directly within Azure Pipelines.
Or they can rest assured knowing that everything is fine when all of the open source components meet policy guidelines.
If there are open source policy violations, developers can see exactly which components violate which policy and pick a version, or an alternative component, that passes policy so that the next build is clean.
The Nexus IQ Policy Evaluation report is also available in the Azure DevOps dashboard for a quick view into open source components used within the application.
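The extension packages the fail-or-warn behaviour described above as a ready-made pipeline task. To make that contract concrete, here is the same step written by hand as a script stage, as an added example that is not Sonatype's code or part of the extension. It runs a scanner command, maps its exit status to a policy outcome, and tells the Azure Pipelines agent what to do with the `##vso[...]` logging commands the agent parses from stdout. The exit-code meanings (0 pass, 1 tool error, 2 Fail action, 3 Warn action), the IQ CLI flags in the commented invocation, and the `IQ_*`/`REPORT_URL` variables are all assumptions for this example; check them against your IQ Server documentation before relying on them.

```shell
#!/usr/bin/env bash
# Hand-rolled equivalent of a policy-evaluation pipeline step (constructed example,
# not the Sonatype extension). Exit-code meanings below are ASSUMED for the example:
#   0 = no policy action, 1 = tool error, 2 = Fail action, 3 = Warn action.

# Map a scanner exit status to a policy outcome word.
iq_outcome() {
  case "$1" in
    0) echo pass ;;
    1) echo error ;;
    2) echo fail ;;
    3) echo warn ;;
    *) echo unknown ;;
  esac
}

# Emit the Azure Pipelines logging command for an outcome. The agent reads
# ##vso[task.logissue ...] and ##vso[task.complete ...] from stdout; a warning
# marks the task SucceededWithIssues, result=Failed stops the pipeline.
vso_command() {
  local outcome=$1 report_url=$2
  case "$outcome" in
    pass) echo "##vso[task.complete result=Succeeded;]No policy violations" ;;
    warn) echo "##vso[task.logissue type=warning;]Policy warnings; see $report_url" ;;
    fail) echo "##vso[task.logissue type=error;]Policy violations; see $report_url"
          echo "##vso[task.complete result=Failed;]Policy evaluation failed" ;;
    *)    echo "##vso[task.complete result=Failed;]Policy scan did not complete ($outcome)" ;;
  esac
}

# Run the scanner given as arguments, translate its status, and return
# 0 when the build may continue (pass or warn) or 1 when it must stop.
evaluate_build() {
  local report_url=$1; shift
  local rc=0 outcome
  "$@" || rc=$?
  outcome=$(iq_outcome "$rc")
  vso_command "$outcome" "$report_url"
  case "$outcome" in
    pass|warn) return 0 ;;
    *)         return 1 ;;
  esac
}

# Real use in a pipeline script step (placeholders; flags assumed, verify them):
# evaluate_build "$REPORT_URL" \
#   java -jar "${IQ_CLI_JAR:-nexus-iq-cli.jar}" -s "$IQ_SERVER_URL" \
#        -a "$IQ_CREDENTIALS" -i "$IQ_APP_ID" -t build "$BUILD_SOURCESDIRECTORY"
```

A tool error (exit 1) is deliberately treated as a stop, not a pass: a scanner that could not run has not evaluated anything, and silently continuing would let unscanned components through the gate.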
In a DevOps world, the only way to deliver secure applications at scale is to rely on precise intelligence about the quality of the open source components used within those applications. Nexus Lifecycle provides the most precise intelligence regarding security vulnerabilities, license risk, and architectural quality of open (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michelle Dufty. Read the original post at: https://blog.sonatype.com/nexus-lifecycle-now-integrates-with-azure-devops-to-secure-software-supply-chains-in-the-cloud