Integrating with Azure DevOps pipeline

How to integrate Kubescape to Azure DevOps pipelines

Use Azure DevOps pipelines to scan your YAML files for misconfigurations with Kubescape. Scan results are included as part of your pipelines.

Add scanning YAML files to your workflow

Scan your repository using either the YAML pipeline or the classic pipeline.

YAML pipeline

  1. In the root of your repository, create a file named azure-pipelines.yml.

  2. Add the following to the file to scan the Kubernetes objects in your YAML files.

    - master
      vmImage: 'ubuntu-18.04'
    container: jmferrer/azure-devops-agent:latest
    - script:  |
        mkdir $HOME/.local/bin
        export PATH=$PATH:$HOME/.local/bin
        curl -s | /bin/bash
        kubescape scan .  
      displayName: 'Run Kubescape'
  3. Run the pipeline, and view the results in the pipeline logs.

  4. Add a Publish Test Results task to allow the pipeline to parse your results.

    - task: PublishTestResults@2
       testResultsFormat: 'JUnit' 
       testResultsFiles: 'results.xml'
  5. Run the pipeline again to enable Azure DevOps to parse the results.

Classic pipeline

  1. Create a file in your code repository, and then add the following: (pointing to the YAML files you are about to scan in the command line instead of *.yaml )

    mkdir $HOME/.local/bin
    export PATH=$PATH:$HOME/.local/bin
    curl -s | /bin/bash
    kubescape scan --format junit --output results.xml .
  2. Add a bash script task and point it to

  3. Point to the file.

  4. Add a Publish Test Results task after the Kubescape scan task.

  5. Point to results.xml.

  6. Save and run the pipeline.

After the pipelines run, Azure DevOPs parses the scan results.