SOOS is an independent software security company, located in Winooski, VT USA, building security software for your team. SOOS, Software security, simplified.
Use SOOS to scan your software for vulnerabilities and open source license issues with SOOS Core SCA. Generate and ingest SBOMs. Export reports to industry standards. Govern your open source dependencies. Run the SOOS DAST vulnerability scanner against your web apps or APIs. Scan your Docker containers for vulnerabilities. Check your source code for issues with SAST Analysis.
Demo SOOS or Register for a Free Trial.
If you maintain an Open Source project, sign up for the Free as in Beer SOOS Community Edition.
This SOOS Azure DevOps Security Analysis Task is available on the Azure DevOps Visual Studio Marketplace.
The task inputs are listed below, organized by parameter group. Each table gives the parameter name, its description, and its default/initial value.

Common parameters

Parameter Name | Description | Default/Initial Value
---|---|---
apiKey | SOOS API Key | Required
clientId | SOOS Client ID | Required
scanType | The type of scan to run. Options: SCA, DAST, CSA, SBOM, SAST | SCA
projectName | The name of the project (Defaults: Build.Repository.Name) | N/A
branch | Branch name (Defaults: System.PullRequest.SourceBranch or Build.SourceBranch) | N/A
branchUri | Link to the current branch (Defaults: Build.Repository.Uri) | N/A
commitHash | Commit hash (Defaults: Build.SourceVersion) | N/A
buildVersion | Current build version | N/A
buildUri | Link to the current build (Defaults: Build.BuildUri) | N/A
logLevel | Minimum log level. Options: DEBUG, INFO, WARN, FAIL, ERROR | INFO
onFailure | Action when the scan fails. Options: continue_on_failure, fail_the_build | continue_on_failure
outputFormat | Log the output to the console. Options: <Not Set>, SARIF | not_set

SCA parameters (scanType: SCA)

Parameter Name | Description | Default/Initial Value
---|---|---
packageManagers | Package managers to include when searching for manifest files | Multi-select options available
projectPath | Relative path to the project root (Defaults: Build.SourcesDirectory) | N/A
excludedDirectories | Directory glob patterns to exclude | ""
excludedFiles | File glob patterns to exclude | ""

SAST parameters (scanType: SAST)

Parameter Name | Description | Default/Initial Value
---|---|---
projectPath | Relative path to the project root (Defaults: Build.SourcesDirectory) | N/A
excludedDirectories | Directory glob patterns to exclude | ""
excludedFiles | File glob patterns to exclude | ""

DAST parameters (scanType: DAST)

Parameter Name | Description | Default/Initial Value
---|---|---
targetUri | Target URL or path to spec file | Required
scanMode | Scan mode. Options: Baseline, Full, API, Active | N/A
apiFormat | API format (Visible if scanMode is apiscan). Options: OpenAPI, SOAP, GraphQL |
useAjaxSpider | Use the AJAX spider for JavaScript-heavy apps | false
scanDurationInMinutes | Duration in minutes for the spider (Visible if scanMode is fullscan) | N/A
disableRules | ZAP rule IDs to disable | N/A
debug | Enable ZAP debug logging | false
contextFile | Path to the context file | N/A
requestHeaders | Request headers to include in every request | N/A
bearerToken | Bearer token for authentication | N/A
authFormType | Type of authentication form. Options: Simple, Wait for Password, Multi-Page |
authUsername | Username for authentication | N/A
authPassword | Password for authentication | N/A
authLoginURL | Authentication login URL | N/A
authUsernameField | Username input ID | N/A
authPasswordField | Password input ID | N/A
authSubmitField | Submit button ID | N/A
authSecondSubmitField | Second submit button ID (for multi-page forms) | N/A
authSubmitAction | Submit button action. Options: Click, Submit |
authDelayTime | Delay time (seconds) after form actions | N/A
authVerificationURL | URL to verify authentication success | N/A
oauthTokenUrl | OAuth token URL | N/A
oauthParameters | OAuth parameters | N/A
otherOptions | Additional options for ZAP or Syft | N/A
workingDirectory | Working directory for the container (Defaults: Build.SourcesDirectory) | N/A
zapOptions | Additional ZAP command-line options | N/A

CSA parameters (scanType: CSA)

Parameter Name | Description | Default/Initial Value
---|---|---
otherOptions | Additional options for ZAP or Syft | N/A
targetToScan | Docker image name to scan | Required
workingDirectory | Working directory for the container (Defaults: Build.SourcesDirectory) | N/A

SBOM parameters (scanType: SBOM)

Parameter Name | Description | Default/Initial Value
---|---|---
sbomPath | SBOM file or folder to scan | Root of the pipeline (if not specified)
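The following azure-pipelines.yml fragment is an added example of how the inputs in the tables above fit together in a pipeline; it is not taken from the SOOS project or its marketplace listing. It assumes a placeholder task identifier (SOOS_TASK_ID@1, to be replaced with the identifier and major version shown on the marketplace page), an assumed variable group named soos-secrets that holds SOOS_API_KEY, SOOS_CLIENT_ID and DAST_BEARER_TOKEN as secret pipeline variables, and a constructed staging URL. The SCA and SAST jobs run on the checked-out source, the DAST job runs a Baseline scan against the staging target, and all three set onFailure to fail_the_build so that a failed scan blocks the pipeline instead of passing silently under the continue_on_failure default.

```yaml
# Added example pipeline (not from the SOOS project). Assumptions:
#   - SOOS_TASK_ID@1 is a placeholder for the task identifier and major version
#     shown on the marketplace listing; replace it before use.
#   - soos-secrets is an assumed variable group storing SOOS_API_KEY,
#     SOOS_CLIENT_ID and DAST_BEARER_TOKEN as secret variables.
#   - https://staging.example.invalid is a constructed DAST target.
trigger:
  branches:
    include:
      - main

variables:
  - group: soos-secrets

stages:
  - stage: SourceScans
    displayName: SCA and SAST on the checked-out source
    jobs:
      - job: sca
        pool:
          vmImage: ubuntu-latest
        steps:
          - checkout: self
          - task: SOOS_TASK_ID@1              # placeholder, see header comment
            displayName: SOOS SCA
            inputs:
              apiKey: $(SOOS_API_KEY)        # secret variable, never a literal
              clientId: $(SOOS_CLIENT_ID)    # secret variable
              scanType: SCA
              # projectName, branch, commitHash and buildUri are omitted: the task
              # falls back to Build.Repository.Name, Build.SourceBranch,
              # Build.SourceVersion and Build.BuildUri (see the parameter tables).
              projectPath: $(Build.SourcesDirectory)
              excludedDirectories: '**/node_modules/**'
              onFailure: fail_the_build      # default continue_on_failure would
                                             # let a failed scan pass the gate
              outputFormat: SARIF
              logLevel: INFO
      - job: sast
        pool:
          vmImage: ubuntu-latest
        steps:
          - checkout: self
          - task: SOOS_TASK_ID@1
            displayName: SOOS SAST
            inputs:
              apiKey: $(SOOS_API_KEY)
              clientId: $(SOOS_CLIENT_ID)
              scanType: SAST
              projectPath: $(Build.SourcesDirectory)
              excludedFiles: '**/*.min.js'
              onFailure: fail_the_build

  - stage: DynamicScan
    displayName: DAST against a deployed staging instance
    dependsOn: SourceScans
    jobs:
      - job: dast
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: SOOS_TASK_ID@1
            displayName: SOOS DAST baseline
            inputs:
              apiKey: $(SOOS_API_KEY)
              clientId: $(SOOS_CLIENT_ID)
              scanType: DAST
              targetUri: https://staging.example.invalid   # constructed target
              scanMode: Baseline
              useAjaxSpider: true
              bearerToken: $(DAST_BEARER_TOKEN)  # secret variable, not inline
              onFailure: fail_the_build
              outputFormat: SARIF
```

The secret-bearing inputs (apiKey, clientId, bearerToken, and likewise authPassword and oauthParameters when the form or OAuth options are used) are always referenced through secret pipeline variables so they never appear in the repository or the build log; outputFormat: SARIF is set on the jobs whose findings should be consumed by downstream tooling.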