WhiteSource for Azure Repos scans open source code for security vulnerabilities
WhiteSource has released an Azure DevOps repository integration, allowing Azure DevOps users to detect all open source components and automatically apply security policies directly from their repository.
Users can now receive vulnerability alerts along with detailed remediation information, including suggested fixes and prioritization tips, from within their native environment, without having to learn a new user interface (UI).
As the time to market for applications gets shorter every year, software development teams are challenged to speed up their processes without compromising security. Many software composition analysis (SCA) vendors scan the repository for vulnerabilities, but only provide results in their own user interface, which slows down the development process.
WhiteSource’s integration for Azure Repos automatically scans open source code for security vulnerabilities or license violations with every merge request, before the code is merged. If a merge request introduces a new vulnerability, the developer receives immediate feedback so the newly introduced issue can be resolved before merging; positive feedback is given when a pull request resolves vulnerabilities.
This differential view, comparing the feature branch against the master branch, flags only what the change itself introduces or fixes, so pre-existing findings do not interrupt the developer's workflow. In addition to WhiteSource’s existing integrations with all major code repositories, including GitHub, GitHub Packages, JFrog, Bitbucket, and GitLab, the new WhiteSource integration for Azure Repos allows users to generate inventory, security, and compliance reports.
With WhiteSource’s cloud-based integration for Azure Repos, users can:
- Show automated correction suggestions — WhiteSource Enterprise automatically generates pull requests in the repository to update vulnerable open source components to the lowest non-vulnerable version, i.e. the smallest version bump that clears the known vulnerabilities, which keeps the risk of breaking changes low.
- Apply policies – policies are automatically applied in the repository for each merge request. The status and results of each scan are displayed on the Commits page.
- Merge with confidence – WhiteSource’s “Merge Confidence” feature uses crowdsourced data to show the likelihood that an open source component can be updated without breaking the build. Merge Confidence includes age, adoption, and upgrade compatibility data to create a confidence score.
- Check for IaC configuration errors – Protect production environments and secure cloud, containers, and Kubernetes directly from Azure Repos.
“Scanning for vulnerabilities within the repository is the ‘leftmost’ point to which organizations can shift their security efforts while enforcing policies and requiring all developers to scan their code,” said Ori Bach, Executive Vice President of Products at WhiteSource. “The cost of patching vulnerabilities is higher as you progress through your software development lifecycle. With the WhiteSource for Azure Repos integration, developers can receive feedback on their code when it’s fresh in their minds, making it easier to fix vulnerabilities while helping organizations save time and money.”