Azure DevOps
Last updated
Was this helpful?
Last updated
Was this helpful?
Mobb can be integrated into Azure DevOps via the official Mobb Autofixer plugin. This article will walk through the process of installing the plugin.
The Mobb Azure DevOps Pipeline task is supported on the following ADO platforms:
Azure DevOps Service (Cloud)
Azure DevOps Server 2022.2
Click on "Get it free"
Follow the instructions to install it in your Azure DevOps Service or Azure DevOps Server environment.
To set up the service connection, first go your Azure DevOps organization. Click on Project Settings -> Service Connections -> New Service Connection.
Search for "Mobb" to locate "Mobb Autofixer Endoint". Afterwards, click "Next" to open the Endpoint service connection configurator.
Next, verify your Server URL, by default, it is set to https://app.mobb.ai, which is Mobb's public tenant URL. If you are using a single-tenant, please put in your single-tenant URL here. Click "Save" when you're done.
Begin by creating a pipeline. You can use an existing pipeline where SAST scans are already being conducted, or you can also use a starter YAML pipeline template.
To use the plugin, you will need to have Node.js version 18 or above installed. To do so, search for "Node.js tool" from the Task Assistant located on the top right.
In the Node.js configuration page, put 18.x (or anything above).
Next, we will add the "Mobb Autofixer" step. Search for "Mobb"
In the Mobb Autofixer configuration screen, provide the following info:
Credential (Required) - Select the Credential you created earlier in the Project Service Connection page.
SAST Report File Location (Required) - Provide the filename or the location + filename to the SAST report. For example "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.
Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.
Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.
Repo Sub Folder Location (Optional) - By default this is set to the current working directory "./". Mobb will use this directory location to access the source code files to generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.
Click on "Add" when done.
To use the Mobb Autofixer plugin in the Azure DevOps Classic Pipeline Editor, first go to Pipelines -> New Pipeline.
Since we are configuring this using the classic editor, select "Use the Classic Editor". For YAML based configuration, you may skip to the section below.
Next, select the repository where this pipeline will run.
Next, you will need to select a template. In this example, we will start with an empty one.
Next, click on the "+" sign next to the Agent to configure what tasks run.
Let's first bring Node.js in, search fro "Node.js" and click on "Node.js tool installer".
Next, put "18.x" in the "Version Spec" field. You can actually use any Node.js instances as long as they are version 18 or above.
Next, we will bring in Mobb Autofixer, to do so, search for "Mobb" and click on "Mobb Autofixer".
Next, let's configure the Mobb Autofixer task:
Credential (Required) - Select the Credential you created earlier on the Project Service Connection page.
SAST Report File Location (Required) - Provide the filename or the location + filename to the SAST report. For example "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.
Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.
Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.
Repo Sub Folder Location (Optional) - By default, this is set to the current working directory "./". Mobb will use this directory location to access the source code files and generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.
Commit Directly (Optional) - This checkbox tells Mobb to commit the fix directly to the target branch. If the branch belongs to a PR, Mobb will also publish a comment in the PR to explain what was committed.
Click on "Save and Queue" when done.
After the fix analysis is submitted to Mobb, a button to access the Mobb report will be available as a tab at the Pipeline Summary page:
The extension will automatically publish the Mobb link in the PR comment section if the pipeline job is triggered by a pull request. However, you must set "Contribute to pull request" permission to "Allow" under the project setting.
Here are the steps:
First, navigate to Project Settings -> Repositories -> Click on your repository -> Security Tab
Here, select the Build Service User (Normally named as your project name followed by "Build Service")
Once the Build Service user is selected, toggle "Contribute to Pull Request" to "Allow.
You should now start to see Mobb's fix report URL published in the PR comments section as shown:
Additionally, if you have Commit Directly enabled, Mobb will also automatically publish the fixes that were committed in the PR comments as well:
You will also need a Mobb API Token. To generate one, follow the steps outlined in the page.
Go to the Visual Studio Marketplace and search for the Mobb Autofixer plugin. The direct link is also available .
Automatic PR (Optional) - This checkbox will enable Automatic PR according to your fix policy settings. To learn more about this feature, .
Automatic PR (Optional) - This checkbox will enable Automatic PR according to your fix policy settings. To learn more about this feature, .
