Azure DevOps


Last updated 1 month ago


Mobb can be integrated into Azure DevOps via the official Mobb Autofixer plugin. This article will walk through the process of installing the plugin.

Pre-Requisites

The Mobb Azure DevOps Pipeline task is supported on the following ADO platforms:

  • Azure DevOps Service (Cloud)

  • Azure DevOps Server 2022.2

Installing the plugin

  1. Click on "Get it free"

  2. Follow the instructions to install it in your Azure DevOps Service or Azure DevOps Server environment.

Setting up the Service Connection

To set up the service connection, first go to your Azure DevOps organization. Click on Project Settings -> Service Connections -> New Service Connection.

Search for "Mobb" to locate "Mobb Autofixer Endpoint". Afterwards, click "Next" to open the Endpoint service connection configurator.

Next, verify your Server URL. By default, it is set to https://app.mobb.ai, which is Mobb's public tenant URL. If you are using a single-tenant deployment, enter your single-tenant URL here instead. Click "Save" when you're done.

Creating a Mobb Autofixer Pipeline Using a Pre-configured Task

Creating a pipeline using a YAML

Begin by creating a pipeline. You can use an existing pipeline where SAST scans are already being conducted, or you can also use a starter YAML pipeline template.

To use the plugin, you will need to have Node.js version 18 or above installed on the agent. To add it, search for "Node.js tool" in the Task Assistant located on the top right.

In the Node.js configuration page, put 18.x (or anything above).

Next, we will add the "Mobb Autofixer" step. Search for "Mobb"

In the Mobb Autofixer configuration screen, provide the following info:

  • Credential (Required) - Select the Credential you created earlier in the Project Service Connection page.

  • SAST Report File Location (Required) - Provide the filename, or the path and filename, of the SAST report. For example, "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.

  • Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.

  • Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.

  • Repo Sub Folder Location (Optional) - By default this is set to the current working directory "./". Mobb will use this directory location to access the source code files to generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.

Click on "Add" when done.
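The steps above, assembled into one pipeline definition as an added example (not a snippet from Mobb's documentation or the plugin itself). `NodeTool@0` is the real Node.js tool installer task; the Mobb task identifier and its input keys are placeholders, because the page only gives their display names, so copy the exact snippet the Task Assistant generates for "Mobb Autofixer" in your project:

```yaml
# Constructed example: a minimal Azure Pipelines definition that runs a SAST scan
# and hands the report to the Mobb Autofixer task.
trigger:
  branches:
    include: [main]

# Run on pull requests too, so the extension can post the Mobb link as a PR comment
# (requires "Contribute to pull request" = Allow for the Build Service user).
pr:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  # Placeholder for your existing SAST scanner; it must write the report that the
  # Mobb task reads. Here the report lands at the root of the working directory.
  - script: |
      echo "run your SAST scanner here and write its output to report.json"
    displayName: Run SAST scan

  # Mobb Autofixer needs Node.js 18 or above on the agent.
  - task: NodeTool@0
    displayName: Install Node.js 18.x
    inputs:
      versionSpec: '18.x'

  # ASSUMED task id and input keys: replace with the snippet the Task Assistant
  # emits. Credentials come from the Service Connection, so no Mobb API token is
  # stored in this YAML.
  - task: <MOBB_AUTOFIXER_TASK_ID_FROM_TASK_ASSISTANT>
    displayName: Mobb Autofixer
    inputs:
      <CREDENTIAL_INPUT_KEY>: 'Mobb Autofixer Endpoint'   # name of your Service Connection
      <SAST_REPORT_FILE_LOCATION_KEY>: 'report.json'      # path relative to the working directory
      <REPO_SUB_FOLDER_LOCATION_KEY>: './'                # where the repository is checked out
      # Repository URL and Branch Name are omitted, so the task falls back to
      # BUILD_REPOSITORY_URI and BUILD_SOURCEBRANCHNAME.
```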

Creating a pipeline using the Classic Pipeline Editor

To use the Mobb Autofixer plugin in the Azure DevOps Classic Pipeline Editor, first go to Pipelines -> New Pipeline.

Since we are configuring this using the classic editor, select "Use the Classic Editor". For YAML-based configuration, refer to the section above.

Next, select the repository where this pipeline will run.

Next, you will need to select a template. In this example, we will start with an empty one.

Next, click on the "+" sign next to the Agent to configure what tasks run.

Let's first bring Node.js in: search for "Node.js" and click on "Node.js tool installer".

Next, put "18.x" in the "Version Spec" field. You can use any Node.js version as long as it is 18 or above.

Next, we will bring in Mobb Autofixer. To do so, search for "Mobb" and click on "Mobb Autofixer".

Next, let's configure the Mobb Autofixer task:

  • Credential (Required) - Select the Credential you created earlier on the Project Service Connection page.

  • SAST Report File Location (Required) - Provide the filename, or the path and filename, of the SAST report. For example, "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.

  • Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.

  • Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.

  • Repo Sub Folder Location (Optional) - By default, this is set to the current working directory "./". Mobb will use this directory location to access the source code files and generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.

  • Commit Directly (Optional) - This checkbox tells Mobb to commit the fix directly to the target branch. If the branch belongs to a PR, Mobb will also publish a comment in the PR to explain what was committed.

Click on "Save and Queue" when done.

Accessing the Mobb link

After the fix analysis is submitted to Mobb, a button to access the Mobb report will be available as a tab at the Pipeline Summary page:

Publishing of Mobb Link in the PR comment section

The extension will automatically publish the Mobb link in the PR comment section if the pipeline job is triggered by a pull request. However, you must set "Contribute to pull request" permission to "Allow" under the project setting.

Here are the steps:

  • First, navigate to Project Settings -> Repositories -> Click on your repository -> Security Tab

  • Here, select the Build Service user (normally named after your project, followed by "Build Service")

  • Once the Build Service user is selected, toggle "Contribute to Pull Request" to "Allow".

You should now start to see Mobb's fix report URL published in the PR comments section as shown:

Additionally, if you have Commit Directly enabled, Mobb will also automatically publish the fixes that were committed in the PR comments as well:

Figure: Example of a PR comment showing the committed fix

Additional notes

You will also need a Mobb API Token. To generate one, follow the steps outlined in the Access Token page.

To install the plugin, go to the Visual Studio Marketplace and search for the Mobb Autofixer plugin. The direct link is also available here.

The Mobb Autofixer task also offers the following option in both the YAML and Classic Editor configurations:

  • Automatic PR (Optional) - This checkbox will enable Automatic PR according to your fix policy settings. To learn more about this feature, click here.