Azure DevOps
Last updated
Mobb can be integrated into Azure DevOps via the official Mobb Autofixer plugin. This article will walk through the process of installing the plugin.
The Mobb Azure DevOps Pipeline task is supported on the following ADO platforms:
Azure DevOps Service (Cloud)
Azure DevOps Server 2022.2
You will also need a Mobb API Token. To generate one, follow the steps outlined in the Access Token page.
Go to the Visual Studio Marketplace and search for the Mobb Autofixer plugin. The direct link is also available here.
Click on "Get it free"
Follow the instructions to install it in your Azure DevOps Service or Azure DevOps Server environment.
To set up the service connection, first go to your Azure DevOps organization. Click on Project Settings -> Service Connections -> New Service Connection.
Search for "Mobb" to locate "Mobb Autofixer Endpoint". Then click "Next" to open the Endpoint service connection configurator.
Next, verify your Server URL. By default it is set to https://app.mobb.ai, which is Mobb's public tenant URL. If you are using a single-tenant deployment, enter your single-tenant URL here instead. Click "Save" when you're done.
Begin by creating a pipeline. You can use an existing pipeline where SAST scans are already being conducted, or you can also use a starter YAML pipeline template.
The plugin requires Node.js version 18 or above on the build agent. To install it, search for "Node.js tool" in the Task Assistant located on the top right.
In the Node.js configuration page, enter 18.x (or any later version).
Next, we will add the "Mobb Autofixer" step. Search for "Mobb".
In the Mobb Autofixer configuration screen, provide the following info:
Credential (Required) - Select the Credential you created earlier in the Project Service Connection page.
SAST Report File Location (Required) - Provide the filename, or the path and filename, of the SAST report. For example "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.
Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.
Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.
Repo Sub Folder Location (Optional) - By default this is set to the current working directory "./". Mobb will use this directory location to access the source code files to generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.
Automatic PR (Optional) - This checkbox will enable Automatic PR according to your fix policy settings. To learn more about this feature, click here.
Click on "Add" when done.
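The same configuration expressed as a YAML pipeline, as an added illustration that is not a snippet from Mobb's documentation or from the plugin itself. The Node.js task (NodeTool@0 with versionSpec) and the predefined variables Build.Repository.Uri and Build.SourceBranchName are standard Azure DevOps; the Mobb task identifier, its input keys and the service connection name are placeholders, because the exact names come from the snippet the Task Assistant generates when you add the "Mobb Autofixer" step. Replace those placeholders with the generated ones and keep the value mapping shown here.

```yaml
# Added example pipeline, not Mobb's own documentation snippet.
# PLACEHOLDERS (assumed, take the real names from the Task Assistant's generated snippet):
#   - the task identifier "MobbAutofixer@1" and its input keys
#   - the service connection name "mobb-autofixer"
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # The plugin needs Node.js 18 or above; NodeTool@0 is the standard ADO installer task.
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'
    displayName: 'Install Node.js 18'

  # Your existing SAST scanner runs here and writes its report into the working directory.
  # Placeholder step: replace the echo with the real scanner invocation.
  - script: echo "run the SAST scanner here so that it writes report.json"
    displayName: 'Run SAST scan (placeholder)'

  # Mobb Autofixer step. Task id and input keys are PLACEHOLDERS; the values mirror the
  # fields described in the Task Assistant configuration screen.
  - task: MobbAutofixer@1                   # placeholder task identifier
    inputs:
      credential: 'mobb-autofixer'          # placeholder key; service connection from Project Settings
      sastReportFile: 'report.json'         # placeholder key; report at the root of the working directory
      repoSubFolder: './'                   # placeholder key; repo checked out at the working directory root
      autoPr: false                         # placeholder key; enable to open automatic PRs per fix policy
      # Repository URL and branch name are omitted on purpose: the task falls back to
      # $(Build.Repository.Uri) and $(Build.SourceBranchName), i.e. BUILD_REPOSITORY_URI
      # and BUILD_SOURCEBRANCHNAME, which is the default behaviour described above.
    displayName: 'Submit SAST report to Mobb Autofixer'
```

Keep the service connection (and thus the Mobb API token) referenced by name only; the token never appears in the YAML, so it is not exposed in the repository history or pipeline logs.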
To use the Mobb Autofixer plugin in the Azure DevOps Classic Pipeline Editor, first go to Pipelines -> New Pipeline.
Since we are configuring this using the classic editor, select "Use the Classic Editor". For YAML based configuration, you may skip to the section below.
Next, select the repository where this pipeline will run.
Next, you will need to select a template. In this example, we will start with an empty one.
Next, click on the "+" sign next to the Agent to configure what tasks run.
Let's first bring Node.js in: search for "Node.js" and click on "Node.js tool installer".
Next, put "18.x" in the "Version Spec" field. Any Node.js version 18 or above will work.
Next, we will bring in Mobb Autofixer. To do so, search for "Mobb" and click on "Mobb Autofixer".
Next, let's configure the Mobb Autofixer task:
Credential (Required) - Select the Credential you created earlier in the Project Service Connection page.
SAST Report File Location (Required) - Provide the filename, or the path and filename, of the SAST report. For example "report.json" if it's located at the root of the working directory, or "subfolder/report.json" if it's nested in a subfolder.
Repository URL (Optional) - Provide the URL to your git repository. If this is not provided, then the value from BUILD_REPOSITORY_URI will be used.
Branch Name (Optional) - Provide the branch name where the SAST scan was conducted. If this is not provided, then the value from BUILD_SOURCEBRANCHNAME will be used.
Repo Sub Folder Location (Optional) - By default this is set to the current working directory "./". Mobb will use this directory location to access the source code files to generate a fix report. If the repository is not checked out to the root working directory, then you can specify another directory here.
Automatic PR (Optional) - This checkbox will enable Automatic PR according to your fix policy settings. To learn more about this feature, click here.
Click on "Save and Queue" when done.
After the fix analysis is submitted to Mobb, a button to access the Mobb report will be available as a tab at the Pipeline Summary page: