AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement Pipeline Automation

Dependency and security scanning

In modern DevOps, continuously checking for outdated or vulnerable components is essential. Dependency scanning inspects your code’s libraries, frameworks, and packages against live vulnerability databases. Security scanning extends this coverage to source code flaws and infrastructure misconfigurations. Together, they form a critical part of any secure CI/CD workflow—and feature prominently on the AZ-400 exam.


By integrating specialized tools into Azure Pipelines, you automate these checks during build and release stages. This “shift-left” approach catches issues early, reduces manual effort, and delivers rapid feedback to developers.



Dependency Scanning Tools

Azure Pipelines offers a range of extensions and tasks for open-source and commercial scanners. Below is a quick comparison:

Tool                    Database Type           Integration           Key Output
WhiteSource Bolt        Proprietary OSS DB      Extension / Task      Severity reports & remediation
Snyk                    Community & Commercial  Task + Policy Check   Fix suggestions & policy alerts
OWASP Dependency Check  NVD & Community         CLI task              CVE-based findings & CSV/HTML

WhiteSource Bolt

Automated open-source vulnerability analysis with continuous database updates. Generates severity-ranked reports, displays affected components, and recommends fixes. Integrates as a build or release task in Azure Pipelines.


Snyk

Real-time monitoring of dependencies for known vulnerabilities. Provides actionable remediation advice—package updates, code patches, or workarounds. Embeds into your pipeline to enforce policy-based blocking of risky dependencies.


OWASP Dependency Check

Open-source scanner that compares project libraries against the National Vulnerability Database (NVD) and community feeds. Integrates via CLI or pipeline task to automate periodic scans and produce standardized reports.



Setting Up Dependency Scanning in Azure Pipelines

  1. Select the scanner that best fits your tech stack and reporting needs.
  2. Install or add the extension/task to your pipeline YAML or Classic editor.
  3. Configure authentication and project settings (API tokens, project keys).
  4. Schedule scans on every build, nightly run, or on-demand.
  5. Review findings and automate work items for high-severity issues.

Note

Automate recurring scans—even if dependencies haven’t changed—to catch newly disclosed vulnerabilities.

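The five steps and the note above, put together as one pipeline. This is an added example, not code from the course page: it runs the OWASP Dependency-Check CLI on every push to main and on a nightly schedule (so newly disclosed CVEs are caught even when no dependency changed), fails the build when a finding reaches the CVSS threshold, and publishes the report. It assumes an Ubuntu-hosted agent with Java, curl and unzip available, a secret pipeline variable named NVD_API_KEY (hypothetical name) holding an NVD API key, and the placeholder project key 'my-project'.

```yaml
# Added example (not from the course page): OWASP Dependency-Check in Azure Pipelines.
# Assumptions: ubuntu-latest agent, secret variable NVD_API_KEY (hypothetical name),
# Dependency-Check release version pinned in dcVersion (placeholder value).

trigger:
  branches:
    include:
      - main

# Recurring scan that runs even when nothing was committed, so vulnerabilities
# disclosed after the last build are still caught.
schedules:
  - cron: "0 2 * * *"
    displayName: Nightly dependency scan
    branches:
      include:
        - main
    always: true

pool:
  vmImage: ubuntu-latest

variables:
  dcVersion: '9.0.9'        # placeholder; pin to the Dependency-Check release you validate
  failOnCvss: '7'           # CVSS v3 7.0 and above (High/Critical) fails the build
  projectKey: 'my-project'  # placeholder project key

steps:
  - script: |
      set -euo pipefail
      curl -sSL -o dc.zip \
        "https://github.com/jeremylong/DependencyCheck/releases/download/v$(dcVersion)/dependency-check-$(dcVersion)-release.zip"
      unzip -q dc.zip -d "$(Agent.TempDirectory)"
    displayName: Install OWASP Dependency-Check CLI

  - script: |
      set -euo pipefail
      mkdir -p "$(Build.ArtifactStagingDirectory)/dependency-check"
      "$(Agent.TempDirectory)/dependency-check/bin/dependency-check.sh" \
        --project "$(projectKey)" \
        --scan "$(Build.SourcesDirectory)" \
        --format HTML --format JSON \
        --out "$(Build.ArtifactStagingDirectory)/dependency-check" \
        --nvdApiKey "$NVD_API_KEY" \
        --failOnCVSS "$(failOnCvss)"
    displayName: Scan dependencies against the NVD
    env:
      # Secret variables are not exposed to scripts automatically; map them explicitly.
      NVD_API_KEY: $(NVD_API_KEY)

  - task: PublishBuildArtifacts@1
    displayName: Publish scan report
    condition: always()   # keep the report even when the scan step failed the build
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)/dependency-check'
      ArtifactName: 'dependency-check-report'
```

The `--failOnCVSS` flag is what turns the scan into a policy gate: the step exits non-zero, the build fails, and the JSON report is still published for triage because the publish step runs with `condition: always()`. The `always: true` key on the schedule is the part that implements the note about rescanning unchanged dependencies.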


Security Scanning

Security scanning targets code and infrastructure weaknesses—identifying injection flaws, insecure configurations, and runtime threats before deployment.

  • Code analysis for SQL injection, cross-site scripting (XSS), insecure patterns
  • Infrastructure audits of cloud resources, container images, IaC templates


Embedding security scans in your CI/CD pipeline delivers continuous feedback. Pipelines can block a release on critical findings or generate alerts for remediation.



Security Scanning Tools

Tool           Focus                Scan Types             Integration
SonarQube      Code Quality & SAST  Vulnerabilities, Debt  Marketplace Task
Aqua Security  Container & Runtime  Image & Config scans   CLI / Task
Fortify        SAST & DAST          Static & Dynamic       REST API / Task


SonarQube

Analyzes code for security vulnerabilities (e.g., XSS, SQL injection), code smells, duplication, and complexity. Quality gates can block builds until the flagged issues are resolved.


Aqua Security

Specializes in container image security—scanning during build, pre-push, and at runtime for vulnerabilities, malware, and misconfigurations. Ideal for AKS and Kubernetes pipelines.


Fortify

Combines static application security testing (SAST) with dynamic analysis (DAST). Static scanning finds code-level flaws; dynamic scanning probes a running application for runtime issues.



Implementing a Security Scanner in Azure Pipelines

  1. Choose a scanner based on supported languages and vulnerability focus.
  2. Add the respective task or script to your YAML pipeline.
  3. Configure credentials, endpoints, and thresholds.
  4. Run the pipeline, analyze scan output, and triage issues.
  5. Automate periodic scans and keep scanner definitions up to date.



Example: SonarQube Integration

  1. Select your SonarQube edition (Community or Developer).

  2. Provision and configure the SonarQube server.

  3. In Azure DevOps, install the SonarQube extension.

  4. In your pipeline YAML:

    # Prepare: points the scanner at your SonarQube server and project.
    - task: SonarQubePrepare@5
      inputs:
        SonarQube: 'YourServiceConnection'   # name of the SonarQube service connection
        scannerMode: 'CLI'                   # standalone scanner (no MSBuild/Maven/Gradle wrapper)
        configMode: 'manual'                 # project settings supplied here, not via sonar-project.properties
        cliProjectKey: 'my-project'
        cliSources: '.'
    # Analyze: runs the scanner and uploads results to the server.
    - task: SonarQubeAnalyze@5
    # Publish: waits for the server-side analysis and adds the quality gate result to the build summary.
    - task: SonarQubePublish@5

  5. Define quality gates in the SonarQube dashboard to fail on critical issues.
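An added example, not code from the course page or from SonarSource or Aqua, that carries the SonarQube integration above through to an actual gate and also covers the Aqua Security container-scanning section: the first stage runs the three SonarQube tasks and then asks the server's Web API whether the project's quality gate passed, failing the stage if it did not; the second stage builds the container image and scans it with Aqua Security's open-source Trivy CLI before pushing it. It assumes a SonarQube service connection named 'YourServiceConnection', secret variables SONAR_TOKEN and SONAR_HOST_URL (hypothetical names), the placeholder project key 'my-project', a Dockerfile at the repository root, a registry hostname and Docker registry service connection ('myregistry.azurecr.io' and 'MyRegistry', both placeholders), and jq, curl and docker on an Ubuntu-hosted agent.

```yaml
# Added example (not from the course page): SonarQube quality gate enforcement
# followed by a Trivy image scan. Assumptions: service connection
# 'YourServiceConnection', secret variables SONAR_TOKEN / SONAR_HOST_URL
# (hypothetical names), placeholder project key, registry and image names.

trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  projectKey: 'my-project'            # placeholder
  registry: 'myregistry.azurecr.io'   # placeholder registry hostname
  imageName: 'my-app'                 # placeholder image repository

stages:
  - stage: CodeScan
    displayName: Static analysis and quality gate
    jobs:
      - job: SonarQube
        steps:
          - task: SonarQubePrepare@5
            inputs:
              SonarQube: 'YourServiceConnection'
              scannerMode: 'CLI'
              configMode: 'manual'
              cliProjectKey: '$(projectKey)'
              cliSources: '.'

          - task: SonarQubeAnalyze@5

          # Waits for the server-side analysis to finish and publishes the
          # result to the build summary.
          - task: SonarQubePublish@5
            inputs:
              pollingTimeoutSec: '300'

          # Explicit gate: query the quality gate status for the project and
          # fail the stage unless it is OK. This is the step that blocks the release.
          - script: |
              set -euo pipefail
              status=$(curl -sSf -u "$SONAR_TOKEN:" \
                "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$(projectKey)" \
                | jq -r '.projectStatus.status')
              echo "SonarQube quality gate status: $status"
              if [ "$status" != "OK" ]; then
                echo "##vso[task.logissue type=error]Quality gate failed with status $status"
                exit 1
              fi
            displayName: Enforce SonarQube quality gate
            env:
              SONAR_TOKEN: $(SONAR_TOKEN)
              SONAR_HOST_URL: $(SONAR_HOST_URL)

  - stage: ImageScan
    displayName: Build, scan and push container image
    dependsOn: CodeScan   # never reached if the quality gate failed
    jobs:
      - job: Trivy
        steps:
          - script: docker build -t $(registry)/$(imageName):$(Build.BuildId) .
            displayName: Build image

          - script: |
              set -euo pipefail
              curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
                | sh -s -- -b "$(Agent.TempDirectory)"
              # Exit code 1 on any HIGH or CRITICAL finding. Unfixed CVEs are still
              # listed in the output but do not block, since no upgrade exists yet.
              "$(Agent.TempDirectory)/trivy" image \
                --exit-code 1 \
                --severity HIGH,CRITICAL \
                --ignore-unfixed \
                $(registry)/$(imageName):$(Build.BuildId)
            displayName: Scan image with Trivy

          - task: Docker@2
            displayName: Log in to registry
            inputs:
              command: login
              containerRegistry: 'MyRegistry'

          # Runs only if the scan step succeeded, so a failing image is never pushed.
          - script: docker push $(registry)/$(imageName):$(Build.BuildId)
            displayName: Push scanned image
```

Two design points: the quality gate is checked only after `SonarQubePublish@5` has waited for the server to finish the analysis, otherwise the API could return the status of the previous run; and the image scan sits between build and push, so the "block a release on critical findings" behaviour described earlier is enforced by the pipeline rather than left to a dashboard review.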


Conclusion and Best Practices

Continuous dependency and security scanning is a DevSecOps imperative. Automate both open-source component checks and code/infrastructure vulnerability scans to:

  • Catch issues earlier and reduce remediation costs
  • Enforce policy gates to prevent insecure releases
  • Maintain an audit trail of findings and fixes

By mastering these tools and patterns, you’ll be well-equipped for the AZ-400 exam and for designing robust, secure CI/CD pipelines in Azure DevOps.

