AZ-400: Designing and Implementing Microsoft DevOps Solutions
Implement Security and Validate Code Bases for Compliance
Evaluating Tools for Package Security and License Compliance
Ensuring that every software package in your CI/CD pipeline is free from vulnerabilities and compliant with licensing terms is a cornerstone of a robust DevOps security strategy. In this guide, we’ll cover two complementary approaches and highlight leading tools to help you secure your software supply chain.
Two Complementary Strategies
- Centralized Artifact Repository Scanning
  All build artifacts are published to a single repository (e.g., Artifactory or Nexus), where they automatically undergo security and license compliance checks before release.
- Build-Phase Tooling Integration
  Security and license scans are embedded into each build job, enforcing compliance gates at build time and preventing non-compliant artifacts from ever reaching the repository.
Note
Combining both repository-based scans and build-phase tooling ensures maximum coverage and early detection of issues.
Strategy | Description | Benefits |
---|---|---|
Centralized Artifact Repository Scan | Artifacts are scanned post-build in a central registry. | Consistent policy enforcement, audit trails |
Build-Phase Tooling Integration | Scans occur during the build process (CI job). | Immediate feedback, prevents bad artifacts |
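As an added illustration of the build-phase compliance gate described above (example code written for this page, not course material and not the implementation of any of the tools named below), the following script evaluates a constructed dependency inventory against a license allow-list and a vulnerability severity threshold and exits non-zero so the CI job fails. All package names, advisory identifiers and policy values are placeholders.

```python
"""Build-phase compliance gate: fail the CI job when a dependency carries a
disallowed license or a vulnerability at or above the policy's severity threshold."""
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Package:
    name: str
    version: str
    license: str
    vulns: list = field(default_factory=list)  # (advisory_id, severity) tuples


@dataclass
class Policy:
    allowed_licenses: frozenset
    block_at: str = "high"  # lowest severity that fails the build


def evaluate_gate(packages, policy):
    """Return a list of violation messages; an empty list means the gate passes."""
    violations = []
    threshold = SEVERITY_RANK[policy.block_at]
    for pkg in packages:
        if pkg.license not in policy.allowed_licenses:
            violations.append(f"{pkg.name}@{pkg.version}: license '{pkg.license}' not in allow-list")
        for vuln_id, severity in pkg.vulns:
            rank = SEVERITY_RANK.get(severity.lower())
            # Fail closed: an unrecognised severity is treated as blocking.
            if rank is None or rank >= threshold:
                violations.append(f"{pkg.name}@{pkg.version}: {vuln_id} ({severity}) at or above '{policy.block_at}'")
    return violations


# Constructed sample inventory; advisory ids are placeholders, not real advisories.
SAMPLE_PACKAGES = [
    Package("libfoo", "1.2.0", "MIT"),
    Package("libbar", "0.9.1", "GPL-3.0-only"),
    Package("libbaz", "4.0.2", "Apache-2.0", [("ADVISORY-PLACEHOLDER-1", "critical")]),
    Package("libqux", "2.1.0", "MIT", [("ADVISORY-PLACEHOLDER-2", "low")]),
]
SAMPLE_POLICY = Policy(frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}), block_at="high")

if __name__ == "__main__":
    problems = evaluate_gate(SAMPLE_PACKAGES, SAMPLE_POLICY)
    for problem in problems:
        print("GATE FAIL:", problem)
    sys.exit(1 if problems else 0)  # non-zero exit stops the pipeline stage
```

In a real pipeline the inventory would come from the scanner's report rather than an inline list, and the policy from version-controlled configuration.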
Key Tooling Solutions
Below is an overview of popular tools aligned to these strategies, each playing a distinct role in a comprehensive DevOps security workflow:
Tool | Category | Primary Function |
---|---|---|
Artifactory | Artifact Repository | Stores binaries and dependencies; integrates with scanners |
SonarQube | Static Code Analysis | Detects code smells, security vulnerabilities, and standards |
Mend Bolt | Build Process Scanning | Enforces open-source vulnerability and license policies |
Artifactory
A universal repository manager that securely stores build artifacts, metadata, and container images. Integrates with security and license scanners to validate every component before release.
SonarQube
Performs deep static analysis on your source code to catch security issues, code smells, and maintain code quality standards ahead of the packaging stage.
Mend Bolt
Mend Bolt (formerly WhiteSource Bolt) is a lightweight scanner that plugs into CI pipelines such as GitHub Actions, Azure DevOps, and Jenkins to automatically detect open-source vulnerabilities and licensing risks with each build.
Each of these solutions helps enforce security and compliance controls as close to the source as possible, reducing risk and accelerating release velocity.