Azure DevOps (beta)

Beta Feature

This topic describes functionality that is currently in beta.

To integrate the Lacework IaC scanner with an Azure DevOps repository, you need to edit the azure-pipelines.yml file that is located in the root of your repository.

Obtain Secret Values

To integrate with Azure DevOps, you must first collect the values for LW_ACCOUNT, LW_API_KEY and LW_API_SECRET. To view this information:

  1. Log in to the Lacework Console.
  2. Click Settings > API keys.
  3. Select or create an API key.
  4. Click the download icon.
  5. Open the downloaded .json file to view your API Key and Secret.

Add Variables to Azure DevOps

Once you have obtained the values for LW_ACCOUNT, LW_API_KEY and LW_API_SECRET, add them as pipeline variables so that the scanning step can access them. Use the following steps to add the variables in Azure DevOps:

For each secret (LW_ACCOUNT, LW_API_KEY and LW_API_SECRET):

  1. Log in to Azure DevOps.
  2. Click Pipelines > Pipelines.
  3. On your pipeline, click the three-dot More actions menu.
  4. Click Edit.
  5. Click Variables.
  6. Click New variable.
  7. Enter the name for the variable and the value.
  8. Click OK.
  9. Repeat for each variable and then click Save.

Example Azure DevOps Pipeline

The following example pipeline includes a single IaC scanning step.

trigger:
- main

pool:
  vmImage: ubuntu-20.04

steps:
- script: |
    echo "Running Lacework IaC checks."
    docker run \
      -e SCAN_COMMAND=tf-scan \
      -e LW_ACCOUNT=$(LW_ACCOUNT) \
      -e LW_API_KEY=$(LW_API_KEY) \
      -e LW_API_SECRET=$(LW_API_SECRET) \
      -v $(Build.SourcesDirectory):/app/src \
      -e WORKSPACE=src \
      -e EXIT_FLAG='high' \
      docker.io/lacework/codesec-iac:latest

note

The Lacework IaC scanner comes pre-packaged as a Docker container.

Usage Variables

The previous example uses SCAN_COMMAND, WORKSPACE and EXIT_FLAG. You can use these variables to configure the behavior of the scanner for your scenario. Visit CI/CD Usage for more information.

Results

To view the results of this CI/CD integration in the Lacework Console, you must follow the assessment URL that the scanner prints in its output.

note

The assessment is not displayed in the Assessments > Pipelines tab.
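Because the assessment is only reachable through the URL in the scanner output, a wrapper for the scanning step that captures that URL and publishes it as a pipeline variable for later steps is useful. The following is an added example, not code from the Lacework documentation; it assumes the URL appears in the output as an https:// link, that the pipeline maps LW_ACCOUNT, LW_API_KEY and LW_API_SECRET into the step's env: block (Azure DevOps does not expose secret variables to scripts as environment variables unless they are mapped), and the sample output at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the Lacework docs). Assumption: the scanner prints
# the assessment URL on stdout as an https:// link.

# Print the first https:// URL found in the scanner output read from stdin.
# Prints nothing and returns 1 when no URL is present.
assessment_url_from_output() {
  url=$(grep -o 'https://[^[:space:]]*' | head -n 1)
  [ -n "$url" ] || return 1
  printf '%s\n' "$url"
}

# Run the scanner as in the pipeline example, keep its output in a log, then
# publish the URL as the pipeline variable IAC_ASSESSMENT_URL using the
# ##vso[task.setvariable] logging command that Azure DevOps steps use to set
# variables for later steps. The secrets are expected as environment variables
# mapped through the step's env: block; BUILD_SOURCESDIRECTORY is the
# environment form of $(Build.SourcesDirectory).
run_iac_scan() {
  scan_status=0
  docker run \
    -e SCAN_COMMAND=tf-scan \
    -e LW_ACCOUNT="$LW_ACCOUNT" \
    -e LW_API_KEY="$LW_API_KEY" \
    -e LW_API_SECRET="$LW_API_SECRET" \
    -v "$BUILD_SOURCESDIRECTORY":/app/src \
    -e WORKSPACE=src \
    -e EXIT_FLAG='high' \
    docker.io/lacework/codesec-iac:latest > iac-scan.log 2>&1 || scan_status=$?
  cat iac-scan.log
  if ! url=$(assessment_url_from_output < iac-scan.log); then
    echo "##vso[task.logissue type=error]No assessment URL found in scanner output"
    return 1
  fi
  echo "##vso[task.setvariable variable=IAC_ASSESSMENT_URL]$url"
  # Preserve the scanner's own exit code so EXIT_FLAG still fails the step.
  return "$scan_status"
}

# Constructed sample of what the scanner might print, for a local check only.
SAMPLE_OUTPUT='Running tf-scan...
3 findings (1 high, 2 medium)
Assessment: https://example.lacework.net/assessments/constructed-id-123
Done.'

printf '%s\n' "$SAMPLE_OUTPUT" | assessment_url_from_output
```

In the pipeline, replace the docker run line of the script step with a call to run_iac_scan and read $(IAC_ASSESSMENT_URL) in a following step.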