Integrating the CLI with Azure DevOps

Manifest CLI is a tool that generates SBOMs and publishes them to the Manifest Platform. Here's how to integrate it with Azure DevOps.

Prerequisites

  1. An Azure DevOps account with permissions to create and manage pipelines
  2. A Manifest account with the necessary permissions to publish SBOMs
  3. A Manifest API key

Adding a Variable as Secret

Before using Manifest CLI in the pipeline, add your Manifest API key as a secret pipeline variable in Azure DevOps, so that it is masked in build logs and never committed to the pipeline YAML. Here's how:

  1. Go to your Azure DevOps project and navigate to Pipelines > Pipelines.
  2. Select the pipeline and click Edit.
  3. Click Variables, then + to create a new variable.
  4. Set the variable's name to MANIFEST_API_KEY and paste your Manifest API key as the value.
  5. Check the Keep this value secret checkbox, then click Save to save your changes.

Adding Manifest CLI to Your Pipeline

Now that we've added our Manifest API key as a secret variable, we can use Manifest CLI in our pipeline. Here's an example of how to use it in an Azure DevOps YAML pipeline:

trigger:
- main

pool: 
  name: Local

steps:
- script: |
    # Install Manifest CLI using the provided install script
    curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sudo sh -s -- -b /usr/local/bin
  displayName: 'Install Manifest CLI'

- script: |
    # Install Syft, the generator used by Manifest CLI below
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
  displayName: 'Install Syft'

- script: |
    # Generate an SPDX JSON SBOM of the checked-out source and publish it to the Manifest Platform
    manifest-cli sbom . --generator=syft --output=spdx-json --name=azure-test --file=bom.json --publish
  displayName: 'Generate SBOM'
  env:
    # Secret variables are only visible to the script when mapped explicitly here
    MANIFEST_API_KEY: $(MANIFEST_API_KEY)
  
- task: PublishBuildArtifacts@1
  inputs:
    pathtoPublish: 'bom.json'
    artifactName: 'SBOM'
  displayName: 'Publish SBOM Artifact'

In this example, we install the manifest-cli and syft executables, then run manifest-cli against the checked-out source. The env mapping on the Generate SBOM step is required: Azure DevOps does not expose secret variables to scripts as environment variables automatically, so without it MANIFEST_API_KEY would be empty inside the step. The CLI generates an SBOM in SPDX JSON format, writes it to bom.json, and publishes it to the Manifest Platform; the final task additionally keeps bom.json as a build artifact. Note that both install steps pipe an unpinned script fetched from a main branch into sudo sh, so the build trusts whatever that URL serves at run time. For production pipelines, pin a release version and verify the download's checksum where the installer supports it, or install the binaries from an artifact store you control.
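As an added example (not part of the original page and not Manifest's own tooling), the following shell functions can be run inside the Generate SBOM script step: require_secret fails fast, without printing the value, when the secret was not mapped into the environment, and check_sbom rejects a missing, empty or package-less SBOM before it is published or archived. The SBOM checks are grep-based heuristics on the raw SPDX JSON text, not a schema validation, and the sample document at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example guards for the "Generate SBOM" step (not Manifest's own code).

# require_secret NAME: fail if the variable NAME is unset or empty.
# Azure DevOps only hands a secret variable to a script when the step maps
# it under env:, so an empty value usually means that mapping is missing.
# Only the length is logged; the value itself must never reach the build log.
require_secret() {
  name=$1
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "error: $name is empty; map the secret under env: in the pipeline step" >&2
    return 1
  fi
  echo "$name is set (${#value} characters)"
}

# check_sbom FILE: reject a missing, empty or package-less SPDX JSON SBOM.
# These are heuristic text checks, not a full SPDX validation.
check_sbom() {
  file=$1
  if [ ! -s "$file" ]; then
    echo "error: SBOM $file is missing or empty" >&2
    return 1
  fi
  if ! grep -q '"spdxVersion"' "$file"; then
    echo "error: $file does not look like an SPDX JSON document" >&2
    return 1
  fi
  # Package entries in SPDX JSON carry a versionInfo field; zero of them means
  # the generator found nothing, which is rarely something you want to publish.
  count=$(grep -c '"versionInfo"' "$file") || true
  if [ "$count" -eq 0 ]; then
    echo "error: $file lists no packages" >&2
    return 1
  fi
  echo "$file: SPDX JSON with $count package entries"
}

# Demo on a constructed SBOM (not real generator output) and a placeholder key.
DEMO_KEY=placeholder-not-a-real-key
require_secret DEMO_KEY
demo_sbom=$(mktemp)
cat > "$demo_sbom" <<'EOF'
{
  "spdxVersion": "SPDX-2.3",
  "name": "azure-test",
  "packages": [
    { "name": "requests", "versionInfo": "2.31.0", "SPDXID": "SPDXRef-Package-1" },
    { "name": "urllib3", "versionInfo": "2.0.7", "SPDXID": "SPDXRef-Package-2" }
  ]
}
EOF
check_sbom "$demo_sbom"
rm -f "$demo_sbom"
```

In the pipeline, call require_secret MANIFEST_API_KEY before the manifest-cli command and check_sbom bom.json right after it, so that a missing secret or a hollow SBOM fails the build instead of quietly producing an empty artifact.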

❗️

The example above targets a self-hosted agent pool named Local. Before attempting to use this, ensure that your agents and pools are properly configured: the agent needs curl, sudo and network access to GitHub for the install steps. To run on a Microsoft-hosted agent instead, replace the named pool with a hosted image.

Important Information

Keep your Manifest API key secret and secure: store it only as a secret variable, never echo it from a script, and rotate it if it ever appears in a build log. The example pipeline above is just one way to use Manifest CLI in Azure DevOps; customize it to fit your specific needs.

Syft is not the only option: Manifest CLI supports several generators, including Trivy, Syft, cdxgen and spdx-sbom-generator, selected with the --generator flag.