Sonatype for Azure DevOps

The Sonatype for Azure DevOps extension integrates with the Azure DevOps pipeline to run policy evaluations in the build workspace. It adds a new step within the build, during which Sonatype IQ Server scans applications to identify any open-source security, license, or quality policy violations. It can be configured to fail the build or generate a warning. This allows the build maintainers to understand the reasons for build failures and plan a remediation strategy.

This extension wraps the Sonatype IQ CLI.

The Sonatype for Azure DevOps extension is available on the Visual Studio Marketplace.

Main Features

  • Perform a Sonatype IQ Server policy evaluation on files in the build workspace.

  • Display scan results within Azure DevOps pipeline report.

  • Provide a link to a comprehensive Sonatype Lifecycle policy evaluation report indicating violation details and remediation recommendations.

Installation and Configuration

Go to the Installation and Configuration page for steps to install and set up Sonatype IQ in your Azure DevOps pipelines.

Evaluating Policies

You can now start running policy evaluations as a part of your build.

Note that "NexusIqPipelineTask" appears as one of the tasks in the list while running a build.

Accessing/Viewing Results

Open NexusIqPipelineTask to view the console output with the results of the evaluation.

The console output contains a summary of the policy evaluation and a link to the detailed report.

Click the link on the console output to view the detailed report in IQ Server.

Select the Sonatype IQ Build Report tab on the build for a detailed report listing all the components and their corresponding violations.

Select the Sonatype IQ Summary Report tab on the build to see a summary of the policy evaluation for the scanned components.

Add dashboard widgets for Sonatype IQ

For ease of use, the following widgets for Sonatype IQ can be added to the Azure DevOps dashboard.

  1. Sonatype IQ Policy Evaluation widget: shows the policy evaluation results for the latest build.

  2. Trends for Sonatype IQ Policy Evaluation: shows a historical trend of Sonatype IQ Policy evaluations of the last 5 builds.

How to add Sonatype IQ widgets to the Azure DevOps Dashboard:

  1. Go to "Overview" → "Dashboards" and click the "Edit" button.

  2. On the right-hand side, under "Add Widget", search for "Sonatype IQ".

  3. Select the appropriate widget and click the "Add" button at the bottom right corner of the page. Click the "Done editing" button.

  4. The Sonatype IQ widget now appears on the dashboard, showing the results summary for the latest build and the historical summary for the last 5 builds.

Running Sonatype IQ in Azure Self-Hosted Agents

If you’re using an HTTP proxy within your infrastructure and Azure self-hosted build agents, you can specify the Azure DevOps agent’s proxy settings. These settings will then be automatically applied when connecting to IQ. For more information, refer to Microsoft’s documentation.

In the Azure-provided sample command:

./config.sh --proxyurl http://127.0.0.1:8888 --proxyusername "myuser" --proxypassword "mypass"

This would appear in the scan output as it is passed through to the IQ scan client:

...
-p
127.0.0.1:8888
-U
myuser:***
...
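The pass-through above is worth modelling explicitly, because the agent's proxy credentials end up on the IQ CLI command line and must be masked before they reach the console log. The following is an added example, not code from the extension; it assumes the mapping the sample output shows (proxy URL to "-p host:port", credentials to "-U user:password") and reproduces the "myuser:***" masking seen in the log.

```python
from urllib.parse import urlsplit

# Constructed input: the proxy settings from the Azure sample command above.
AGENT_PROXY = {
    "proxyurl": "http://127.0.0.1:8888",
    "proxyusername": "myuser",
    "proxypassword": "mypass",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def iq_proxy_args(proxyurl, username=None, password=None):
    """Translate agent proxy settings into IQ CLI proxy arguments.

    Assumed mapping, taken from the scan output shown above: '-p host:port'
    for the proxy, '-U user:password' for credentials. The returned list
    carries the real password, so redact it before logging.
    """
    parts = urlsplit(proxyurl)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported proxy URL: {proxyurl!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    args = ["-p", f"{parts.hostname}:{port}"]
    if username:
        # An empty password is still passed so the CLI sees 'user:'.
        args += ["-U", f"{username}:{password or ''}"]
    return args


def redact_args(args):
    """Mask the secret part of every '-U user:password' pair, giving the
    'user:***' form that the scan log shows."""
    out = list(args)
    for i, a in enumerate(out[:-1]):
        if a == "-U":
            user, _, _ = out[i + 1].partition(":")
            out[i + 1] = f"{user}:***"
    return out


if __name__ == "__main__":
    raw = iq_proxy_args(AGENT_PROXY["proxyurl"],
                        AGENT_PROXY["proxyusername"],
                        AGENT_PROXY["proxypassword"])
    print("\n".join(redact_args(raw)))
```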

Git/jgit Configuration and Permissions

The Azure DevOps extension uses the Sonatype IQ CLI to perform scans.

During the scanning process, the CLI uses Git to detect the repository URL, commit hash, and branch name.

If native Git is available on the build agent, the CLI will use it; otherwise, it falls back to jgit (Java-based Git). When jgit is used, it attempts to create configuration files in the current user’s $HOME directory. If it doesn’t have permission to do so, you may see ERROR-level log messages. These are not critical to the scan and can be safely ignored. To avoid them, make sure native Git is installed on the build agent, or set the XDG_CONFIG_HOME environment variable to a directory that the build agent user can write to.