Using Open Source Components? Using TFS?
Back in March, I wrote about the WhiteSource Bolt extension for VSTS. This is a fantastic way to automate security checks for open source vulnerabilities in the release pipeline of your team project. The most frequent question I’ve received is, “When can we have this for TFS too?” I’m happy to announce that the extension now works with on-prem TFS too. It comes with a 14-day trial, and if you’re using Visual Studio Enterprise, go to https://my.visualstudio.com for a 6-month activation code.
As a reminder of what WhiteSource Bolt provides: you drop the task into your build definition, and it automatically inventories your open source components and tells you what vulnerabilities you have or which licenses you may need to check. Here’s an example I did on a recent node.js project. The build task ran for 58 seconds and inventoried 689 components. I was impressed that WhiteSource found 12 vulnerabilities, 9 of which were not available in the National Vulnerability Database! And for each vulnerability, there is a direct link to the top-rated fix.
If you’re using open source, or aren’t sure whether you are, you owe it to yourself to check out this extension.