Repo Registry
The repo registry is a YAML manifest that catalogues every repository participating in the Microtec DevSecOps pipeline. It serves as the single source of truth for which repositories receive security scanning, what tools they use, and how the shared pipeline template should be parameterized for each.
File Location
```text
DevSecOps/
└── config/
    └── repo-registry.yml
```

Registry Schema
Each entry in the registry describes one repository:
```yaml
# DevSecOps/config/repo-registry.yml
version: "1.0"
repositories:
  - repoName: string              # Azure DevOps repository name
    language: string              # Primary language: dotnet | typescript | dart | mixed
    enabled: boolean              # Whether DevSecOps is active for this repo
    dockerfilePath: string        # Relative path to primary Dockerfile
    testProject: string           # Test project path (dotnet) or test script (npm)
    sonarProjectKey: string       # SonarCloud project key
    sonarScannerMode: string      # MSBuild | CLI
    integrationTestsEnabled: boolean
    dastEnabled: boolean          # OWASP ZAP (only for deployed services)
    imageNamePrefix: string       # ACR image name prefix
    additionalExclusions:         # Paths excluded from all scans
      - string
```

Current Registry (Participating Repositories)
```yaml
version: "1.0"
repositories:
  # ─────────────────────────────────────────────────────
  # Backend: ERP + Business Owner microservices
  # ─────────────────────────────────────────────────────
  - repoName: Platforms
    language: dotnet
    enabled: true
    dockerfilePath: Src/AppsPortal/Accounting/AppsPortal.Apis/Dockerfile
    testProject: Src/AppsPortal/Accounting/AppsPortal.Tests/AppsPortal.Tests.csproj
    sonarProjectKey: microtec_platforms
    sonarScannerMode: MSBuild
    integrationTestsEnabled: true
    dastEnabled: true
    imageNamePrefix: mic-erp-be
    additionalExclusions:
      - Src/AppsPortal/*/Migrations/**
      - Src/Shared/**

  # ─────────────────────────────────────────────────────
  # Infrastructure microservices (Notification, Workflow, etc.)
  # ─────────────────────────────────────────────────────
  - repoName: InfrastructureServices
    language: dotnet
    enabled: true
    dockerfilePath: src/Notification/Dockerfile
    testProject: src/Notification/Notification.Tests/Notification.Tests.csproj
    sonarProjectKey: microtec_infrastructure_services
    sonarScannerMode: MSBuild
    integrationTestsEnabled: true
    dastEnabled: true
    imageNamePrefix: mic-erp-infra
    additionalExclusions:
      - src/*/Migrations/**

  # ─────────────────────────────────────────────────────
  # Blazor workflow designer
  # ─────────────────────────────────────────────────────
  - repoName: WorkflowDesigner
    language: dotnet
    enabled: true
    dockerfilePath: WorkflowDesigner/Dockerfile
    testProject: WorkflowDesigner.Tests/WorkflowDesigner.Tests.csproj
    sonarProjectKey: microtec_workflow_designer
    sonarScannerMode: MSBuild
    integrationTestsEnabled: false
    dastEnabled: false
    imageNamePrefix: mic-erp-workflow
    additionalExclusions:
      - wwwroot/**

  # ─────────────────────────────────────────────────────
  # Keycloak custom SPI providers
  # ─────────────────────────────────────────────────────
  - repoName: KeycloakProviders
    language: dotnet
    enabled: true
    dockerfilePath: Dockerfile
    testProject: KeycloakProviders.Tests/KeycloakProviders.Tests.csproj
    sonarProjectKey: microtec_keycloak_providers
    sonarScannerMode: MSBuild
    integrationTestsEnabled: false
    dastEnabled: false
    imageNamePrefix: mic-erp-keycloak
    additionalExclusions: []

  # ─────────────────────────────────────────────────────
  # Angular micro-frontend apps
  # ─────────────────────────────────────────────────────
  - repoName: FrontApps
    language: typescript
    enabled: true
    dockerfilePath: nginx.Dockerfile
    testProject: npm test -- --watch=false --code-coverage
    sonarProjectKey: microtec_frontapps
    sonarScannerMode: CLI
    integrationTestsEnabled: false
    dastEnabled: false
    imageNamePrefix: mic-erp-fr
    additionalExclusions:
      - dist/**
      - node_modules/**
      - projects/**/environments/**

  # ─────────────────────────────────────────────────────
  # Flutter mobile apps (no container, SAST + deps only)
  # ─────────────────────────────────────────────────────
  - repoName: BoMobileApp
    language: dart
    enabled: true
    dockerfilePath: ""            # No container
    testProject: flutter test
    sonarProjectKey: microtec_bo_mobile
    sonarScannerMode: CLI
    integrationTestsEnabled: false
    dastEnabled: false
    imageNamePrefix: ""
    additionalExclusions:
      - .dart_tool/**
      - build/**
```

How the Template Consumes the Registry
The shared pipeline template reads the registry at runtime and selects the entry matching the current repository:
```yaml
# DevSecOps/templates/security-pipeline-template.yml (conceptual)
parameters:
  - name: repoName
    type: string

steps:
  - task: Bash@3
    displayName: 'Load repo config from registry'
    inputs:
      targetType: 'inline'   # required for an inline script; the default is filePath
      script: |
        # A template parameter is expanded at compile time with ${{ }};
        # $(repoName) would look for a runtime variable that is never set.
        CONFIG=$(python scripts/get-repo-config.py \
          --registry config/repo-registry.yml \
          --repo "${{ parameters.repoName }}")
        # Each field becomes a pipeline variable for the later stages.
        echo "##vso[task.setvariable variable=dockerfilePath]$(echo "$CONFIG" | jq -r '.dockerfilePath')"
        echo "##vso[task.setvariable variable=testProject]$(echo "$CONFIG" | jq -r '.testProject')"
        echo "##vso[task.setvariable variable=sonarProjectKey]$(echo "$CONFIG" | jq -r '.sonarProjectKey')"
        echo "##vso[task.setvariable variable=dastEnabled]$(echo "$CONFIG" | jq -r '.dastEnabled')"
```

How to Onboard a New Repository
Follow these steps to add a new repository to the DevSecOps program:
Step 1: Add Entry to Registry
Open DevSecOps/config/repo-registry.yml and add a new entry:
```yaml
  - repoName: MyNewService
    language: dotnet
    enabled: true
    dockerfilePath: src/MyNewService/Dockerfile
    testProject: src/MyNewService.Tests/MyNewService.Tests.csproj
    sonarProjectKey: microtec_my_new_service
    sonarScannerMode: MSBuild
    integrationTestsEnabled: true
    dastEnabled: true
    imageNamePrefix: mic-erp-mynewservice
    additionalExclusions:
      - src/*/Migrations/**
```

Step 2: Create SonarCloud Project
- Log in to sonarcloud.io with the `microtec` organization account.
- Create a new project with the `sonarProjectKey` value from Step 1.
- Add `.sonarcloud.properties` to the repository root (see sonarcloud.md).
Step 3: Add .gitleaks.toml and .trivyignore
Copy the baseline files from another repository:
```bash
cp Platforms/.gitleaks.toml MyNewService/.gitleaks.toml
cp Platforms/.trivyignore MyNewService/.trivyignore
```

Step 4: Extend the Consumer Pipeline
In the new repository, create azure-pipelines.yml that extends the shared template:
```yaml
# MyNewService/azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - stage
      - preprod
      - uat
      - production
  paths:
    exclude:
      - docs/**
      - '*.md'

pr:
  branches:
    include:
      - main

resources:
  repositories:
    - repository: DevSecOps
      type: git
      name: microtec/DevSecOps
      ref: refs/heads/main

extends:
  template: templates/security-pipeline-template.yml@DevSecOps
  parameters:
    repoName: 'MyNewService'
    environment: '$(targetEnvironment)'
```

Step 5: Raise a PR to DevSecOps Repository
Submit a PR to the DevSecOps repository with:
- The registry entry (Step 1)
- Any Microtec-specific Gitleaks rules needed
- A brief description of the new service and its security surface
The security team reviews and merges.
Step 6: Verify First Run
After the PR is merged, trigger a manual pipeline run and confirm:
- All 16 stages appear in the pipeline run
- SonarCloud receives analysis and creates quality gate status
- Gitleaks scan shows no findings
- Trivy reports are published as artifacts
Registry Validation
A validation script runs on every PR to the DevSecOps repository to ensure registry entries are well-formed:
```bash
python DevSecOps/scripts/validate-registry.py \
  --registry DevSecOps/config/repo-registry.yml \
  --schema DevSecOps/config/repo-registry-schema.json
```

Validation checks:
- All required fields present
- `sonarProjectKey` matches pattern `^microtec_[a-z_]+$`
- `dockerfilePath` is non-empty when `dastEnabled: true`
- `imageNamePrefix` matches naming convention `^mic-erp-[a-z]+$`
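The four validation checks above, together with the per-repository lookup that the template's `get-repo-config.py` call performs, fit in a few dozen lines. The block below is an added example and not the project's own `scripts/validate-registry.py` or `scripts/get-repo-config.py`. It operates on the registry as already-parsed data (the dict `yaml.safe_load` returns for `repo-registry.yml`) so it runs without PyYAML. The embedded sample registry is constructed from the Platforms and BoMobileApp entries shown on this page plus one deliberately invalid entry. Two checks go beyond the page's list and are assumptions: an empty `imageNamePrefix` is accepted only when `dockerfilePath` is also empty (the container-less BoMobileApp case), and `repoName` values must be unique.

```python
"""Registry helpers for the Microtec DevSecOps repo registry (added example;
not the project's scripts/validate-registry.py or scripts/get-repo-config.py).
Input is the parsed registry, i.e. what yaml.safe_load(repo-registry.yml) returns."""
import json
import re

# Required fields and their types, taken from the Registry Schema section.
REQUIRED_FIELDS = {
    "repoName": str, "language": str, "enabled": bool, "dockerfilePath": str,
    "testProject": str, "sonarProjectKey": str, "sonarScannerMode": str,
    "integrationTestsEnabled": bool, "dastEnabled": bool, "imageNamePrefix": str,
    "additionalExclusions": list,
}
LANGUAGES = {"dotnet", "typescript", "dart", "mixed"}
SCANNER_MODES = {"MSBuild", "CLI"}
SONAR_KEY_RE = re.compile(r"^microtec_[a-z_]+$")
IMAGE_PREFIX_RE = re.compile(r"^mic-erp-[a-z]+$")


def validate_entry(entry):
    """Return the list of problems with one registry entry (empty means valid)."""
    name = entry.get("repoName", "<no repoName>")
    problems = []
    for field, expected in REQUIRED_FIELDS.items():
        if field not in entry:
            problems.append(f"{name}: missing required field '{field}'")
        elif not isinstance(entry[field], expected):
            problems.append(f"{name}: '{field}' must be {expected.__name__}")
    if problems:
        return problems  # shape is wrong; value checks below would only add noise
    if entry["language"] not in LANGUAGES:
        problems.append(f"{name}: unknown language '{entry['language']}'")
    if entry["sonarScannerMode"] not in SCANNER_MODES:
        problems.append(f"{name}: sonarScannerMode must be MSBuild or CLI")
    if not SONAR_KEY_RE.match(entry["sonarProjectKey"]):
        problems.append(f"{name}: sonarProjectKey '{entry['sonarProjectKey']}' "
                        f"does not match {SONAR_KEY_RE.pattern}")
    # DAST (OWASP ZAP) runs against a deployed container, so it needs an image to build.
    if entry["dastEnabled"] and not entry["dockerfilePath"]:
        problems.append(f"{name}: dastEnabled is true but dockerfilePath is empty")
    # Assumption: an empty prefix is only valid for repos that build no container.
    prefix = entry["imageNamePrefix"]
    if prefix and not IMAGE_PREFIX_RE.match(prefix):
        problems.append(f"{name}: imageNamePrefix '{prefix}' does not match {IMAGE_PREFIX_RE.pattern}")
    if not prefix and entry["dockerfilePath"]:
        problems.append(f"{name}: dockerfilePath is set but imageNamePrefix is empty")
    return problems


def validate_registry(registry):
    """Validate the whole registry: version, unique repoNames, then every entry."""
    problems = []
    if registry.get("version") != "1.0":
        problems.append('registry version must be "1.0"')
    seen = set()
    for entry in registry.get("repositories") or []:
        name = entry.get("repoName")
        if name in seen:  # assumption: the template's lookup needs unique names
            problems.append(f"duplicate repoName '{name}'")
        seen.add(name)
        problems.extend(validate_entry(entry))
    return problems


def get_repo_config(registry, repo_name):
    """Select the entry for one repository, as the template's config step needs."""
    for entry in registry.get("repositories") or []:
        if entry.get("repoName") == repo_name:
            return entry
    raise KeyError(f"repository '{repo_name}' is not in the registry")


# Constructed sample: two entries from this page plus an invalid one (BadService).
SAMPLE_REGISTRY = {"version": "1.0", "repositories": [
    {"repoName": "Platforms", "language": "dotnet", "enabled": True,
     "dockerfilePath": "Src/AppsPortal/Accounting/AppsPortal.Apis/Dockerfile",
     "testProject": "Src/AppsPortal/Accounting/AppsPortal.Tests/AppsPortal.Tests.csproj",
     "sonarProjectKey": "microtec_platforms", "sonarScannerMode": "MSBuild",
     "integrationTestsEnabled": True, "dastEnabled": True, "imageNamePrefix": "mic-erp-be",
     "additionalExclusions": ["Src/AppsPortal/*/Migrations/**", "Src/Shared/**"]},
    {"repoName": "BoMobileApp", "language": "dart", "enabled": True,
     "dockerfilePath": "", "testProject": "flutter test",
     "sonarProjectKey": "microtec_bo_mobile", "sonarScannerMode": "CLI",
     "integrationTestsEnabled": False, "dastEnabled": False, "imageNamePrefix": "",
     "additionalExclusions": [".dart_tool/**", "build/**"]},
    # Invalid on purpose: bad key, DAST without a Dockerfile, bad image prefix.
    {"repoName": "BadService", "language": "dotnet", "enabled": True,
     "dockerfilePath": "", "testProject": "src/BadService.Tests/BadService.Tests.csproj",
     "sonarProjectKey": "BadService", "sonarScannerMode": "MSBuild",
     "integrationTestsEnabled": False, "dastEnabled": True, "imageNamePrefix": "badsvc",
     "additionalExclusions": []},
]}

if __name__ == "__main__":
    for problem in validate_registry(SAMPLE_REGISTRY):
        print("INVALID:", problem)
    # The JSON the template pipes into jq for one repository:
    print(json.dumps(get_repo_config(SAMPLE_REGISTRY, "Platforms"), indent=2))
```

Running the block prints three problems for `BadService` and the Platforms entry as JSON. Returning a non-zero exit when `validate_registry` reports anything is what makes the PR check in the DevSecOps repository block a malformed entry before it reaches the shared template.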