Puma Scan’s 0.9.0.1 release introduces several new features, including a new Azure DevOps marketplace extension, a repository- or solution-specific settings file that can live with a single application or service, and more advanced false positive suppression capabilities.
Introducing an application-specific settings file (.pumafile) allowing custom scanner configuration per repository or application. More details can be found in the User Guide.
False positive suppression is now handled in the application’s .pumafile. False positives can be documented in the Exceptions block by adding a new Exception with the project, relative path, start line, end line, code checksum, approver, reason, and timestamp. More details can be found in the User Guide.
Puma Scan artifacts (licenses, settings, log files) were moved from the %appdata%\Microsoft\VisualStudio\Puma.Security.Rules directory to the %appdata%\PumaSecurity\PumaScan directory.
Enhanced logging functionality for better troubleshooting. Log files are stored in the %localappdata%\PumaSecurity\PumaScan directory.
Create a .pumafile in each repository to apply custom configuration and false positive exceptions per application.
Document false positives during development in the .pumafile and obtain approval from security prior to running through the build pipeline.
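As an added illustration of the Exceptions block and the approval step described above (not Puma Scan's code, and not its actual .pumafile schema, which the User Guide documents), the following Python script shows how the code checksum and approver fields let a build step reject suppressions whose code has changed since approval or that security never signed off on. The record layout, checksum algorithm, sample source file and sample exceptions are constructed assumptions.

```python
# Validate .pumafile-style false-positive exceptions against the code they cover.
# Hypothetical layout: the keys below only mirror the fields listed in the release notes.
import hashlib

# Constructed sample: the lines of one source file in the repository.
PATH = "Web/Controllers/HomeController.cs"
SOURCE_FILES = {PATH: [
    "public class HomeController : Controller {",
    "    public ActionResult Index(string name) {",
    "        ViewBag.Name = name;",
    "        return View();",
    "    }",
    "}",
]}

def code_checksum(lines, start, end):
    """SHA-256 of the covered lines (1-based, inclusive), stripped of surrounding
    whitespace so re-indenting does not invalidate an approved exception."""
    body = "\n".join(line.strip() for line in lines[start - 1:end])
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def exception(start, end, checksum, approver, reason, timestamp):
    """One exception record carrying the fields named in the release notes."""
    return {"project": "Web", "path": PATH, "start_line": start, "end_line": end,
            "checksum": checksum, "approver": approver, "reason": reason, "timestamp": timestamp}

# Constructed exceptions: one current, one approved against older code, one never approved.
EXCEPTIONS = [
    exception(2, 4, code_checksum(SOURCE_FILES[PATH], 2, 4), "appsec@example.com",
              "name is HTML-encoded by the Razor view", "2019-05-01T12:00:00Z"),
    exception(2, 4, "0" * 64, "appsec@example.com",
              "approved before the method was rewritten", "2019-01-15T09:30:00Z"),
    exception(3, 3, code_checksum(SOURCE_FILES[PATH], 3, 3), "",
              "developer believes this is safe", "2019-05-02T08:00:00Z"),
]

def validate_exceptions(exceptions, files, required=("approver", "reason", "timestamp")):
    """Return (index, problem) pairs; an empty list means every suppression still holds."""
    problems = []
    for i, ex in enumerate(exceptions):
        missing = [f for f in required if not ex.get(f)]
        if missing:
            problems.append((i, "missing " + ", ".join(missing)))
        lines = files.get(ex["path"])
        if lines is None:
            problems.append((i, "file not found"))
        elif code_checksum(lines, ex["start_line"], ex["end_line"]) != ex["checksum"]:
            problems.append((i, "code changed since approval; re-review required"))
    return problems
```

Run in the pipeline, a non-empty result fails the build, so a stale or unapproved suppression cannot silently hide a finding.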
The first official release of the Microsoft Azure DevOps Puma Scan extension hit the marketplace. Pricing is by number of pipelines, with your first 5 pipelines covered by the base license.
Install the extension on the Azure DevOps Marketplace.
Purchase and download Azure DevOps Licenses on the Puma Scan Purchasing Site.