Working with WhiteSource Bolt

To start executing scans with WhiteSource Bolt, perform the following actions:

  1. Install the WhiteSource Bolt extension from the Azure DevOps marketplace.
  2. Navigate to the WhiteSource Bolt menu under Pipelines.
  3. Sign up and accept the license terms.
  4. Add the WhiteSource Bolt scanning task to build or release definitions, as shown in the following screenshot:
  5. Once a pipeline with the WhiteSource Bolt task installed has run, the page with the build results will contain an extra tab called WhiteSource Bolt Build Report that shows the results, as shown in the following screenshot:
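Step 4 can also be expressed as a YAML pipeline instead of the classic editor. The following is an added example, not a pipeline from the book or from WhiteSource: it builds a .NET project and then runs the scanning task on the resolved package tree. The task identifier `WhiteSource Bolt@20` and its `cwd` input are assumed from the marketplace extension and should be checked against the task picker in your own organization once the extension is installed.

```yaml
# Added example (not from the book): Azure Pipelines YAML that builds a
# project and then runs the WhiteSource Bolt scan on it.
# Assumption: the task is registered as "WhiteSource Bolt@20" with a "cwd"
# input; confirm the exact name/version in your pipeline's task picker.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Restore and build first so the scanner sees the fully resolved
  # dependency graph (including transitive packages), not only the manifest.
  - task: DotNetCoreCLI@2
    displayName: 'Restore and build'
    inputs:
      command: 'build'
      projects: '**/*.csproj'

  # Scan the working directory for vulnerable open-source packages and
  # license risks. The results are shown in the "WhiteSource Bolt Build
  # Report" tab of the build summary after the run completes.
  - task: WhiteSource Bolt@20
    displayName: 'WhiteSource Bolt dependency scan'
    inputs:
      cwd: '$(System.DefaultWorkingDirectory)'
```

Placing the scan after the build step matters: dependency scanners report on what is actually restored into the working directory, so running the task before package restore would miss transitive dependencies that only appear once the project has been built.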

This report provides a number of insights about the overall security and licensing risks of the scanned application build:

  • The top row, with four widgets, provides an overview of the vulnerability score and three different breakdowns into how that score was calculated.
  • Below this, all of the vulnerable packages are listed by name, with a reference to the dependency and a recommended mitigation.
  • The section at the bottom provides a list of all licenses used by the dependencies. This list is sorted from high risk to low risk.
  • Below this overview, WhiteSource Bolt also generates a list of dependencies for which a newer version is available (this is not visible in the preceding screenshot).

The results shown in this report can also be accessed from the WhiteSource Bolt menu, under the Pipelines menu. In this view, all of the reports for all of the builds can be accessed. This view is great for those who are responsible for assessing security or licensing standards across a project or organization.

This completes our discussion on dependency scanning. As mentioned earlier, you can use these tools to your advantage to detect and scan all the dependencies that are used when building an application. In the next section, infrastructure compliance is introduced.
