
Azure Boards

This document is for:
Invicti Platform

Microsoft Azure is a collection of cloud-based services designed to help businesses build, deploy, and manage web applications. One component service is Azure Boards, an issue-tracking system that enables teams to track work, issues, and code efficiently.

Invicti Platform provides built-in support for automatically creating, resolving, and reactivating Azure Boards issues based on scan results. It utilizes the default priorities and user-defined in Azure Boards to determine when issues should be marked as resolved or reopened.

This document describes the steps you need to take to integrate Invicti Platform with Azure Boards for tracking issues.

Prerequisites

Before integrating Invicti with Azure Boards, ensure you have completed the following prerequisites:

  • Active Azure account: You must have an active Azure account.
  • Active Project: Create a project where all the found vulnerabilities are going to be sent.
  • Access token: Generate an access token with the following custom defined scope to secure communication between Invicti and Azure:
      • Code: Read
      • Project and Team: Read
      • Work Items: Read & write
  • Custom Work Item (Issue) types: Configure custom issue labels unless you prefer Azure's default labels.
  • API Access Verification: Confirm that your Azure system allows incoming API requests. Follow the appropriate whitelisting instructions below:

Integrating Invicti with Azure Boards is a 3-step process:

Step 1: Create an access token

  1. In your Azure DevOps portal, select User settings > Personal access tokens.

  2. Click New token.

  3. On the Create a new personal token dialog, fill in the following fields:
      • Name: Enter a name for the token.
      • Organization: Select your organization from the drop-down list.
      • Expiration: Set an expiry date.
      • Scopes: Select Custom defined and select the following scope access:
          • Code: Read
          • Project and Team: Read
          • Work Items: Read & write

  4. Select Create.
  5. Copy the access token and save it in a safe place. It will be used in Step 2 of this integration.
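
A check a reviewer could run over an export of token records to confirm that the token created in Step 1 carries exactly the three scopes listed above and a bounded lifetime. This is an added example, not Invicti or Microsoft code; the record fields (displayName, scope, validTo), the mapping of the three permissions to the identifiers vso.code, vso.project and vso.work_write, the 90-day limit, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Assumed mapping of the Step 1 permissions to scope identifiers:
# Code: Read, Project and Team: Read, Work Items: Read & write.
REQUIRED_SCOPES = {"vso.code", "vso.project", "vso.work_write"}

# Constructed sample records; "scope" is a space-separated string (assumed shape).
SAMPLE_PATS = [
    {"displayName": "invicti-azure-boards",
     "scope": "vso.code vso.project vso.work_write", "validTo": "2025-03-01T00:00:00Z"},
    {"displayName": "invicti-full-access",
     "scope": "app_token", "validTo": "2026-01-01T00:00:00Z"},
    {"displayName": "invicti-read-only",
     "scope": "vso.code vso.project vso.work", "validTo": "2024-12-01T00:00:00Z"},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample data


def audit_pat(record, now, max_days=90):
    """Return findings for one token record; an empty list means compliant.

    Scopes are compared by exact match, so a broader scope is reported as
    excess and the narrow scope it replaces is reported as missing.
    """
    findings = []
    scopes = set(record.get("scope", "").split())
    missing = REQUIRED_SCOPES - scopes
    extra = scopes - REQUIRED_SCOPES
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    if extra:
        findings.append("excess scopes: " + ", ".join(sorted(extra)))
    valid_to = datetime.fromisoformat(record["validTo"].replace("Z", "+00:00"))
    if valid_to <= now:
        findings.append("token expired")
    elif (valid_to - now).days > max_days:
        findings.append(f"expiry more than {max_days} days away")
    return findings


def audit_all(records, now, max_days=90):
    """Map each token's display name to its list of findings."""
    return {r["displayName"]: audit_pat(r, now, max_days) for r in records}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PATS, NOW).items():
        print(name, "->", findings or "OK")
```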

Step 2: Configure Invicti

  1. In Invicti, select Integrations from the left-side menu.
  2. Switch to the All integrations tab.

  3. Scroll down to Issue trackers and select Configure in the Azure Boards tile.

  4. In the Configure and authorize section:
      • Enter a name for your integration. For this example, we have used Azure Boards and Invicti integration.
      • Fill in the Azure Boards base URL.
      • In the Authentication details, enter your Account Email and the Access Token you generated in Step 1.
      • Click Validate & load projects to load your projects and issue details.

  5. In the Project configuration section, provide the following details:
      • Select a Project from the drop-down list. This is where the found vulnerabilities are going to be sent.
      • Specify the Work item type. Select an Issue, Epic, or a Task.
      • Work item title formatting: Choose the format for the work item title.
      • Included details: Use the drop-down menu to select the information to include in the work item details.
      • Optionally, select Yes to include a link to the report and attach a PDF report.
      • Click Next.

  6. In the Issue mappings section, assign Field values and Field mappings.
      • Field values: Select the Area ID and Iteration. They will be visible in Azure in the work item detail.
      • Field mappings: Map Invicti Vulnerability Severity levels to Azure Boards Work item Priorities.
      • By clicking Add new in the Field mappings, you can specify further items such as Vulnerability, Asset Name, Asset URL, Confidence, CVSS3 Score and Vector, and CVSS4 Score and Vector.

  7. Click Create sample issue to test the configuration. A green Success message appears at the top of the page.

  8. The vulnerability is now created and visible in your Work items list.

  9. In Invicti, click Save and finish to complete the Azure Boards integration.

Step 3: Submit vulnerabilities to Azure Boards

After identifying vulnerabilities, you can forward them to the designated issue tracker. The process is consistent across all supported issue trackers. For detailed instructions, refer to the linked documents.

