Azure DevOps is a web-based DevOps manager that provides CI/CD pipeline features called Azure Pipelines.
You can integrate Invicti Enterprise with Azure Pipelines using cURL or PowerShell scripts generated by our Integration Script Generator, in order to enable our advanced integration functionality.
Opted for using the Invicti Enterprise Extension for Azure Pipelines? Then, from the Invicti Enterprise main menu, go to Integrations > New Integration > Azure Pipelines. And, select View Extension in the Use Extension section.
For further information about installation and configuration, see Invicti Enterprise Extension.
For further information, see What Systems Does Invicti Integrate With?.
Azure Pipelines Fields
This table lists and explains the Azure Pipelines fields in the New Azure Pipelines Integration window.
This is the type of scan:
For further information, see Types of Scans.
Click to select the URL of the website that will be scanned.
Click to select the Scan Profile that will be used. (If you selected Full (With primary profile) as the Scan Type, this is not displayed.)
cURL / PowerShell
Add the information in this script to the corresponding fields in the config.yml file in your project. Use variables for Invicti Enterprise and API credentials.
Generating and Using Invicti Enterprise’s Azure Integration Scripts
Invicti Enterprise uses cURL and PowerShell command-line tools to integrate with Azure Pipelines. In order to integrate with Invicti Enterprise, the Pipeline agent’s execution environment must support cURL or PowerShell.
These instructions are based on PowerShell, but the same can be applied for cURL.
How to Generate Invicti Enterprise's Azure Pipelines Integration Scripts
- Log in to Invicti Enterprise.
- From the main menu, go to Integrations > New Integration > Azure Pipelines.
- From the Integration Script Generator section, select the relevant Scan Settings:
- From the Scan Type field, select an option
- From the Website drop-down, select a website
- From the Scan Profile drop-down, select a scan profile (this is not displayed if you select Full with Primary Profile as the Scan Type)
- Enable the Stop the scan if the Build fails, if required
- Enable the Fail the Build if one of the selected scan severity is detected, if required
- Enable the Fail the Build if one of the selected scan severity is detected
- Enable the Fail the Build if one of the selected scan severity is detected, if required (For further information, see Using Build Fail in Azure Pipelines Project.)
- In the PowerShell field, click Copy to copy the PowerShell script. You will then paste this into the file described in How to Use Invicti Enterprise’s Azure Pipeline Integration Script Step 6.
How to Use Invicti Enterprise's Azure Pipeline Integration Script
- Log in to your Azure DevOps account.
- Navigate to your Azure DevOps Project window.
- Go to Pipelines > Select a Pipeline > Edit.
- Add PowerShell Task to the pipeline.
- Add the PowerShell script copied from the Integration Script Generator. (See How to Generate Invicti Enterprise’s Azure Pipelines Integration Scripts.)
- Select Variables. Add your Invicti Enterprise API credentials as USERID and APITOKEN variables.
- From the Save & Queue drop-down, select Save.
Using Build Fail in Azure Pipelines Project
It is possible to configure a failure in the Azure Pipelines build to stop the scan when a vulnerability severity is detected.
The build fail parameters operate in the AND logic. To fail a build, all selected parameters have to be met. For instance, if you select Critical from the severity drop-down and select the Confirmed checkbox, the build fails only if these two conditions are met.
This can be configured using the Severity, Confirmed, False Positive, and Accepted Risk parameters.
- Scan Severity: With this option, you choose which severity will fail this build when found in a related scan. If you choose “DoNotFail”, the detected vulnerability does not affect your Azure build.
The options for Scan Severity are:
- High or above
- Medium or above
- Low or above
- Best Practice or above
- Confirmed: With this option, you choose to fail this build when a vulnerability found in a related scan is confirmed.
For example, if you choose the Medium or above option from the Scan Severity drop-down and select the Is Confirmed checkbox, the build fails only if the vulnerability has medium or higher severity and that vulnerability is confirmed. Otherwise, the build continues.
- False Positive: With this option, you choose not to fail this Azure build when the scan identifies a vulnerability set as a False Positive.
For example, if you choose the Medium or above option from the Scan Severity drop-down and select the False Positive checkbox, the build will not fail if the vulnerability has medium or higher severity and that vulnerability is false positive. Otherwise, the build fails.
- Accepted Risk: With this option, you choose not to fail this Azure build when the scan identifies a vulnerability set as an Accepted Risk.
For example, if you choose the Medium or above option from the Scan Severity drop-down and select the Accepted Risk checkbox, the build will not fail if the vulnerability has medium or higher severity and that vulnerability is accepted risk. Otherwise, the build fails.