Azure DevOps
  • 18 Apr 2024

Azure DevOps is a set of development tools and services provided by Microsoft that aim to help teams plan, develop, test, and deliver software more efficiently. It offers a comprehensive suite of tools for various aspects of the software development lifecycle. Software development teams often use Azure DevOps to implement DevOps practices, which involve the automation and collaboration of development and IT operations teams to improve the software delivery process. It integrates with Azure cloud services and a wide range of third-party tools and platforms.

You can use Traceable's Azure DevOps extension to continuously test your software builds for active vulnerabilities and get comprehensive reports. The scan results list each vulnerability with a severity derived from its CVSS score and a CWE classification, which helps you categorize issues correctly and understand the risk introduced by the code added in the relevant builds. Following are a few of the benefits of adding the Traceable extension:

  • Inserts security testing seamlessly into the existing functional tests of the same pipeline, fully automated.

  • Generates tests from live functional traffic, so security testing is targeted at the payloads the application actually receives.


Before you begin

Make a note of the following before you proceed with the integration:

  • Make sure that you have the required permissions to add the Traceable extension and the various configurations.

  • Make sure that your CI/CD pipeline is already available.

  • Make sure that you have identified the repository to which you wish to add the Traceable extension.

  • The topic assumes that you have reasonable knowledge of Azure DevOps and know the different functions and features.

  • Copy an API token from the Traceable Platform: navigate to My Account, then My Preferences, then API Tokens. The token is required when you configure the AST extension.

  • Make sure that you already have a scan policy configured in AST. The name of this policy is used later to configure the AST extension in your pipeline. This is optional but recommended.


Configuration

Configuring Traceable extension in Azure DevOps pipeline requires the following two steps:

  1. Adding the Traceable extension from the Azure marketplace

  2. Adding AST (API security testing) jobs in the pipeline.

Step 1 - Add Traceable extension

Complete the following steps to add Traceable extension to Azure DevOps:

  1. Log into your Azure DevOps account.

  2. Navigate to your organization's homepage.

  3. Select Organization Settings from the bottom-left corner.

  4. On the Overview page, click on Extensions under the General menu.

  5. Click on Browse marketplace.

  6. Search for AST extension in Azure marketplace.

  7. Click on Traceable's AST card.

  8. Click on the Get it free button to add it to the organization.

  9. Select an Azure DevOps organization and click on Install.

  10. The extension is now listed under the Extensions menu.


Step 2 - Add AST job in the pipeline

Complete the following steps to add AST job in the pipeline:

  1. Navigate to your organization's homepage and click on a project.

  2. Click on Pipelines.

  3. On the next screen, click on Create Pipeline, or select an existing pipeline if you already have one.

  4. Select the type of code repository where your code resides. In these steps, GitHub is chosen.

  5. Select a repository.

  6. Click on Show assistant and search for AST.

  7. Under Step Name, select the Init and Run radio button. This is optional but recommended.

  8. Click on the Add button.

  9. Add a second AST task, this time with Step Name set to Stop, and click on Add. A complete pipeline should always end with a stop task so that the scan started by Init and Run is stopped.

  10. Click on Save and run.

Add token as a variable

When you enter the token directly in the task in the steps above, it is stored in plain text in the pipeline definition and printed in plain text in the logs. To avoid this, store the token as a secret pipeline variable. Complete the following steps to add the token as a variable.

  1. Click on Variables.

  2. In the Variables window, click on New variable.

  3. Provide a name for the variable, for example, token, and paste the token value that you copied from the Traceable Platform in the Before you begin section.

    Make sure to check both checkboxes: Keep this value secret, so that the value is stored encrypted and masked in the pipeline logs, and Let users override this value when running this pipeline.

To use the variable, reference it in your pipeline YAML. In the example below, the secret pipeline variable token is mapped to AST_TOKEN and passed to both tasks; the stop task has condition: always() so that it runs even if the scan step fails:

trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  # token is the secret pipeline variable created above; its value is masked in logs
  AST_TOKEN: $(token)

jobs:
- job: AST_action
  steps:
  # Start the scan; the token is passed as a macro, never as a literal value
  - task: Scan@0
    inputs:
      stepName: 'initAndRun'
      suite: 'open-api'
      token: $(AST_TOKEN)
      traceableServer: 'api.traceable.ai'

  # always() runs the stop step even when the scan step fails, so no scan is left running
  - task: Scan@0
    condition: always()
    inputs:
      stepName: 'stop'
      token: $(AST_TOKEN)

Check the scan results in the AST dashboard.
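As an added example that is not part of Traceable's documentation or extension, the following Python script lints an azure-pipelines.yml for the two mistakes this section guards against: a token pasted as a literal instead of a secret variable macro such as $(token), and a pipeline whose stop task is missing or not set to run unconditionally. The task name Scan@0, the step names initAndRun and stop, and the input names are taken from the YAML above; both sample pipelines embedded in the script are constructed for the example, and the parser is a deliberately minimal line-based one rather than a YAML library.

```python
"""Lint an Azure DevOps pipeline that uses the Traceable AST Scan@0 task.

Added example, not Traceable's code. Flags:
  1. a token passed as a literal instead of a pipeline-variable macro
     ($(token)), which leaves the secret readable in the YAML and logs;
  2. a pipeline with a scan step but no stop step, or a stop step without
     condition: always(), so a failed scan would never be stopped.
"""
from __future__ import annotations

import re

# A correctly passed token is a pipeline-variable macro such as $(token) or $(AST_TOKEN).
MACRO_RE = re.compile(r"^\$\([A-Za-z_][A-Za-z0-9_]*\)$")
# "key: value" scalar, matched after any leading "- " list marker has been removed.
SCALAR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")
TASK_KEYS = ("condition", "stepName", "token", "suite", "traceableServer")


def _unquote(value: str) -> str:
    """Strip one pair of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_tasks(yaml_text: str) -> list[dict[str, str]]:
    """Collect every '- task:' block and the scalar inputs listed under it.

    Line based on purpose: it understands the layout shown in this article
    (one input per line, no flow mappings) and is not a general YAML parser.
    """
    tasks: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        is_item = line.startswith("- ")
        m = SCALAR_RE.match(line[2:] if is_item else line)
        if not m:
            continue
        key, value = m.group(1), _unquote(m.group(2))
        if is_item and key == "task":
            current = {"task": value}
            tasks.append(current)
        elif current is not None and key in TASK_KEYS:
            current[key] = value
    return tasks


def check_pipeline(yaml_text: str) -> list[str]:
    """Return findings for the AST tasks in a pipeline; an empty list means it passes."""
    findings: list[str] = []
    scan_tasks = [t for t in parse_tasks(yaml_text) if t["task"].startswith("Scan@")]
    for t in scan_tasks:
        step = t.get("stepName", "<unnamed>")
        token = t.get("token")
        if token is not None and not MACRO_RE.match(token):
            findings.append(
                f"step {step}: token is a literal value; store it as a secret pipeline "
                f"variable and reference it as $(token) so it is not visible in the YAML or logs"
            )
    stop_tasks = [t for t in scan_tasks if t.get("stepName") == "stop"]
    if scan_tasks and not stop_tasks:
        findings.append("no Scan task with stepName stop: a started scan would never be stopped")
    for t in stop_tasks:
        if t.get("condition") != "always()":
            findings.append(
                "stop task lacks condition: always(), so it is skipped when the scan step fails"
            )
    return findings


# Constructed sample: the shape recommended in this article.
GOOD_PIPELINE = """\
trigger:
- main
pool:
  vmImage: ubuntu-latest
variables:
  AST_TOKEN: $(token)
jobs:
- job: AST_action
  steps:
  - task: Scan@0
    inputs:
      stepName: 'initAndRun'
      suite: 'open-api'
      token: $(AST_TOKEN)
      traceableServer: 'api.traceable.ai'
  - task: Scan@0
    condition: always()
    inputs:
      stepName: 'stop'
      token: $(AST_TOKEN)
"""

# Constructed sample: token pasted inline twice, stop task without condition: always().
BAD_PIPELINE = """\
jobs:
- job: AST_action
  steps:
  - task: Scan@0
    inputs:
      stepName: 'initAndRun'
      suite: 'open-api'
      token: 'PASTE-YOUR-TOKEN-HERE'
      traceableServer: 'api.traceable.ai'
  - task: Scan@0
    inputs:
      stepName: 'stop'
      token: 'PASTE-YOUR-TOKEN-HERE'
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PIPELINE), ("bad", BAD_PIPELINE)):
        print(name, check_pipeline(text) or "OK")
```

Run it before committing a pipeline change, or wire check_pipeline into a pre-commit hook: a literal token in the YAML is already leaked the moment it is pushed, so the check is only useful before the commit leaves the workstation.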

