Azure DevOps

  • Updated on May 14, 2025
  • Published on Oct 10, 2023
  • 6 minute(s) read
Prev Next

Azure DevOps is a comprehensive set of development tools and services by Microsoft designed to help teams plan, build, test, and deliver software efficiently. It supports the implementation of DevOps practices by enabling seamless collaboration between development and IT operations teams and automates key parts of the software delivery lifecycle. It integrates with Azure cloud services and various third-party tools and platforms.

How does the Azure DevOps Extension Help?

Traceable’s Azure DevOps extension enables you to scan your build pipelines for active vulnerabilities and receive comprehensive reports. The scan result highlights the vulnerabilities and their severity levels based on the CVSS and CWE scores. This enables you to categorize issues accurately and understand the security impact of new code changes in the relevant builds.

What are the Benefits of using this Extension?

The key benefits of integrating the Traceable extension in your CI/CD pipeline include:

  • Seamless security integration — Execute security tests and functional tests in the same pipeline, providing complete automation.

  • Live traffic-based test generation — Leverage live functional traffic to generate targeted security tests based on real payloads, increasing test accuracy.

How does the Extension Work?

The extension operates in the following sequence after you set up the AST scan, ensuring accurate execution. The following steps highlight the detailed working of the extension:

  1. Fetching the Input — The extension retrieves the configuration parameters you define in Step 2 below.

  2. Input Validation — The configuration parameters are verified for completeness, formatting, and accuracy. This prevents scanning based on invalid configurations.

  3. Downloading CLI — Traceable downloads the required CLI based on the specified CLI version (default: latest). This ensures that the scans are executed on the specified or default version.

  4. Generating Commands — Based on the inputs, Traceable generates the appropriate CLI command to execute the desired scan operation.

  5. Command Execution — The command generated above is executed according to the defined configuration. This step is repeated until all steps are executed.

  6. Report Publishing — Once the scan is complete, Traceable sends the results to the platform. These include detected vulnerabilities, status, and metadata.

The following flowchart shows the working of the extension:

Working of the Azure DevOps Integration

Working of the Azure DevOps Integration

Before you begin

Make a note of the following before you proceed with the integration:

  • Make sure that you have the required permissions to add the Traceable extension and the various configurations.

  • Make sure that your CI/CD pipeline is already available.

  • Make sure that you have identified the repository to which you wish to add the Traceable extension.

  • The topic assumes that you have reasonable knowledge of Azure DevOps and know the different functions and features.

  • The Platform API Token is required during the AST extension configuration. To generate the token, navigate to My Account My Preferences API Tokens.

  • (Recommended but optional) Make sure that you already have a suite configured in AST. The name of this suite is used later to configure the AST extension in your pipeline.

Configuration

Configuring the Traceable extension in your Azure DevOps pipeline requires the following two steps:

  1. Adding Traceable extension from the Azure marketplace

  2. Adding AST (API security testing) scan task to the pipeline

Step 1 — Add the Traceable Extension

This section highlights the steps to add the Traceable AST scan task extension to your Azure DevOps account. This helps you set up your scan pipeline.

Complete the following steps:

  1. Log in to your Azure DevOps account.

  2. Navigate to your organization's homepage.

  3. In the page’s bottom left corner, click Organization Settings.

  4. On the Overview page, left navigation bar, click Extensions.

  5. In the page’s top right corner, click Browse marketplace.

  6. In the Azure marketplace, search for the AST extension and click the Traceable AST scan task widget.

  7. Click Get it free to add it to your organization.

  8. From the drop-down, select an Azure DevOps organization and click Install.

Azure DevOps shows the extension on the Extensions page, Installed tab.

Step 2 — Add the AST Scan Task to the Pipeline

This section highlights the steps to set up the AST scan in your Azure DevOps account. Once the scan is set up, Traceable executes it and shows the scan results on the Traceable platform.

Complete the following steps:

  1. Navigate to your organization's homepage and click a project.

  2. In the left navigation bar, click Pipelines.

  3. If you have an existing pipeline, select from one of them. Else, click Create Pipeline to create a new pipeline.

  4. Select the Repository Type where your code resides, for example, GitHub.

  5. Select a Repository from the list of repositories.

  6. Click Show assistant and search for and click AST scan task.

  7. Set up your AST task in either of the following ways:

    1. Using YAML (Recommended)

    2. Using the AST scan task UI

Set up the AST Scan

You can set up your AST scan using either the YAML or the AST scan task user interface.

Option 1 — Using YAML (Recommended)

Copy and paste the following YAML into the codespace.

trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  AST_TOKEN: $(token)

jobs:
- job: AST_action
  steps:
  - task: Scan@0
    inputs:
      stepName: 'initAndRun'
      suite: 'open-api'
      token: $(AST_TOKEN)
      traceableServer: 'api.traceable.ai'

  - task: Scan@0
    condition: always()
    inputs:
      stepName: 'stop'
      token: $(AST_TOKEN)

The following table explains the components of the above YAML:

Parent Component

Sub-Component

Description

trigger

main

Executes the pipeline every time a commit is pushed to the main branch.

pool

vmImage: ubuntu-latest

Specifies the build agent pool as the latest Ubuntu (ubuntu-latest) hosted by Microsoft.

variables

AST_TOKEN: $(token)

Defines a variable AST_TOKEN that stores the Traceable API token. For information on setting this up, see Add the Token as a Variable.

This token is used when adding an AST scan task.

jobs

- job: AST_action

Defines a job named AST_action that contains the scan steps.

steps:

- task: Scan@0

Defines a Traceable scan task using the Traceable DevOps extension.

inputs:

stepName: 'initAndRun'

Initiates and runs the scan using the suite you mentioned below.

suite: 'open-api'

Specifies the suite name you wish to use for the scan.

token: $(AST_TOKEN)

Authenticates the scan using the defined token.

traceableServer: 'api.traceable.ai'

Specifies the Traceable server for scan execution.

- task: Scan@0

condition: always()

Ensures that this step is executed even if the previous one fails.

inputs:

stepName: 'stop'

Stops the scan post-execution.

token: $(AST_TOKEN)

Authenticates the step using the token.

Now, modify the YAML code based on the components mentioned above. Once you have modified the code, in the page’s top right corner, click Save and run.

Once the scan is executed, you can see the scan results on the Traceable platform, under TestingSuites.

Option 2 — Using AST Scan Task UI

Complete the following steps to set up an AST scan:

  1. In the AST scan task section, add a step to set up a new scan. To do so, complete the following:

    1. (Recommended but Optional) Under Step Name, click Init and Run.

    2. (Optional) Specify the Scan Name.

    3. Specify the Token that you copied from the Traceable platform. This token is visible as plain text in the pipeline and logs. To prevent this, you can add the token as a variable. For the steps to do this, see Add the Token as a Variable.

    4. Specify the Suite where you wish to see the scan results in the Traceable platform.

    5. Click Add.

    Traceable generates the YAML based on the above details.

  2. In the AST scan task section, add a step to stop a scan. This prevents scans from running for an infinite duration. To do so, complete the following:

    1. Under Step Name, click Stop.

    2. (Optional) Specify the Scan Name.

    3. Specify the Token that you copied from the Traceable platform. This token is visible as plain text in the pipeline and logs. To prevent this, you can add the token as a variable. For the steps to do this, see Add the Token as a Variable.

    4. Specify the Suite where you wish to see the scan results in the Traceable platform.

    5. Click Add.

    Traceable updates the YAML with the above details.

  3. In the page’s top right corner, click Save and run.

Once the scan is executed, you can see the scan results on the Traceable platform, under TestingSuites.

Add the Token as a Variable

In the above steps, when you add a token, it is visible as plain text in the pipeline and logs. To avoid this, you can add the token as a variable. To do so, complete the following steps:

  1. Click Variables.

  2.  In the Variables window, click on New variable.

  3. In the New Variable window, complete the following:
     

    1. In the Name field, specify the variable name, for example, token.

    2. In the Value field, specify the token that you copied from the Traceable platform.

    3. Select the checkboxes as shown above.

    4. Click OK.

You can define this variable in your pipeline. For more information, see Option 1 — Using YAML.