Azure DevOps Extension Configuration Tips

Our InsightAppSec Azure DevOps extension has a good bit of flexibility in its configuration options for adding DAST as part of your pipelines in Azure. Some of those options are pretty self-explanatory (like application and scan config), but there are others that allow some additional customization within your pipelines. Let’s take a closer look at a couple of these.

Fail scan on timeout?
With this option checked, the Timeout field will become available. This is where you can input the maximum amount of time (in minutes) that the InsightAppSec scan can run before it’s cancelled, which results in the failure of this step in the pipeline. This is great for designating a reasonable time limit for scans based on the attack templates in scope for the scan configuration, as well as the type and scale of the application being scanned.

Generate findings report?
This option generates a full report containing data on the vulnerabilities found in the scan that’s performed. It contains raw JSON for every vulnerability and has a lot of useful info - things like severity, status, the attack performed, and the payload used. This can be great for creating custom reports that utilize and prettify this data, or harvesting additional data to use elsewhere for analysis or ticket creation. If you want to save this report as an artifact that’s associated with the pipeline for easy access, take a look at our full setup guide.

Scan Gating
Check this option and the Vulnerability Query field will become available. This is a powerful option for further customizing your pipeline and really automating the build/release process. The query that you enter here will be executed against the results of the scan once it completes. If any vulnerabilities match that query, then the step will fail. What this means is that you can determine what types of vulnerabilities you consider (un)acceptable in your application and use this query to gate your build/release with that in mind.

vulnerability.severity='HIGH'

The above would fail the step in the pipeline if the scan contains any vulnerabilities with a severity of HIGH, but would allow it to succeed otherwise. So if you’re concerned about high severity vulns in your app, go ahead and use this query for gating. Other query options can be found under the Useful Examples section here.
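To preview what a gating query would catch before enforcing it, you can run the same kind of check over a saved findings report. The script below is an added example, not code from the extension: it assumes the report is a JSON array whose objects carry `severity`, `status`, `attack` and `payload` keys (assumed names, check them against your own report), and it only understands a single `vulnerability.<field>='<value>'` clause, not the full query language.

```python
import json
import re
from collections import Counter

# Constructed sample report. The key names are assumptions based on the fields
# the post lists (severity, status, attack, payload), not a documented schema.
SAMPLE_REPORT = json.dumps([
    {"severity": "HIGH", "status": "UNREVIEWED",
     "attack": "SQL Injection", "payload": "<constructed placeholder>"},
    {"severity": "MEDIUM", "status": "UNREVIEWED",
     "attack": "Missing Security Header", "payload": ""},
    {"severity": "MEDIUM", "status": "IGNORED",
     "attack": "Cookie Attributes", "payload": ""},
])

# Accepts only the one-clause form shown in the post: vulnerability.severity='HIGH'
CLAUSE = re.compile(r"^\s*vulnerability\.(\w+)\s*=\s*'([^']*)'\s*$")


def parse_clause(query):
    """Split a single equality clause into (field, value); reject anything else."""
    match = CLAUSE.match(query)
    if not match:
        raise ValueError(f"unsupported query for this local check: {query!r}")
    return match.group(1), match.group(2)


def matching_findings(report_json, query):
    """Return the findings in the report whose field equals the queried value."""
    field, wanted = parse_clause(query)
    return [f for f in json.loads(report_json) if f.get(field) == wanted]


def severity_summary(report_json):
    """Count findings per severity, for a quick custom report."""
    return Counter(f.get("severity", "UNKNOWN") for f in json.loads(report_json))


def gate(report_json, query):
    """Mirror the gating rule: non-zero exit code if any finding matches."""
    hits = matching_findings(report_json, query)
    for f in hits:
        print(f"{f.get('severity')}: {f.get('attack')} [{f.get('status')}]")
    return 1 if hits else 0


if __name__ == "__main__":
    print(dict(severity_summary(SAMPLE_REPORT)))
    raise SystemExit(gate(SAMPLE_REPORT, "vulnerability.severity='HIGH'"))
```

Running it against a report from a recent scan shows which findings a candidate query would have failed the step on, so you can tune the gate before it starts blocking builds.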

Of course, those are just a few of the configuration options for the Azure DevOps extension. Are there other settings that you have questions about? How have your pipelines changed with the addition of the extension? We’d love to hear feedback on how it’s working for you so we can continue to improve and enhance it.
