Invicti Platform is a comprehensive dynamic application security testing (DAST) solution. It enables you to scan websites, web applications, and web services to identify security flaws.
Invicti can scan all types of web applications, regardless of the platform or the language with which they are built.
Key Features
This extension provides the following components:
- Launch a new DAST scan during build or release
- Select target and scan profile from your Invicti Platform account
- Perform instant scan monitoring
- Trigger scan only mode (start scan without waiting for results)
- Manage build fail and stop scan options by specifying severity
- Generate reports using available report templates
Getting Started
Installation
Use the following steps to install the shared extension within an organization.
From the Visual Studio Marketplace page, select Get it free.
Select the proper Azure DevOps organization followed by Install.
The Invicti Platform extension and task will now be available to add in build and release pipelines.
Configuration
Use the following steps to configure the extension within a project's build or release pipeline. If a Service Connection has already been configured for Invicti Platform, you can skip the Service Connection step.
Service Connection
Before configuring the build or release pipeline, first generate an Invicti Platform API Token.
This API Token is used to authorize the Azure DevOps Extension to interact with the Invicti Platform API. For further information, see CI/CD Environment Variables.
Once an API Token has been generated, a Service Connection in Azure DevOps can be configured as follows:
Navigate to the desired project in Azure DevOps.
Select Project Settings, then Service Connections.
Select + New service connection.

- In the search bar, enter Invicti Platform and select Invicti Platform. Then, click Next. The New Invicti Platform service connection window is displayed.
- In the URL field, keep the default value (https://platform.invicti.com) or enter your preferred URL
- In the API Token field, enter your Invicti Platform API token
- In the Service Connection name, enter a friendly name
- Click Save.
Please ensure Invicti Platform appears in the list of service connections for that project.
Pipeline Configuration
Once you have created a service connection, you can add the Invicti Platform extension to your build and release pipelines. The steps below are generalized for adding to either a build or release pipeline:
From within Azure DevOps, create or find the pipeline where the task will be added.
Edit the pipeline within scope.
Identify the agent used for running the task and select the + (plus) icon.
Search or scroll the list of tasks until you find Invicti Platform and select Add.

Complete the required and optional fields:
- Target: Select the target to scan from your Invicti Platform account
- Scan Profile: Select the scan profile to use
- Build Fail Settings: Optionally configure severity-based build failure
- Report Settings: Optionally enable report generation with a template
Save your pipeline to keep the changes.

Scan Reports
You can generate reports once the scan is completed by selecting a report template from your Invicti Platform account. When the scan is completed, you can view the selected report in a new tab as "Invicti Platform Scan Report" in the Pipelines section.

Release Notes
v1.0.0:
- Initial release of Invicti Platform extension for Azure DevOps.
- Support for DAST scanning with target and profile selection.
- Build failure based on vulnerability severity.
- Report generation with Platform report templates.
- Trigger scan only mode.
- Build results tab with scan report.