Invicti Enterprise Extension
Invicti Enterprise is an automated, yet fully configurable, web application security scanner. It enables you to scan websites, web applications, and web services and identify security flaws.
Invicti can scan all types of web applications, regardless of the platform or the language with which they are built.
Key Features
This extension provides the following components:
- Launch a new scan during build or release
- Perform instant scan monitoring
- Manage build fail and stop scan options by specifying severity
- Examine scan results with 10 different report options
Getting Started
Installation
The following steps can be used to install the shared extension within an organization.
- From the Visual Studio Marketplace page, select Get it free.
- Select the proper Azure DevOps organization, followed by Install.
The Invicti Enterprise extension and task will now be available to add to build and release pipelines.
Configuration
The following steps can be used to configure the extension within a project's build or release pipeline. If a Service Connection has already been configured for Invicti Enterprise, you can skip the Service Connection step.
Service Connection
Before configuring the build or release pipeline, first generate an Invicti Enterprise API key.
This API key is used to authorize the Azure DevOps extension to interact with the Invicti Enterprise API. For further information, see API Settings.
Once an API key has been generated, a Service Connection in Azure DevOps, which is used for connecting to the Invicti Enterprise API, can be configured as follows:
- Navigate to the desired project in Azure DevOps.
- Select Project Settings, then Service Connections.
- Select + New service connection.
- In the search bar, enter Invicti Enterprise and select Invicti Enterprise. Then, click Next. The New Invicti Enterprise service connection window is displayed.
- In the URL field, keep the default value or enter your preferred URL.
- In the User ID and Token fields, enter the required information.
- In the Service Connection name field, enter a friendly name.
- Click Save.
Please ensure Invicti appears in the list of service connections for that project.
Pipeline Configuration
Once you have created a service connection, you can add the Invicti Enterprise extension to build and release pipelines. The steps below are generalized for adding it to either a build or release pipeline:
- From within Azure DevOps, create or find the pipeline to which the task will be added.
- Edit the pipeline within scope.
- Identify the agent used for running the task and select the + (plus) icon.
- Search or scroll the list of tasks until you find Invicti Enterprise, then select Add.
- Complete the required and optional fields.
- Save your pipeline to keep the changes.
Scan Reports
There are many report options that you can view once the scan is completed. However, this requires the scan to be completed successfully.
When the scan is completed, you can view the selected report in a new tab as "Invicti Enterprise Scan Report" in the Pipelines section.
- Detailed Scan Report
- SANS Top 25
- OWASP Top Ten 2013
- OWASP Top Ten 2017
- WASC Threat Classification
- PCI DSS Compliance
- HIPAA Compliance
- Executive Summary
- Knowledge Base
- ISO 27001 Compliance
- Full Scan Detail
Release Notes
v1.9.5:
- Added support for Node.js v16 and Node.js v20.
v1.9.4:
- Added a retry mechanism for when the Invicti Enterprise web application experiences downtime.
v1.9:
- Security package updates were performed.
v1.8:
- Fixed difference between UI and extension reports.
v1.7:
- Fixed an issue where the generate report checkbox did not work as expected.
v1.6:
- Added the scan report output to the release pipeline.
v1.5:
- Updated the extension version and applied the brand change to the file path.
v1.4:
- Fixed the issue of build failing when source directory is missing.
v1.3:
- When any report is selected for the scan result, the report is created even if the build fails.
v1.2:
- Brand change has been made (Netsparker to Invicti).
v1.1:
- Added Accepted Risk, Confirmed and False Positive as build fail options.
- Allowed skipping scan stages in build steps.