In the cloud-native world, API security is an important concern because most microservices are exposed through APIs, both externally to users and to other internal services. Traceable AST complements the API Catalog by using the DNA to build intelligently targeted scans that detect vulnerabilities at the API layer. It also helps close the loop on exploits found in production by running security scans in pre-prod environments. It helps find vulnerabilities in the early stages of the SDLC, giving developers and product security engineers more time and context to prioritize mitigation of vulnerabilities and build secure APIs.
Traceable's Azure DevOps extension can be used to continuously test your software builds for active vulnerabilities and to get comprehensive reports that help decide whether a build should pass, based on new or existing vulnerabilities exposed by the new code. It runs AST scans on triggers and maps the scan results, which include a list of vulnerabilities with severities based on CVSS and CWE scores, to help categorize issues correctly and give a comprehensive understanding of the risks introduced by new code in the relevant builds.
What does the Traceable xAST Azure DevOps extension provide?
Extensive security testing coverage for microservices and APIs.
Generates tests from live functional traffic for targeted security testing based on actual payloads.
Insertion into DevSecOps with scan initiation and vulnerability management from scan findings.
Inserts security seamlessly into existing functional tests in the same pipeline with full automation.
Risk-based prioritization using asset inventory, threat intel, and predictive modeling.
Decide whether to pass or fail the build based on the security issues introduced in it.
Getting started with the Traceable AST extension
Understanding the inputs
| Input | Description |
| --- | --- |
| stepName | Scan action: init, run, init and run, or stop. |
| scanName | Name of the scan. |
| token | Access token from the platform. |
| suite | Scan suite to use for the scan. |
Advanced Options
| Input | Description |
| --- | --- |
| trafficEnv | Environment from which AST should observe traffic. |
| plugins | List of plugins to run the AST scan for. |
| includeUrlRegex | URL patterns to include in the test. |
| excludeUrlRegex | URL patterns to exclude from the scan. |
| postmanCollection | Postman collection to run the scan with. |
| postmanEnvironment | Postman environment file used to run the Postman collection. |
| openApiSpecFiles | Comma-separated list of OpenAPI spec files. |
| targetUrl | Target URL for the tests. |
| traceableServer | URL of the Traceable server; not applicable for SaaS customers. |
| idleTimeout | Timeout (minutes) for a scan that goes into the IDLE state. |
| scanTimeout | Scan timeout (minutes) in general. |
| maxRetries | Maximum number of retries for the scan after a failure. |
| cliVersion | Version of the CLI to use for AST. Defaults to the latest stable release. |