Rapid7 InsightAppSec Extension
The Rapid7 InsightAppSec Extension for Azure DevOps allows application and security teams to embed Dynamic Application
Security Testing (DAST) into their build and release pipelines.
More information about InsightAppSec can be found here: https://www.rapid7.com/products/insightappsec/
Key Features
The extension is designed with the following features in mind:
- Launch a new InsightAppSec scan during build or release
- Perform scan monitoring
- Enforce scan gating based on vulnerability query filtering
- Provide a metrics report of scan results
- Provide raw scan results
GETTING STARTED
Installation
The following steps install the shared extension within an organization:
- From the Visual Studio Marketplace page, select Get it free
- Select the proper Azure DevOps organization, followed by Install
The Rapid7 InsightAppSec extension and task will now be available to add in build and release pipelines.
Configuration
The following steps configure the extension within a project's build or release pipeline. If a Service
Connection has already been configured for InsightAppSec, the Service Connection section can be skipped.
Service Connection
Before configuring the build or release pipeline, first generate an Insight platform API key. This API key is used to
authorize the Azure DevOps Extension to interact with the InsightAppSec API. Steps for creating an organization or user
API key can be found here.
Once an API key has been generated, a Service Connection in Azure DevOps used for connecting to the InsightAppSec API
can be configured:
- Navigate to the desired project in Azure DevOps
- Select Project Settings > Service Connections
- Select + New service connection
- Select Rapid7 InsightAppSec from the dropdown
- Enter the connection name, InsightAppSec region, and API key accordingly
- Save the connection and ensure it appears in the list of service connections for that project
Pipeline Configuration
After a Service Connection has been created, the InsightAppSec task can be added to build and release
pipelines. The steps below apply to either a build or a release pipeline:
- From within Azure DevOps, create or find the pipeline where the task will be added
- Edit the pipeline within scope
- Identify the agent used for running the task and select the + icon
- Search or scroll the list of tasks until you find Rapid7 InsightAppSec and select Add
- For the newly added task, enter all required parameters as desired (see the table below for details on parameters)
- Save your pipeline to keep the changes
| Field | Description | Required |
| --- | --- | --- |
| Display name | The name of the task as it will appear in the pipeline. | true |
| InsightAppSec Connection | A service connection that provides connection and authentication to the InsightAppSec API. Drop-down menu containing the connection configured in the previous step. | true |
| Application | A drop-down menu to select the InsightAppSec application that will be scanned. | true |
| Scan Configuration | A text field for the InsightAppSec scan configuration that will be used in the scan. | true |
| Wait for scan completion? | Determines whether the pipeline continues to the next step immediately after launching the scan, or waits for the scan to complete. | false |
| Scan Status Interval | How often (in minutes) the scan's status is checked and logged. Depends on Wait for scan completion being checked. | false |
| Generate findings report? | Generates a raw JSON report containing all findings from the completed scan. | false |
| Fail scan on timeout? | Determines whether the scan is cancelled and marked as failed if it reaches the timeout limit (value set in minutes). Depends on Wait for scan completion being checked. | false |
| Timeout | The timeout for scan completion (in minutes). Depends on Fail scan on timeout being checked. | false |
| Scan Gating | Determines whether the build fails if the provided query returns results. | false |
| Vulnerability Query | The query executed against the completed scan's findings to retrieve any matching vulnerabilities. Depends on Scan Gating being checked. | false |
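The table above lists several options that only take effect in combination (the timeout only matters when the task waits, and gating only runs against a completed scan). The following added example, which is not the extension's own code, models those dependencies in a small simulation; `poll_status` and `query_findings` are constructed stand-ins for the InsightAppSec API calls, and the key=value query matcher is not InsightAppSec's query syntax.

```python
# Added example (not the extension's own code): how the task's "Wait for scan
# completion", "Scan Status Interval", "Fail scan on timeout", "Timeout" and
# "Scan Gating" options interact. The status source and findings query are
# constructed stand-ins for the real InsightAppSec API calls.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class TaskOptions:
    wait_for_completion: bool = False
    status_interval_min: int = 5
    fail_on_timeout: bool = False
    timeout_min: int = 60
    scan_gating: bool = False
    vulnerability_query: str = ""

@dataclass
class TaskResult:
    outcome: str  # "launched", "complete", "timed_out" or "gated"
    elapsed_min: int
    log: List[str] = field(default_factory=list)

def run_task(opts: TaskOptions, poll_status: Callable[[int], str],
             query_findings: Callable[[str], List[Dict]]) -> TaskResult:
    log, elapsed = ["scan launched"], 0
    if not opts.wait_for_completion:  # fire-and-forget: pipeline moves on
        return TaskResult("launched", elapsed, log)
    while True:
        status = poll_status(elapsed)
        log.append(f"t={elapsed}m status={status}")
        if status == "COMPLETE":
            break
        # The timeout only applies when "Fail scan on timeout" is checked.
        if opts.fail_on_timeout and elapsed >= opts.timeout_min:
            log.append("timeout reached: scan cancelled, task failed")
            return TaskResult("timed_out", elapsed, log)
        elapsed += opts.status_interval_min  # stand-in for sleeping the interval
    if opts.scan_gating:  # gating only runs against a completed scan
        matches = query_findings(opts.vulnerability_query)
        if matches:
            log.append(f"gating query matched {len(matches)} finding(s): build failed")
            return TaskResult("gated", elapsed, log)
    return TaskResult("complete", elapsed, log)

# Constructed stand-ins: the scan completes after 15 minutes and the query
# is a plain key=value filter (not InsightAppSec's query syntax).
CONSTRUCTED_FINDINGS = [{"severity": "HIGH"}, {"severity": "LOW"}, {"severity": "HIGH"}]
def constructed_status(elapsed_min: int) -> str:
    return "COMPLETE" if elapsed_min >= 15 else "RUNNING"
def constructed_query(query: str) -> List[Dict]:
    key, _, value = query.partition("=")
    return [f for f in CONSTRUCTED_FINDINGS if f.get(key) == value]
```

With the defaults the task returns "launched" without ever evaluating the gate, which is why Scan Gating in a pipeline only has an effect when Wait for scan completion is also checked.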
DEVELOPMENT and CONTRIBUTIONS
If you would like to contribute to this project, it can be found on GitHub at https://github.com/rapid7/insightappsec-azure-devops-extension.
Contributions typically come in the form of filed bugs/issues or pull requests (PRs). Once approved and merged,
contributions will be included with tagged releases and published to the Visual Studio Marketplace.