Rapid7 InsightAppSec Extension
The Rapid7 InsightAppSec Extension for Azure DevOps allows application and security teams to embed Dynamic Application
Security Testing (DAST) into their build and release pipelines.
More information about InsightAppSec can be found here: https://www.rapid7.com/products/insightappsec/
The extension is designed with the following features in mind:
- Launch a new InsightAppSec scan during build or release
- Perform scan monitoring
- Enforce scan gating based on vulnerability query filtering
- Provide a metrics report of scan results
- Provide raw scan results
The following steps can be used to install the shared extension within an organization.
1. From the Visual Studio Marketplace page, select Get it free
2. Select the proper Azure DevOps organization followed by
3. The Rapid7 InsightAppSec extension and task will now be available to add in build and release pipelines.
The following steps can be used to configure the extension within a project's build or release pipeline. If a Service Connection has already been configured for InsightAppSec, the Service Connection section can be skipped.
Before configuring the build or release pipeline, first generate an Insight platform API key. This API key is used to
authorize the Azure DevOps Extension to interact with the InsightAppSec API. Steps for creating an organization or user
API key can be found here.
Once an API key has been generated, a Service Connection in Azure DevOps used for connecting to the InsightAppSec API can be configured:
1. Navigate to the desired project in Azure DevOps
2. Select Project Settings > Service Connections
3. Select + New service connection
4. Select Rapid7 InsightAppSec from the dropdown
5. Enter the connection name, endpoint URL, and API key accordingly
6. Save the connection and ensure it appears in the list of service connections for that project
After a Service Connection has been created, the InsightAppSec extension can be added to build and release pipelines. The steps below are generalized for adding the task to either a build or release pipeline:
1. From within Azure DevOps, create or find the pipeline where the task will be added
2. Edit the pipeline within scope
3. Identify the agent used for running the task and select the
4. Search or scroll the list of tasks until you find Rapid7 InsightAppSec and select
5. For the newly added task, enter all required parameters as desired (see below for details on parameters)
6. Save your pipeline to keep the changes
| Parameter | Description |
|---|---|
| | The name of the task as it will appear in the pipeline. |
| | A service connection that allows for connecting and authenticating to the InsightAppSec API. A drop-down menu listing the connection configured in the previous step. |
| | A drop-down menu to select the InsightAppSec application that will be scanned. |
| | A text field to enter the InsightAppSec scan configuration that will be used for the scan. |
| Wait for scan completion? | Option used to determine whether the pipeline continues to the next step immediately after launching the scan, or waits for the scan to complete. |
| Scan Status Interval | The frequency (in minutes) at which the scan's status is checked and logged. Dependent on the option Wait for scan completion being checked. |
| Generate findings report? | Option used to generate a raw JSON report containing all findings from a completed scan. |
| Fail scan on timeout? | Option used to determine whether the scan is cancelled and marked as failed if it reaches the timeout limit (value set in minutes). Dependent on Wait for scan completion being checked. |
| | The timeout for scan completion (in minutes). Dependent on the option Fail scan on timeout being checked. |
| Scan Gating | Option used to determine whether the build fails if the provided query returns results. |
| | The query executed against the completed scan's findings to retrieve any matching vulnerabilities. Dependent on the option Scan Gating being checked. |
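The following is an added illustration, not the extension's own code, of how the options above interact: the task only monitors when waiting for completion, the timeout only fails the scan when Fail scan on timeout is set, and the build only fails when the gating query returns results. The `poll_status` callback, the COMPLETE status name, the `field='VALUE' AND ...` query syntax and the sample findings are all assumptions standing in for the InsightAppSec API.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class GateOptions:
    """Mirrors the task options in the table above (default values are assumptions)."""
    wait_for_completion: bool = True
    status_interval_min: int = 1       # Scan Status Interval
    fail_on_timeout: bool = False      # Fail scan on timeout?
    timeout_min: Optional[int] = None  # scan timeout, only honoured with fail_on_timeout
    scan_gating: bool = False          # Scan Gating
    query: Optional[str] = None        # vulnerability query, only honoured with scan_gating

def monitor_scan(opts: GateOptions, poll_status: Callable[[], str],
                 sleep: Callable[[int], None] = lambda minutes: None) -> Optional[str]:
    """Return "COMPLETE" (assumed status name), "TIMEOUT", or None when not waiting."""
    if not opts.wait_for_completion:
        return None                    # launch only; the pipeline moves on immediately
    elapsed = 0
    while True:
        if poll_status() == "COMPLETE":
            return "COMPLETE"
        if opts.fail_on_timeout and opts.timeout_min is not None and elapsed >= opts.timeout_min:
            return "TIMEOUT"           # scan would be cancelled and marked failed
        sleep(opts.status_interval_min)
        elapsed += opts.status_interval_min

def finding_matches(query: str, finding: dict) -> bool:
    """Evaluate field='VALUE' terms joined by AND against a nested finding (assumed syntax)."""
    for term in query.split(" AND "):
        path, _, literal = term.partition("=")
        value = finding
        for key in path.strip().split("."):
            value = value.get(key) if isinstance(value, dict) else None
        if value != literal.strip().strip("'"):
            return False
    return True

def build_verdict(opts: GateOptions, status: Optional[str], findings: list) -> str:
    """Turn the monitoring result and the scan's findings into PASS or FAIL."""
    if status == "TIMEOUT":
        return "FAIL"
    if status == "COMPLETE" and opts.scan_gating and opts.query:
        if any(finding_matches(opts.query, f) for f in findings):
            return "FAIL"              # the gating query returned results
    return "PASS"                      # not waited for, or the gate was not triggered

# Constructed sample findings in the shape finding_matches expects (not real API output).
SAMPLE_FINDINGS = [{"vulnerability": {"severity": "HIGH", "module": "SQL Injection"}},
                   {"vulnerability": {"severity": "LOW", "module": "Cookie Flags"}}]
```

Without Fail scan on timeout set, a scan that never completes keeps the loop polling indefinitely, which is the behaviour the table describes.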
DEVELOPMENT and CONTRIBUTIONS
If you would like to contribute to this project, it can be found on GitHub at https://github.com/rapid7/insightappsec-azure-devops-extension.
Contributions typically come in the form of filed bugs/issues or pull requests (PRs). Once approved and merged,
contributions will be included with tagged releases and published to the Visual Studio Marketplace.