Azure DevOps Integration

Azure Devops Integration Setup Guide for API Scanner

Overview

This guide walks you through integrating API Scanner with your Azure DevOps Pipeline to automatically scan APIs for security vulnerabilities during your build process.

What You Can Achieve

  1. Automated Security Scanning: Run security scans automatically during your Azure DevOps Pipeline builds
  2. Pipeline Control: Choose whether to block or continue builds based on scan results
  3. Continuous Monitoring: Automatically scan newly added APIs in your collection
  4. Real-time Results: Get immediate feedback on your API security posture

Before You Start

Make sure you have the following ready:

Required Setup

  1. Azure DevOps Pipeline Setup: You need a working Azure DevOps Pipeline setup.
  2. API Collection in GitHub: Your API collection file should be stored in a GitHub repository that gets updated with new APIs
  3. Existing API Scanner Collection: You must have the same API collection already set up in API Scanner with proper authentication configured
  4. Include refresh tokens if your authentication tokens have short expiry times
  5. Running API Scanner: The API Scanner server must be running during pipeline builds

Step-by-Step Integration Process

Step 1: Configure Integration Settings

 1.Access Integration Module

  1. Open API Scanner in your browser
  2. Navigate to the Integration section

 2.Select Azure DevOps Integration

  1. From the available integrations list, click on Azure DevOps.

 3.Fill in Connection Details

 4.Enter the following information:

FieldDescriptionExample
Integration TitleA descriptive name for this integration"Production API Security Scan"
User NameYour name or the integration creator's name"John Doe"
Host URLThe URL where API Scanner is hostedhttp://103.81.38.252:9090/ or http://localhost:9090/
Repository URLYour GitHub repository URL containing the API collectionhttps://github.com/yourorg/api-collections
Branch NameThe branch where your API collection is storedmain, develop, or hotfix
API Collection File NameThe exact filename of your API collectionHair Store API-06-09-2024.json

 5.Save Configuration

  1. Click the "Create Connection" button to save your settings

Step 2: Configure Pipeline Behavior

 1.Select Your Collection

  1. Choose the API collection you want to integrate with Azure DevOps Pipeline from the "Validate Collection" dropdown

 2.Choose Pipeline Action

  Decide how the pipeline should behave when vulnerabilities are found:

 Option A: Do Not Block Pipeline

  1. The security scan will run, but the pipeline will continue regardless of results
  2. Use this for monitoring purposes without interrupting deployments

 Option B: Block Pipeline

  1. The pipeline will stop if vulnerabilities meet your specified criteria
  2. Set vulnerability thresholds for different severity levels:
  3. Critical: Enter number of critical vulnerabilities that will block the pipeline
  4. High: Enter number of high-severity vulnerabilities that will block the pipeline
  5. Medium: Enter number of medium-severity vulnerabilities that will block the pipeline

 Example: Setting "Critical > 0" will block the pipeline if even 1 critical vulnerability is found.

 6.Generate Integration Script

  1. Click the "Generate Script" button
  2. Copy the generated script to your clipboard

Step 3: Add Script to Azure DevOps Pipeline

 1.Open Azure DevOps 

  1. Navigate to your project where the pipeline is set up.
  2. Click the project to open it.

 2.Update Pipeline Script

  1. Choose the existing pipeline to add the security scan stage.
  2. Click the "View" button to edit the existing pipeline.
  3. Add the pipeline script to the existing script.

 3.Save Changes

  1. Click "Save" to apply the pipeline updates.

Integration Complete!

Your Azure DevOps Pipeline is now configured to automatically scan your APIs for security vulnerabilities. Here's what happens next:

  1. Automatic Scanning: Every pipeline build will trigger an API security scan
  2. Real-time Feedback: You'll receive immediate results about any vulnerabilities found
  3. Controlled Deployment: Based on your settings, the pipeline will either continue or stop depending on scan results

Troubleshooting Tips

  1. API Scanner Not Running: Ensure the API Scanner server is active before starting any pipeline builds.
  2. Authentication Issues: Verify that your API collection in API Scanner has proper authentication setup.
  3. File Not Found: Double-check that the API collection filename exactly matches what's in your GitHub repository.
  4. Connection Problems: Confirm that the Host URL is accessible from your Azure DevOps Pipeline.

Need Help?

If you encounter any issues during setup, verify that all prerequisite requirements are met and that the API Scanner server is running and accessible from your Azure DevOps Pipeline environment.



Discard
Save
Draft
Edit Page New Page Revisions Page Settings

Previous Page

Left

Next Page

Right

On this page