Azure DevOps Pipelines & InsightAppSec

Automate Application Security Testing Within Your Build Pipeline

Application development moves at a blistering pace; releases that used to come out once or twice yearly now happen weekly, daily—even continuously. While modern web technologies and tools like continuous integration/continuous delivery (CI/CD) have helped accelerate the pace of development, these same forces also make it difficult for application scanners to crawl and test your modern apps.

Rapid7 InsightAppSec integrates with Azure DevOps Pipelines to empower development teams to autonomously test the integrity of their applications in runtime within their own CI/CD workflows. Using the extension within a pipeline gives security teams essential feedback regarding a web application’s security posture and risk status as part of existing processes; this way, your team can pass/fail builds and fix faster.

How It Works

The Azure DevOps extension utilizes the InsightAppSec RESTful API to dynamically retrieve applications, launch scans, monitor their progress, and generate reports based upon scan results. Leveraging this extension within Azure Pipelines will provide essential feedback regarding a web application’s security posture and vulnerability findings as an integrated CI/CD task.

This extension can be leveraged as both a Build and a Release task within Azure DevOps.

Key Capabilities

This extension is designed to:

• Launch new InsightAppSec scans during build or release
• Perform scan monitoring
• Provide reports of scan results
• Provide raw scan results
• Enforce scan gates based on vulnerability query filters

Scan Gating provides an automated way to fail tasks as part of a build, should scan results meet a defined vulnerability query. This stops certain identified risks from being promoted into production.