Integrating Acunetix 360 with Azure DevOps
Microsoft Azure is a cloud computing service that offers Azure DevOps, an issue tracking system. Its purpose is to help businesses build, deploy and manage web applications. Part of this web application management includes the ability to track work, issues and code.
This topic explains how to configure Acunetix 360 to send a detected vulnerability to Azure DevOps (including using the wizard).
Acunetix 360 has out-of-the-box support for resolving and reactivating Azure DevOps issues according to the scan results, in addition to automatic issue creation. Acunetix 360 employs user provided Resolved and Reopened statuses in Azure DevOps for this purpose.
To enhance issue synchronization support, Acunetix 360 also offers webhook support. This enables you to detect any status changes in Azure DevOps issues opened by Acunetix 360.
- Acunetix 360 generates a Webhook URL after you save your integration settings. When you register this link as a webhook in your Azure DevOps project, and enter your preferred Resolved and Reopen statuses, you will complete Acunetix 360 issue synchronization for your integration.
- When you change your Azure DevOps issue’s status to your preferred Resolved status, the issue is automatically marked as Fixed (Unconfirmed) in Acunetix 360 and a retest scan is started. And, when you change your Azure DevOps issue’s status to your preferred Reopened status, your corresponding Acunetix 360 issue is automatically marked as revived.
For further information, see What Systems Does Acunetix 360 Integrate With?.
Azure DevOps Fields
This table lists and explains the Azure DevOps fields in the New Azure DevOps Integration window.
This is the name of the configuration that will be shown elsewhere.
This section contains fields that must be completed.
This is the Azure DevOps project web address.
This is the name of the user. If you are using a personal access token (see below), leave this field blank.
Password or Access Token
This is the password or the access token for the user. If the password is entered, you need to provide the username too. (You can generate an access token by navigating to Azure DevOps Services, and selecting Security on your Profile context menu, then Personal Access Tokens.)
This is the strong format that is used to create the vulnerability title.
This section contains optional fields.
This is the domain of the user.
Work Item Type Name
This is the type of the work item (bug, task).
This is the user to whom the issue is assigned.
These are the work item tags, separated by a semicolon (;).
This is the status of reopened issues or tickets.
Reopen statuses vary according to the project type. Please write the correct values for your project type.
This is the status name of resolved issues or tickets.
Resolved Statuses vary according to the project type. Please write the correct values for your project type (see Azure DevOps State Categories).
This section contains user-defined custom fields.
New Custom Field
Click to create a new custom field.
Enter a name for the new custom field identifier.
Enter a value for the new custom field.
Click the dropdown to change the input type. The options are:
Create Sample Issue
Once all relevant fields have been configured, click to create a sample issue.
How to Integrate Acunetix 360 with Azure DevOps
- Log in to Acunetix 360.
- From the main menu, click Integrations, then New Integration.
- From the Issue Tracking Systems section, click Azure DevOps.
- In the Name field, enter a name for the integration.
- In the Mandatory section, complete the connection details:
- Project URI
- Password or Access Token
- Title Format
- Open Azure DevOps.
- From the upper right menu, click the user icon, and then click Personal access tokens. The current Personal Access Tokens are displayed. (Or you can create a new Personal Access Token by clicking New Token.)
- Copy the Token value from Azure DevOps (you will need it in the next step).
- In Acunetix 360, paste it into the Password or Access Token field.
- Click Create Sample Issue to confirm that Acunetix 360 can connect to the configured system. A confirmation message is displayed to confirm that the sample issue has been successfully created.
- In the confirmation message, click the Issue number link to open the issue in your default browser.
- If the Azure DevOps integration is not configured correctly, Acunetix 360 will correctly route the following descriptive error messages to you. Sample error messages may be displayed as illustrated:
- If any information is entered incorrectly
How to Export Reported Vulnerabilities to Projects in Azure DevOps
There are several ways to send issues to Azure DevOps with Acunetix 360:
- Once notifications have been configured, you can configure Acunetix 360 to automatically send vulnerabilities to Azure DevOps after scanning has been completed (see How to Configure a Notification to Report Vulnerabilities to an Issue Tracking System).
- You can send one or more issues from the Issues window:
- You must have Manage Issue permission.
- From the main menu, select Issues, then All Issues. The Issues window is displayed.
- Select one or more issues you want to send.
- Click Send To, then Azure DevOps
- A popup is displayed, with a link to the issue you have sent to Azure DevOps. If there is an error, this information will be displayed instead.
- You can also send an issue from the Recent Scans window:
- From the main menu, click Scans, the Recent Scans.
- Next to the relevant scan, click Report. The report is displayed.
- Scroll down to the Technical Report section.
- From the list of detected vulnerabilities, click to select an issue and display its details.
- Click Send To, then Azure DevOps
- If you have previously submitted this vulnerability to Azure DevOps, it will already be accessible. You cannot submit the same issue twice.
- If you view opened Work Items in Azure DevOps, they look like this.
- Work Items' details in Azure DevOps look like this.
How to Register an Acunetix 360 Azure DevOps Integration Webhook
- From the main menu, click Integrations, then Manage Integrations. The Integrations window is displayed.
- Next to the relevant Azure DevOps integration, click Edit. The Update Azure DevOps Integration window is displayed.
- Enter your Azure project’s Reopen and Resolved statuses. They are case sensitive. (You can copy these values from the State property.)
- In the Webhook URL field, click Copy to clipboard ().
- Open Azure DevOps.
- Click Project Settings from the menu, then click Service Hooks. In the page that opens, click New Service Hooks Subscription.
- From the opened modal page, select the Web Hooks option and click Next.
- In the next step, accurately identify the information requested from you, so that it is compatible with the Acunetix 360 side.
- Paste the Webhook URL that you copied from Acunetix 360 into the URL field on the Actions tab. And mark other areas as they appear in the screenshot. Then, you can end the configuration with the Finish button.
- The Service hooks you have defined will appear in the list. You can edit them as you wish.
- In Azure DevOps, go to the Boards > Work Items window, then click on the problem. From the State dropdown, select Done (or the Resolved option suitable for your project) and click Save.
- The Webhook is triggered, and Acunetix 360 initiates a new Retest process.
- In Acunetix 360, from the main menu, click Scans, then Waiting For Retest. The Issues window is displayed, showing the issues waiting to be rescanned. The scanning process will begin soon, depending on the availability of the scanning agents.
If the problem is found again, the status will revert to what you have specified in the Reopen status. To make this happen, please add your integrations in the ‘Integration Endpoint’ field of the Notification > Manage Notification > Scan Completed event.
For further information, see Managing Notifications.