Integrating Invicti Enterprise with Azure Boards
Microsoft Azure is a collection of cloud-based services designed to help businesses build, deploy, and manage web applications. One component service is Azure Boards, an issue-tracking system that enables teams to track work, issues, and code efficiently.
Invicti Enterprise provides built-in support for automatically creating, resolving, and reactivating Azure Boards issues based on scan results. It utilizes user-defined statuses in Azure Boards to determine when issues should be marked as resolved or reopened. Our other Integrations can be viewed in the linked document.
This document explains how to integrate Invicti Enterprise with Azure Boards.
Integrate with Azure Boards
There are two steps to integrate Invicti Enterprise with Azure Boards:
- Step 1: Integrate Invicti Enterprise with Azure Boards
- Step 2: Register webhook for bi-directional integration (optional)
Step 1: Integrate Invicti Enterprise with Azure Boards
- Select Integrations > New Integration from the left-side menu.
- From the Issue Tracking Systems section, select Azure Boards.
- In the Name field, enter a name for the integration.
- In the Mandatory section, complete the connection details:
- Project URI - Azure Boards project web address.
- Username - the name of the user. If you are using a personal access token (see below), leave this field blank.
- Password or Access Token - the password or the access token for the user. If the password is entered, you need to provide the username too. To generate an access token navigate to Azure DevOps Services, and select Security on your Profile context menu, then Personal Access Tokens. Since March 2, 2020, Azure DevOps supports only Access Token.
- Work Item Type Name - the type of work item (bug, task).
- Title Format - the string format that is used to create the vulnerability title.
- In the Optional section, you can specify:
- Domain - the domain of the user.
- Assigned To - the user to whom the issue is assigned.
- Tags - the work item tags, separated by a semicolon (;).
- Reopen Status - the status of reopened issues or tickets. Reopen statuses vary according to the project type. Write the correct values for your project type. This field is mandatory for the webhook connection.
- Resolved Status - the status name of resolved issues or tickets. Resolved Statuses vary according to the project type. Write the correct values for your project type, as explained in Azure Boards State Categories. This field is mandatory for the webhook connection.
- In the Custom Fields section, specify:
- Name - name of the new custom field identifier.
- Value - value of the new custom field.
- Input type - select from dropdown (Text, Password, Textarea, File upload, Complex).
- Select Create Sample Issue to confirm that Invicti Enterprise can connect to the configured system. A confirmation message is displayed to confirm that the sample issue has been successfully created. In the confirmation message, select the Issue number link to open the issue in your browser.
- Click Save to finish the integration.
TIP: Looking for your personal access token in Azure Boards? Refer to Use personal access tokens. |
Step 2: Register webhook for bi-directional integration (optional)
Invicti Enterprise supports webhooks for enhanced issue synchronization, allowing you to detect status changes in Azure Boards issues. After saving your integration settings, Invicti Enterprise generates a Webhook URL. Register it in your Azure Boards project and set your preferred Resolved and Reopen statuses to complete synchronization.
- Resolved in Azure Boards → Fixed (Unconfirmed) in Invicti Enterprise, triggering a retest scan.
- Reopen in Azure Boards → Revived in Invicti Enterprise automatically.
IMPORTANT: Before establishing the webhook, complete the following fields:
|
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Azure Boards integration, select Edit.
- In the Webhook URL field, select Copy to clipboard ().
- Enter your Azure project’s Reopen and Resolved statuses. They are case-sensitive. (You can copy these values from the State property.)
- In Azure Boards, select Project Settings from the menu, then select Service Hooks. On the page that opens, select New Service Hooks Subscription.
- From the opened modal page, select the Web Hooks option, then Next.
- From the Trigger window, select the Work item updated from the Trigger on this type of event dropdown. Next, from the Filters section, select the name of your project from the Area path dropdown.
- Paste the Webhook URL that you copied from Invicti Enterprise into the URL field on the Actions tab. And mark other areas as they appear in the screenshot. Complete the configuration with the Finish button.
- The Service hooks you have defined will appear in the list. You can edit them as you wish.
- In Azure Boards, go to the Boards > Work Items window, then click on the problem. From the State dropdown, select Done (or the Resolved option suitable for your project) and then Save.
- The Webhook is triggered, and Invicti Enterprise initiates a new Retest process.
- In Invicti Enterprise, from the main menu, select Issues > Waiting For Retest. The Issues window is displayed, showing the issues waiting to be rescanned. The scanning process will begin soon, depending on the availability of the scanning agents.
NOTE: If the problem is found again, the status will revert to what you have specified in the Reopen status. To make this happen, add your integrations in the ‘Integration Endpoint’ field of the Notification > Manage Notification > Scan Completed event. |
For more information, refer to the Managing Notifications document.
Manage Azure Boards integration
How to edit it
- Select Integrations > Manage Integration from the left-side menu.
- Next to the Azure Boards, select Edit.
- Make the necessary changes and click Save.
How to delete it
- Select Integrations > Manage Integration from the left-side menu.
- Next to the Azure Boards, select Delete.
- On the confirmation dialog, select Delete.
Export reported vulnerabilities to projects in Azure Boards
There are several ways to send issues to Azure Boards with Invicti Enterprise:
Automatic issue submission
- Once notifications have been configured, you can configure Invicti Enterprise to automatically send vulnerabilities to Azure Boards after scanning has been completed (refer to How to Configure a Notification to Report Vulnerabilities to an Issue Tracking System).
Send issues from the Issues page
To send one or more issues from the Issues page follow these steps:
- Navigate to Issues > All Issues from the left-side menu.
- Select one or more issues to send.
- Click Send To > Azure Boards.
Send issues from the Recent scans page
To send an issue from the Recent scans page follow these steps:
- Select Scans > Recent scans from the left-side menu.
- Next to the relevant scan, select Report and scroll to the Technical Report section.
- Select an issue from the list and view its details.
- Click Send To > Azure Boards
TIP: If the vulnerability has been submitted to Azure Boards, it will be accessible there. Duplicate submissions are not allowed. |
Prevent reopening issues in Azure Boards
When the option “Do not re-open issues marked as False Positive or Accepted Risk” is enabled and the vulnerabilities previously marked as False Positive or Accepted Risk are revived during scans, the system doesn’t reopen the issue in Azure Boards. This option is disabled by default.
How to enable the option
- Select Integrations > Manage Integrations from the left-side menu.
- Click Edit next to your Azure Boards integration.
- At the bottom of the Optional section, under Resolved Status enable the Do not re-open issues marked as False Positive or Accepted Risk checkbox.
- Click Save to close the settings.
NOTE: When reviewing the history of detected issues, a message will appear if the option is enabled: “The issue will not be reopened in the Issue Tracking System because it has been marked as either a False Positive or an Accepted Risk.” |
