Integrating Invicti Enterprise with Azure Boards
Microsoft Azure is a cloud computing service that offers Azure Boards, an issue tracking system. Its purpose is to help businesses build, deploy, and manage web applications. Part of this web application management includes the ability to track work, issues, and code.
Invicti Enterprise has out-of-the-box support for resolving and reactivating Azure Boards issues according to the scan results, in addition to automatic issue creation. Invicti Enterprise uses user-provided resolved and reopened statuses in Azure Boards for this purpose.
To enhance issue synchronization support, Invicti Enterprise also offers webhook support. This enables you to detect any status changes in Azure Boards issues opened by Invicti Enterprise.
- Invicti Enterprise generates a Webhook URL after you save your integration settings. When you register this link as a webhook in your Azure Boards Project, and enter your preferred resolved and reopen statuses, you will complete Invicti Enterprise issue synchronization for your integration.
- When you change your Azure Boards issue’s status to your preferred Resolved status, the issue is automatically marked as Fixed (Unconfirmed) in Invicti Enterprise and a retest scan is started. And, when you change your Azure Boards issue’s status to your preferred Reopened status, your corresponding Invicti Enterprise issue is automatically marked as revived.
For further information, see What Systems Does Invicti Integrate With?.
This topic explains how to configure Invicti Enterprise to send a detected vulnerability to Azure Boards.
Azure Boards Fields
This table lists and explains the Azure Boards fields in the New Azure Boards Integration window.
Button/Section/Field |
Description |
Name |
This is the name of the configuration that will be shown elsewhere. |
Mandatory |
This section contains fields that must be completed. |
Project URI |
This is the Azure Boards project web address. |
Username |
This is the name of the user. If you are using a personal access token (see below), leave this field blank. |
Password or |
This is the password or the access token for the user. If the password is entered, you need to provide the username too. (You can generate an access token by navigating to Azure DevOps Services, and selecting Security on your Profile context menu, then Personal Access Tokens.)
|
Work Item |
This is the type of work item (bug, task). |
Title Format |
This is the strong format that is used to create the vulnerability title. |
Optional |
This section contains options fields. |
Domain |
This is the domain of the user. |
Assigned To |
This is the user to whom the issue is assigned. |
Tags |
These are the work item tags, separated by a semicolon (;). |
Reopen Status |
Reopen Statuses vary according to the project type. Please write the correct values for your project type. This is the status of the reopened issues or tickets. This field is mandatory for the webhook connection. |
Resolved Status |
Resolved Statuses vary according to the project type. Please write the correct values for your project type (This is the status name of the resolved issues or tickets. see Azure Boards State Categories). This field is mandatory for the webhook connection. |
Custom Fields |
This section contains user-defined custom fields. |
New Custom Field |
Select to create a new custom field. |
Name |
Enter a name for the new custom field identifier. |
Value |
Enter a value for the new custom field. |
Drop-down |
Select the drop-down to change the input type. The options are:
|
Create Sample Issue |
Once all relevant fields have been configured, select to create a sample issue. |
How to Integrate Invicti Enterprise with Azure Boards
- Log in to Invicti Enterprise.
- From the main menu, go to Integrations > New Integration.
- From the Issue Tracking Systems section, select Azure Boards.
- In the Name field, enter a name for the integration.
- In the Mandatory section, complete the connection details:
- Project URI
- Username
- Password or Access Token
- Work Item Type Name
- Title Format
- In the Optional section, you can specify:
- Domain
- Assigned To
- Tags
- Reopen Status
- Resolved Status
- Custom Fields
- Select Create Sample Issue to confirm that Invicti Enterprise can connect to the configured system. A confirmation message is displayed to confirm that the sample issue has been successfully created.
- In the confirmation message, select the Issue number link to open the issue in your default browser.
- Select Save to save the integration.
Looking for your personal access token in Azure Boards? See Use personal access tokens.
How to Edit the Azure Boards Integration
- Log in to Invicti Enterprise.
- From the main menu, select Integrations > Manage Integration.
- Next to the Azure Boards, select Edit.
- Make the necessary changes and select Save.
How to Delete the Azure Boards Integration
- Log in to Invicti Enterprise.
- From the main menu, select Integrations > Manage Integration.
- Next to the Azure Boards, select Delete.
- On the confirmation dialog, select Delete.
How to Export Reported Vulnerabilities to Projects in Azure Boards
There are several ways to send issues to Azure Boards with Invicti Enterprise:
- Once notifications have been configured, you can configure Invicti Enterprise to automatically send vulnerabilities to Azure Boards after scanning has been completed (see How to Configure a Notification to Report Vulnerabilities to an Issue Tracking System).
- You can send one or more issues from the Issues window:
- From the main menu, select Issues > All Issues.
- From the Issues window, select one or more issues you want to send.
- Select Send To > Azure Boards.
A pop-up is displayed, with a link to the issue you have sent to Azure Boards. If there is an error, this information will be displayed instead.
- You can also send an issue from the Recent Scans window:
- From the main menu, select Scans > Recent Scans.
- Next to the relevant scan, select Report.
- Scrolls down to the Technical Report section.
- From the list of detected vulnerabilities, select an issue and display its details.
- Select Send To > Azure Boards.
If you have previously submitted this vulnerability to Azure Boards, it will already be accessible. You cannot submit the same issue twice.
How to Register an Invicti Enterprise Azure Boards Integration Webhook
Before establishing the webhook, complete the following fields:
To the Reopen status, enter To Do.
To the Resolved status, enter Done.
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Azure Boards integration, select Edit.
- In the Webhook URL field, select Copy to clipboard ().
- Enter your Azure project’s Reopen and Resolved statuses. They are case-sensitive. (You can copy these values from the State property.)
- Open Azure Boards.
- Select Project Settings from the menu, then select Service hooks. On the page that opens, select New Service Hooks Subscription.
- From the opened modal page, select the Web Hooks option, then Next.
- From the Trigger window, select Work item updated from the Trigger on this type of event drop-down. Next, from the Filters section, select the name of your project from the Area path drop-down.
- Paste the Webhook URL that you copied by Invicti Enterprise into the URL field on the Actions tab. And mark other areas as they appear in the screenshot. Then, you can end the configuration with the Finish button.
- The Service hooks you have defined will appear in the list. Then you can edit it as you wish.
- In Azure Boards, go to the Boards> Work Items window, then select the problem. From the State drop-down, select Done (or the Resolved option suitable for your project) and then Save.
- The Webhook is triggered, and Invicti Enterprise initiates a new Retest process.
- In Invicti Enterprise, from the main menu, select Issues > Waiting For Retest. The Issues window is displayed, showing the issues waiting to be rescanned. The scanning process will begin soon, depending on the availability of the scanning agents.
If the problem is found again, the status will be withdrawn to the value you have specified in the Reopen status. However, for this to happen, please add your integrations in the ‘Integration Endpoint’ field of the Notification > Manage Notification > Scan Completed event.
For further information, see Managing Notifications.