AppCheck provides an extension in the VisualStudio Marketplace to integrate AppCheck into your Azure DevOps Pipeline.
Before you start setting up the integration you'll need to raise a ticket with AppCheck Technical Support to:
- Provide AppCheck with the source IP addresses(es) for your Azure DevOps servers so that they can be added to your account's API access allow-list.
- Request your AppCheck API Token.
There are three main steps to setting up the integration:
1. Install the extension
Go to https://marketplace.visualstudio.com/items?itemName=AppCheck-NG.appcheck-integration and click “Get it free”.
On the next page, click “Install “ to install the extension for your organisation.
You should see a confirmation that the extension was installed and you can start using it in your DevOps Pipelines.
2. Add a new service connection
A service connection is a form used for specifying how to connnect to an external service such as the AppCheck scanner. They are added to individual projects.
To add a service connection, navigate to your Azure DevOps project and click “Project settings” at the bottom-left corner.
Click on the “Service connections” menu item found under “Pipelines”.
Click on “New service connection” at the top-right corner. Select “Appcheck-NG” from the window that will appear and click “Next”.
On the next page, fill in the “API Token” field.
Specify “Service connection name” which can by any string that will help you identify the service connection you have created. We recommend naming it after your company as API tokens are issued on per-company basis.
Click “Save” when done.
3. Integrate AppCheck into your pipeline
The “AppCheck Integration” extension will add two tasks that you can use in your pipelines:
1. Start an existing scan
2. Check the status of a running scan
To demonstrate how these can be integrated into an existing pipeline, we will create a new release pipeline.
Go back to your project page. Expand the “Pipelines” menu item and click on “Releases”.
On the following page, create a new release pipeline. The location of the button depends on whether you already have existing release pipelines. On the next page, create two stages: “Beta” and “Production”. Here is what the end result may look like:
Add a new agentless job to Beta. Add a task called “AppCheck: start a scan” to the job.
Once the task is added you will see the text that reads “Some settings need attention” under the task name. Click on the task and populate the following fields:
• AppCheck Service Connection: that will be the service connection you created earlier.
• Scan ID. This will be the ID of the scan that you want the task to start. “AppCheck Scan ID” is the ID of the scan that will run when this build step executes. To find out what this ID is, go to “https://scanner.appcheck-ng.com/”, open the configuration page of the desired scan, and copy the last 16 characters of the page URL, as shown on the screenshot below.
Here is an example of the end result:
Go back to the screen that shows the stages of your pipeline and click on the lightning icon displayed to the left of the word “Production” (stage name). The “Pre-deployment conditions” screen will appear.
Toggle the switch next to “Gates” (can be at the botttom-right corner of the screenshot above).
Specify “the delay before evaluation”. The pipeline will start checking the status of the running scan after that amount of time. The maximum value is currently 48 hours. If your scan takes more than 48 hours to complete, we recommend that you set this value to 48 hours.
Next, click on the “Add” link to add and configure the task that will be checking the scan status. Select “AppCheck: Check Scan Status” in the drop-down.
In the task settings, specify the service connection and the Scan ID. They will have the same values as the ones that you have specified in the task that starts the scan. Also, choose the appropriate failure condition in the “Failure condition” field.
Expand the “Evaluation options” section and review the fields there. Specifically, set “The timeout after which gates fail” to 15 days. If your pipeline stage requires a manual approval, review the value of “Gates and approvals”.
You’re all set! Save your pipeline and click “Create release” to verify that you have configured it correctly.