AppCheck -> Azure Devops Pipeline integration
What is a pipeline?
DevOps is a set of practices that combines software development and IT operations. It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.
One of the key tenets of DevOps is Continuous Integration (CI) together with Continuous Delivery (CD): closely coupled software engineering practices that let teams produce software in short cycles and release it faster and more frequently, by providing a straightforward and repeatable deployment process defined as a sequence of steps known collectively as a "pipeline".
How can pipelines help?
Azure Pipelines (part of Microsoft's Azure DevOps Services) is a cloud-hosted pipeline service that can build web, desktop and mobile applications and then deploy them to any cloud or on‑premises location.
Critically, in addition to basic steps such as build and deploy, other steps can be integrated into a pipeline, such as running an AppCheck vulnerability scan against the application once it has been deployed, so that a release can be held back if the scan reports serious findings.
How to integrate AppCheck with Azure Devops Pipeline
Install the extension
Go to https://marketplace.visualstudio.com/items?itemName=AppCheck-NG.appcheck-integration and click “Get it free”.
On the next page, click “Install” to install the extension for your organisation.
You should see a confirmation that the extension was installed and you can start using it in your DevOps Pipelines.
Add a new service connection
A service connection stores the details Azure DevOps needs to connect to an external service such as the AppCheck scanner, including the credentials used to authenticate. Service connections are added to individual projects.
To add a service connection, navigate to your Azure DevOps project and click “Project settings” at the bottom-left corner.
Click on the “Service connections” menu item found under “Pipelines”.
Click on “New service connection” at the top-right corner. Select “Appcheck-NG” from the window that will appear and click “Next”.
On the next page, fill in the “API Token” field. The token can be requested from AppCheck Support; mention to them that it will be used from Azure DevOps Pipelines so they know to allow-list the Azure IP ranges. Treat the token as a secret: it authenticates as your company to the AppCheck scanner, so enter it only in the service connection (which stores it as a secret) rather than in pipeline definitions or variables, and use the connection's security settings to limit which users and pipelines may use or edit it.
Also specify a “Service connection name”, which can be any string that helps you identify the service connection you have created. We recommend naming it after your company, as API tokens are issued on a per-company basis.
Click “Save” when done.
Integrate AppCheck into your pipeline
The “AppCheck Integration” extension will add two tasks that you can use in your pipelines:
1. Start an existing scan
2. Check the status of a running scan
To demonstrate how these can be integrated into an existing pipeline, we will create a new release pipeline.
Go back to your project page. Expand the “Pipelines” menu item and click on “Releases”.
On the following page, create a new release pipeline. The location of the button depends on whether you already have existing release pipelines. On the next page, create two stages: “Beta” and “Production”. Here is what the end result may look like:
Add a new agentless job to Beta. Add a task called “AppCheck: start a scan” to the job.
Once the task is added you will see the text that reads “Some settings need attention” under the task name. Click on the task and populate the following fields:
• AppCheck Service Connection: that will be the service connection you created earlier.
• Scan ID: the ID of the AppCheck scan that this task will start when the step executes. To find it, go to “https://scanner.appcheck-ng.com/”, open the configuration page of the desired scan, and copy the last 16 characters of the page URL, as shown in the screenshot below.
Here is an example of the end result:
Go back to the screen that shows the stages of your pipeline and click on the lightning icon displayed to the left of the word “Production” (stage name). The “Pre-deployment conditions” screen will appear.
Toggle the switch next to “Gates” (it may be at the bottom-right corner of the screenshot above).
Specify the “Delay before evaluation”. The pipeline waits this long before it first checks the status of the running scan. The maximum value is currently 48 hours; if your scan takes more than 48 hours to complete, we recommend that you set this value to 48 hours.
Next, click on the “Add” link to add and configure the task that will be checking the scan status. Select “AppCheck: Check Scan Status” in the drop-down.
In the task settings, specify the service connection and the Scan ID. They will have the same values as the ones you specified in the task that starts the scan. Also choose the appropriate failure condition in the “Failure condition” field; this determines when the results of a completed scan cause the gate, and therefore the deployment to Production, to fail.
Expand the “Evaluation options” section and review the fields there. Specifically, set “The timeout after which gates fail” to 15 days, so that the gate is not failed by the timeout while a long-running scan is still in progress. If your pipeline stage requires a manual approval, review the value of “Gates and approvals”.
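The three gate settings above (delay before evaluation, re-evaluation interval, and the timeout after which the gate fails) interact with the scan's own duration and with the failure condition. The following Python model, added here as an example and not code from the AppCheck extension or from Azure DevOps, polls a scan status function with a fake clock the way a release gate would, and shows why the timeout must exceed the scan duration. The status shape, the "fail at or above a severity" failure condition, and the sample findings and URL are assumptions constructed for the example; the "last 16 characters of the URL" rule for the Scan ID is the one given in this tutorial.

```python
"""Model of an AppCheck release gate: scan-status polling plus a failure condition.

Added example; not code from the AppCheck extension or Azure DevOps. Times are
in minutes and a fake clock is used so that it runs offline. The status shape
and the severity-threshold failure condition are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GateConfig:
    delay_before_evaluation: int    # minutes before the first status check
    reevaluation_interval: int      # minutes between status checks
    timeout: int                    # minutes after which the gate fails
    fail_at_or_above: str = "high"  # assumed failure condition (severity)


@dataclass
class GateResult:
    passed: bool
    reason: str
    elapsed_minutes: int
    checks: int


def scan_id_from_url(url: str) -> str:
    """Scan ID = last 16 characters of the scan configuration page URL (the rule
    given in the tutorial). Query strings, fragments and a trailing slash are
    stripped first so they cannot be mistaken for part of the ID."""
    path = url.strip().split("?", 1)[0].split("#", 1)[0].rstrip("/")
    scan_id = path[-16:]
    if len(scan_id) != 16:
        raise ValueError(f"URL too short to contain a 16-character scan ID: {url!r}")
    return scan_id


def blocking_findings(findings: List[Dict], threshold: str) -> List[Dict]:
    """Findings whose severity meets or exceeds the failure threshold.
    An unrecognised severity is treated as blocking (fail closed)."""
    limit = SEVERITY_ORDER[threshold.lower()]
    return [f for f in findings
            if SEVERITY_ORDER.get(str(f.get("severity", "")).lower(), limit) >= limit]


def evaluate_gate(cfg: GateConfig, scan_status_at: Callable[[int], Dict]) -> GateResult:
    """Poll scan_status_at(elapsed_minutes) the way a release gate would.

    Modelling assumption: the timeout counts from the start of the gate,
    including the initial delay. The gate passes only when the scan has
    completed with no blocking findings; a scan still running at the timeout
    fails the gate, as does a scan that errored.
    """
    elapsed = cfg.delay_before_evaluation
    checks = 0
    while elapsed <= cfg.timeout:
        status = scan_status_at(elapsed)
        checks += 1
        state = status.get("state")
        if state == "complete":
            bad = blocking_findings(status.get("findings", []), cfg.fail_at_or_above)
            if bad:
                names = ", ".join(f["title"] for f in bad)
                return GateResult(False, f"{len(bad)} finding(s) at or above "
                                         f"{cfg.fail_at_or_above}: {names}", elapsed, checks)
            return GateResult(True, "scan complete, no blocking findings", elapsed, checks)
        if state == "failed":
            return GateResult(False, "scan errored; refusing to release an unverified build",
                              elapsed, checks)
        elapsed += cfg.reevaluation_interval
    return GateResult(False, f"timed out after {cfg.timeout} minutes with the scan still running",
                      cfg.timeout, checks)


def scan_finishing_at(minutes: int, findings: List[Dict]) -> Callable[[int], Dict]:
    """Constructed scan: 'running' until `minutes` have elapsed, then 'complete'."""
    def status_at(elapsed: int) -> Dict:
        if elapsed < minutes:
            return {"state": "running", "findings": []}
        return {"state": "complete", "findings": findings}
    return status_at


# Constructed sample data for the scenarios below (not real scan output).
CLEAN_FINDINGS = [{"title": "Missing HSTS header", "severity": "low"}]
SAMPLE_FINDINGS = CLEAN_FINDINGS + [{"title": "Reflected XSS in search parameter",
                                     "severity": "high"}]

if __name__ == "__main__":
    cfg = GateConfig(delay_before_evaluation=60, reevaluation_interval=30, timeout=24 * 60)
    print(scan_id_from_url("https://scanner.appcheck-ng.com/scan/abcdef0123456789/"))  # constructed URL
    print(evaluate_gate(cfg, scan_finishing_at(180, CLEAN_FINDINGS)))    # passes
    print(evaluate_gate(cfg, scan_finishing_at(180, SAMPLE_FINDINGS)))   # fails on the XSS
    # A 30-hour scan against a 24-hour timeout: the gate fails while the scan is still running.
    print(evaluate_gate(cfg, scan_finishing_at(30 * 60, CLEAN_FINDINGS)))
```

The third scenario is the one the 15-day timeout recommendation guards against: with the timeout shorter than the scan, the gate fails on time alone and the Production deployment is blocked even though the scan would have come back clean. A delay longer than the scan, by contrast, only wastes time; the first check still sees the completed scan.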
You’re all set! Save your pipeline and click “Create release” to verify that you have configured it correctly.