You can integrate your Acunetix Premium account with Azure DevOps Services for issue management and for CI/CD purposes. This article shows how to configure your Azure DevOps account and how to integrate with it in Acunetix Premium for CI/CD. If you want to know how to integrate with Azure DevOps services for issue management, read the article Step-by-step configuration with Azure DevOps services.
Integrating Acunetix with Azure DevOps services for continuous integration and deployment is a 2-step process:
Step 1: Prepare your Acunetix target information
- Log in to your Acunetix installation.
- Go to your list of targets and click on the target you wish to work with.
- Retrieve the target ID from the URL.
- Go to your Profile page and retrieve your API key.
Step 2: Configure Azure DevOps services to integrate with Acunetix
- Log in to your Azure DevOps services account.
- Go to your list of pipelines and click on the pipeline you wish to work with.
- Click on the Edit button to change your pipeline settings.
- Click on the + button on one of your Agent jobs.
- Select the Command line option, and click the Add button.
- Click on the new command line script; you can optionally give it a friendly name to reflect the task.
- Edit the Script field to read as follows:
curl -k -i --request POST --url https://online.acunetix.com/api/v1/scans --header "X-Auth: [API KEY]" --header "content-type: application/json" --data "{ \"profile_id\" : \"11111111-1111-1111-1111-111111111111\" , \"incremental\" : false , \"schedule\" : { \"disable\" : false , \"start_date\" : null , \"time_sensitive\" : false } , \"user_authorized_to_scan\" : \"yes\" , \"target_id\" : \"[Target ID]\" }"
- Replace the 3 highlighted fields:
- To set the correct X-Auth value, replace the
[API KEY]
text with the API key you retrieved in Step 1. - The suggested value for profile_id is
11111111-1111-1111-1111-111111111111
– this default value is for a Full Scan. If you wish to specify a different scan profile, you can set one of the following values:- For the online version of Acunetix:
- Full Scan: 11111111-1111-1111-1111-111111111111
- High Risk Vulnerabilities: 11111111-1111-1111-1111-111111111112
- SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
- Weak Passwords: 11111111-1111-1111-1111-111111111115
- Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
- Crawl Only: 11111111-1111-1111-1111-111111111117
- Malware Scan: 11111111-1111-1111-1111-111111111120
- Full Web and Network Scan: 11111111-1111-1111-1111-211111111111
- Network Scan: 11111111-1111-1111-1111-211111111112
- Network Scan (Safe Checks): 11111111-1111-1111-1111-211111111113
- Network Scan Quick: 11111111-1111-1111-1111-211111111114
- For the on-premises version of Acunetix:
- Full Scan: 11111111-1111-1111-1111-111111111111
- High Risk: 11111111-1111-1111-1111-111111111112
- SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
- Weak Passwords: 11111111-1111-1111-1111-111111111115
- Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
- Crawl Only: 11111111-1111-1111-1111-111111111117
- High / Medium Risk: 11111111-1111-1111-1111-111111111119
- Malware Scan: 11111111-1111-1111-1111-111111111120
- You can also use the scan profile ID of any custom scan profiles you may have created. You can retrieve the scan profile ID of custom scan profiles programmatically via the Acunetix API or by navigating to the custom scan profile, and checking the URL:
- For the online version of Acunetix:
- To set the correct target_id value, replace the
[Target ID]
text with the target id you retrieved in step 1.
- To set the correct X-Auth value, replace the
- Click on the Save & queue button, and in the drop-down menu again select Save & queue.
- In the Run pipeline window, click on the Save and run button.
- This will trigger a manual run of the pipeline, and therefore add an immediate scan request to Acunetix:
- All future pipeline runs will now also trigger a scan request to Acunetix.
Checking scan results
The Scans page lists all scans performed. By default, the most recently triggered scan will show at the top of the list.
- Click on the scan triggered by your Azure DevOps pipeline to go to the scan summary.
- The scan summary page gives you a birds-eye view of the vulnerability of your web application in the Scan Information tab.
- For a more detailed list of the issues that you need to work on, click on the Vulnerabilities tab. In this example, the first item listed is a directory traversal vulnerability.
Resolving vulnerabilities
In the list of vulnerabilities, click on the vulnerability you wish to investigate. This will provide more details about the vulnerability in question.
The important details of the vulnerability are listed in sections.
- The vulnerable URL and any vulnerable parameter passed to the URL
- The details of the payload sent to the URL to expose the vulnerability
- Where available, additional details that constitute proof of exploit
- A description of the vulnerability
- A summary of the possible ways an attacker can gain privileged access to the web application
- A generic description of the correct way to write source code to fix such vulnerabilities
If necessary, you can also expand the HTTP Request and HTTP Response sections. This will provide extra detail of the HTML exchange between the web application and the scanner, allowing a developer to view the result of the vulnerability when successfully exploited.
Stay secure
Keep in mind that performing a one-time scan on your target is not sufficient, even if your web application is in code freeze. As time goes by, new vulnerabilities are discovered, resulting in the need to remain vigilant.
In view of this, even if your web application is considered stable, you should still perform periodic scans outside your SDLC to ensure your web application, which was previously considered secure, has not become vulnerable to some newly discovered vulnerabilities.
One simple way to help you to keep your web applications safe is to set up a recurrent scan. Any vulnerabilities discovered during any of the scheduled scans will be notified via email for you to take action and remediate.
Get the latest content on web security
in your inbox each week.