- Table of contents
- Prerequisites
- Installation
- Contributing
You will need an Azure Devops instance. The following configurations are supported:
- Azure DevOps Online
- Hosted Azure DevOps on Premise
Additional prerequisites for each task are specified below in each task's section.
You can install the extensions from the Azure DevOps MarketPlace https://marketplace.visualstudio.com/items?itemName=capgemini-msft-uk.build-release-task
Writes release notes to a designated Wiki Page within Azure DevOps. Upon adding a task to your pipeline, the variables are preconfigured with suggested values. If you have a custom release notes field, you must supply the field name e.g. Custom.ReleaseNoteField. This field is optional.
You must supply:
- Organisation Name (Which you can get from the Url of Azure DevOps)
- Wiki Path (Can be a nested path if you wish)
- Wiki release Notes root path (Top Level Path)
- User Name (This is a friendly name of your choice and will be shown in the release notes
The rest of the fields are pre-populated to make the installation much easier.
Using this task, you can run a security scan on API using OWASP zap and publish results to the pipeline. Upon adding a task to your pipeline, few variables are preconfigured with suggested values. You must supply:
- Azure Subscription (Azure Resource Manager subscription for the deployment)
- Name of the resource group (The name of the resource group that contains the storage account)
- Location (Location for deploying the container)
- API Swagger endpoint url (API Swagger endpoint url to scan)
- Name of the storage account (The name of the Storage Account to be used by the OWASP container to store the results of the OWASP Scan)
- Name of the File Share (The name of the file share in the Storage Account where the results of the OWASP Scan will be stored)
- Name of the OWASP Image (OWASP Scan image. It should be 'owasp/zap2docker-weekly')
- Path to Option file (The path to option file which will be used to prepare request headers require for the API scan. The name of the file must be 'options.prop')
The rest of the fields are pre-populated to make the installation much easier.
In addition to the an Azure Devops instance, you will require the following pre-requisities listed below to use this task.
- Storage Account, File Share
-
Virtual Network and Subnet. Azure Container Instances enables deployment of container instances into an Azure virtual network. A Virtual Network is used to ensure that access to the Storage account that stores the results of OWASP Scan can be restricted. You can either use Service Endpoints enabled on the Subnet or use a Private Endpoint for the Storage account. Note that build agent will need to be able to connect to the storage account to retrieve the results of the OWASP API Scan.
-
Option File (options.prop) - You will need to provide an option file (options.prop) that contains API Header Request configurations. The example below shows what the contents of this file look like. These are the request header parameters that will be included in the API requests when the OWASP API scan is running. You should modify this file to include any additional headers (e.g. include an Authorization Request Header that contains a bearer token and one for an API Management Subscription Header key 'Ocp-Apim-Subscription-Key' if you are using the Azure API Management.) This is a mandatory file, which you can generate dynamically during the build stage as a artifact.
replacer.full_list(0).description=ContentTypeHeader
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Content-Type
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=application/json
replacer.full_list(1).description=AccceptHeader
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=Accept
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=application/json
Use the extension as a pipeline task in your azure devops yaml pipeline to run Security Scan on API's
You will also need to use PublishTestResults@2 task with this extension in order to publish test results after the scan is completed. Below is the example which shows how to use it in YAML pipeline.
- task: capgemini-uk-msft-owaspscan-extensions@0
inputs:
azureSubscription: '{azure connection name}'
ResourceGroupName: '{resource group name}'
Location: 'UK South'
VNet: 'aci-vnet'
Subnet: 'aci-subnet'
ApiEndpoint: 'https:{api base url}/swagger/v1/swagger.json'
StorageAccountName: '{storage account name}'
ShareName: 'owaspresults'
ImageName: 'owasp/zap2docker-weekly'
OptionFilePath: '$(System.ArtifactsDirectory)/drop/Options/options.prop'
- task: PublishTestResults@2
displayName: 'Publish Test Results **/Converted*.xml'
inputs:
testResultsFormat: NUnit
testResultsFiles: '**/Converted*.xml'
testRunTitle: 'OWASP API Tests'
searchFolder: '$(System.ArtifactsDirectory)'
You can read more about this extension and its usage on https://marketplace.visualstudio.com/items?itemName=capgemini-msft-uk.build-release-task
Upload whl files from a specified location to a Synapse workspace and apply it to all spark pools.
Allows you to enable and disable triggers before and after a release. Recommended by Microsoft.
Refer to the contributing guide.