
Azure DevOps

In this tutorial, you’ll learn how to:

  1. Integrate NightVision DAST scans into your CI/CD pipelines to automatically find exploitable vulnerabilities within minutes.
  2. Use NightVision’s API Extraction to scan the source code and locate the attack vector’s file and origin in the code.
  3. Create Azure Board Issues so developers can view the vulnerabilities directly in Azure DevOps.
The complete azure-pipelines.yaml used in this tutorial:

```yaml
## SETUP
## Run before activating pipeline
# nightvision target create javaspringvulny-api https://127.0.0.1:9000 --type api
# nightvision auth playwright create javaspringvulny-api https://127.0.0.1:9000
## Optional steps can be performed locally or in the pipeline
# nightvision swagger extract . javaspringvulny-api --lang spring
# nightvision scan javaspringvulny-api
trigger:
- main
pool:
  vmImage: 'ubuntu-latest'
variables:
  NIGHTVISION_TARGET: javaspringvulny-api
  NIGHTVISION_AUTH: javaspringvulny-api
  TARGET_URL: https://localhost:9000
stages:
- stage: Test
  jobs:
  - job: BuildAndTest
    steps:
    - checkout: self
      displayName: 'Clone Code'
    - script: wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz; sudo mv nightvision /usr/local/bin/
      displayName: 'Install NightVision'
    - script: nightvision swagger extract ./ -t $NIGHTVISION_TARGET --lang java
      displayName: 'Extract API Documentation from Code'
      env:
        NIGHTVISION_TOKEN: $(NIGHTVISION_TOKEN)
    - task: DockerCompose@1
      displayName: 'Start the app with Docker Compose'
      inputs:
        action: 'run services'
        detached: true
        buildImages: true
    - script: sleep 20; curl --retry 30 --retry-all-errors --retry-delay 1 --fail -k $TARGET_URL
      displayName: 'Wait for the app to start'
    - script: |
        nightvision scan $NIGHTVISION_TARGET --auth $NIGHTVISION_AUTH > scan-results.txt
        nightvision export sarif -s "$(head -n 1 scan-results.txt)" --swagger-file openapi-spec.yml
      displayName: 'Scan the API'
      env:
        NIGHTVISION_TOKEN: $(NIGHTVISION_TOKEN)
    - task: UsePythonVersion@0
      inputs:
        versionSpec: '3.11'
        addToPath: true
    - script: |
        python -m pip install --upgrade pip
        pip install sarif-manager
        sarif-manager azure create-work-items results.sarif \
          --write-logs \
          --org $(echo $(System.CollectionUri) | cut -d'/' -f4) \
          --project $(System.TeamProject) \
          --token $AZURE_DEVOPS_ACCESS_TOKEN
      displayName: 'Create Work Items in Azure DevOps'
      env:
        AZURE_DEVOPS_ACCESS_TOKEN: $(AZURE_DEVOPS_ACCESS_TOKEN)
```

Here’s what the results will look like:

Developers can see the exploitable vulnerability by navigating to the Azure pipeline. No noise!

NightVision explains how the vulnerability was exploited, why it matters, and where to fix it.


  1. Once you run your first Public Web App Scan or Public API Scan, this creates the App and Target objects needed for scanning.

  2. Create a NIGHTVISION_TOKEN secret by clicking the Generate API token button under your profile.

  3. Add an azure-pipelines.yaml pipeline file to any Azure DevOps repository.

The complete azure-pipelines.yaml is the one shown at the top of this page.
  4. To trigger this pipeline regularly for automatic scan coverage, add a schedule:

```yaml
trigger:
- main
schedules:
- cron: "0 0 * * *" # Adjust the cron expression as needed
  displayName: Daily midnight run
  branches:
    include:
    - main
```

Our optional Azure Boards integration converts the SARIF files produced by NightVision DAST scans into Azure Board Issues, similar to GitHub Security Alerts!

Three values are required to create Azure Board Issues from NightVision SARIF:

  • Locate your Azure DevOps Organization Name
  • Locate your Azure DevOps Project Name
  • Create an Azure DevOps Personal Access Token and save it in your Pipeline Variables.

To run the nightvision_azure_importer.py script, you need to specify the Azure DevOps organization, project, personal access token (PAT), and the path to the SARIF file containing the security findings. Here is how the pipeline step invokes it:

```yaml
- script: |
    python -m pip install --upgrade pip
    pip install sarif-manager
    sarif-manager azure create-work-items results.sarif \
      --write-logs \
      --org $(echo $(System.CollectionUri) | cut -d'/' -f4) \
      --project $(System.TeamProject) \
      --token $AZURE_DEVOPS_ACCESS_TOKEN
  displayName: 'Create Work Items in Azure DevOps'
  env:
    AZURE_DEVOPS_ACCESS_TOKEN: $(AZURE_DEVOPS_ACCESS_TOKEN)
```
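As an added example (not code from NightVision or from the sarif-manager project), here is what the work-item step above does in principle: parse a SARIF report, take each result's file and line, and build the JSON Patch body that the Azure DevOps Work Items REST API accepts when creating a work item. The SAMPLE_SARIF document is constructed by hand, and the field choices and the "Issue" work item type are assumptions for illustration. It also derives the organization name from System.CollectionUri in a way that covers the legacy `<org>.visualstudio.com` form, which the pipeline's `cut -d'/' -f4` does not.

```python
# Added example (not NightVision's or sarif-manager's own code): convert a
# NightVision SARIF report into Azure DevOps work-item payloads.
# Assumptions, all hypothetical: SAMPLE_SARIF is constructed by hand in the
# SARIF 2.1.0 shape; each payload is the JSON Patch body the Azure DevOps
# Work Items REST API takes when creating a work item.
import json
from urllib.parse import urlparse

# Constructed sample report (not real scanner output): one finding with a
# source location, one without.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "NightVision", "rules": [
            {"id": "sql-injection", "shortDescription": {"text": "SQL Injection"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Parameter 'q' of GET /search is injectable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/SearchController.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "missing-header", "level": "warning",
             "message": {"text": "X-Content-Type-Options header not set"},
             "locations": []},
        ],
    }],
})

# SARIF level -> Azure DevOps Priority (1 = highest, 4 = lowest)
PRIORITY = {"error": 1, "warning": 2, "note": 3, "none": 4}


def org_from_collection_uri(uri):
    """Derive the organization name from System.CollectionUri.

    The pipeline's `cut -d'/' -f4` only handles https://dev.azure.com/<org>/;
    this also accepts the legacy https://<org>.visualstudio.com/ form.
    """
    parsed = urlparse(uri)
    host = parsed.netloc.lower()
    if host.endswith(".visualstudio.com"):
        return host[: -len(".visualstudio.com")]
    segments = [s for s in parsed.path.split("/") if s]
    if host == "dev.azure.com" and segments:
        return segments[0]
    raise ValueError(f"unrecognized collection URI: {uri}")


def primary_location(result):
    """Return (file uri, start line) of the first physical location, else (None, None)."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if uri:
            return uri, phys.get("region", {}).get("startLine")
    return None, None


def sarif_to_work_items(sarif_text):
    """Build one JSON Patch document per SARIF result."""
    doc = json.loads(sarif_text)
    items = []
    for run in doc["runs"]:
        # Rule ids map to human-readable titles via the driver's rule metadata.
        titles = {r["id"]: r.get("shortDescription", {}).get("text", r["id"])
                  for r in run["tool"]["driver"].get("rules", [])}
        for result in run["results"]:
            rule = result["ruleId"]
            uri, line = primary_location(result)
            where = f"{uri}:{line}" if uri else "location not available"
            description = (f"<b>Location:</b> {where}<br>"
                           f"<b>Detail:</b> {result['message']['text']}")
            items.append([
                {"op": "add", "path": "/fields/System.Title",
                 "value": f"[NightVision] {titles.get(rule, rule)}"},
                {"op": "add", "path": "/fields/System.Description", "value": description},
                {"op": "add", "path": "/fields/Microsoft.VSTS.Common.Priority",
                 "value": PRIORITY.get(result.get("level", "warning"), 2)},
                {"op": "add", "path": "/fields/System.Tags", "value": f"NightVision; {rule}"},
            ])
    return items


def work_item_url(collection_uri, project, work_item_type="Issue"):
    """Endpoint the patch documents are POSTed to (Content-Type: application/json-patch+json)."""
    org = org_from_collection_uri(collection_uri)
    return (f"https://dev.azure.com/{org}/{project}/_apis/wit/workitems/"
            f"${work_item_type}?api-version=7.1")


if __name__ == "__main__":
    print(work_item_url("https://dev.azure.com/contoso/", "webshop"))
    for patch in sarif_to_work_items(SAMPLE_SARIF):
        print(json.dumps(patch, indent=2))
```

Running the block prints the endpoint and the two patch documents; an actual import would POST each document to that endpoint with the PAT from the pipeline variable as the basic-auth credential. Findings without a physical location (the second sample result) still get a work item, so nothing from the scan is silently dropped.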

  1. Click on Boards on the left side of the screen.
  2. This opens the Work Items page, showing a list of current vulnerabilities.
  3. If you click on the Boards button below Work Items on the left side of the screen, it shows the issues as a to-do board, including which ones are being remediated.
  4. Click on one of the vulnerabilities. You will see the same information about the vulnerability that is displayed on the NightVision platform. At the top of the Description section, you will also see the path of the file in which the vulnerability was found and the specific line of code it comes from. Clicking on the file path takes you to the origin of the code, as seen in the images below.

NightVision’s Work Items posted to Azure Boards provide direct links to the relevant lines of code.

NightVision’s Work Items posted to Azure Boards trace any findings back to the origin of the code.