Installing and using the Visual Studio Team Services plugin for use with the Static Analyzer Client Utility

This task describes how to install and use the Visual Studio Team Services (VSTS) plugin to run static, dynamic, or mobile security scans from VSTS and Team Foundation Server (TFS) build projects.

Installing the VSTS/TFS plugin

Note: Visual Studio Team Services (VSTS) is now known as Azure DevOps. For consistency with user interface options, we continue to refer to it as VSTS here.
To use the VSTS/TFS plugin, you must first download the plugin from the VSTS marketplace and install it:
  1. In VSTS, go to Manage Extensions > Browse Marketplace.
  2. In the resulting window, search for HCL.
  3. Select and install the Application Security Testing for VSTS by HCL Technologies plugin.
Note: For TFS, download the plugin from the VSTS marketplace as instructed. Once done, go to Manage Extensions > Browse local extensions > Upload new extension and choose the downloaded extension to install.

Using the VSTS/TFS plugin

Adding a security test

To add a security test to a build process in VSTS/TFS:
  1. Choose one of the following:
    • For VSTS, choose Pipelines > Builds menu from your project home page.
    • For TFS, choose Build and Release > Builds.
  2. Edit the pipeline where you want to add the security test.
  3. On the Tasks tab, click + to add a task.
  4. Locate the plugin as installed (Application Security Testing by HCL Technologies), and click Add.
  5. In your build process, click the newly added Application Security Test task.
  6. Specify Task Settings
    1. Type in a string for the Display Name.

      This becomes the task name in the build process.

    2. Select the appropriate Credentials from the list.

      If the Credentials field is empty, see Adding a new service endpoint.

    3. Select an application from the Application list.

      The Application drop-down is populated based on the selected credentials.

    4. Optionally, type in a name for the scan in the Scan Name field.

      This will be the name of the scan in the service.

    5. Select a scan type from the Scan Type list:
      • Select Static Analyzer to run static analysis security testing.
        Table 1. Static Analyzer Scan Parameters
        Repository Subdirectory to Scan: Optionally, type in a value or select the value from the repository’s file browser dialog. By default, the service scans the entire repository. To limit the scan to a subdirectory, specify the relative path here.
      • Select Dynamic Analyzer to perform analysis of an application that runs in a browser.
        Table 2. Dynamic Analyzer Scan Parameters
        Starting URL: Enter the URL from which you want the scan to start exploring the site.

        If you select Additional Options, the following optional settings are available:

        Site Type: Indicate whether your site is a Staging site (under development) or a Production site (live and in use), or choose NA.
        Login User and Login Password: If the app requires login, enter valid user credentials.
        Third Credential: If your app requires a third credential, enter it in this field.
        Presence: If the app is not on the internet, enter the AppScan Presence Name. For information about creating an AppScan Presence, see Creating an AppScan Presence.
        Scan File: If you have an AppScan Standard scan file, enter the relative path and file name in this field. To learn more about AppScan Standard scan files, see Using AppScan Standard scans or templates.

        To learn more about dynamic analysis settings, see Scanning a web app.

      • Select Mobile Analyzer to run security analysis of an Android or iOS mobile application.
        Table 3. Mobile Analyzer Scan Parameters
        Application File: Enter the relative path and file name of the .apk or .ipa file that you want to scan.

        If you select Additional Options, the following optional settings are available:

        Login User and Login Password: If the app requires login, enter valid user credentials.
        Third Credential: If your app requires a third credential, enter it in this field.
        Presence: If the app is not on the internet, enter the AppScan Presence ID. For information about creating an AppScan Presence, see Creating an AppScan Presence.

        For more information about mobile analysis, see Scanning an Android mobile app and Scanning an iOS mobile app.

Advanced options

Advanced options are not required to use the VSTS/TFS plugin. To set advanced properties:

  1. Click Advanced to display additional options.
  2. Select the Email Notification checkbox to receive an email when the security analysis is complete. The email will be sent to the email address associated with the selected credentials.
  3. Select Fail Build Configuration to specify conditions that will cause the build to fail based on results of the security test:
    • Select For noncompliance with application policies to fail the build if any security issues are found that are out of compliance with the policies of the selected application.
    • Select When the following conditions are true to fail the build based on the specified number of non-compliant Total security issues, High severity security issues, Medium severity security issues, or Low severity security issues. If multiple thresholds are specified, they are logically OR'd together.
  4. Once a build completes, you can view or download the scan report from the Application Security Report tab on the Build Summary page.

    The Application Security report and the IRX generation logs are available as part of the Build logs and can be downloaded.
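The following Python model is an added illustration, not code from the HCL plugin or its documentation. It shows how the two Fail Build Configuration choices above decide a build's outcome: the policy option fails the build if any non-compliant issue exists, and the threshold option fails it if any one of the set severity thresholds is reached, because the thresholds are OR'd rather than AND'd. The issue counts are constructed, the class and function names are this example's own, and the comparison "count reaches the threshold" (count >= threshold) is an assumption, since the page does not state the exact comparison the plugin uses.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScanSummary:
    """Counts of NON-COMPLIANT issues by severity.

    The gate works on non-compliant issues only, so compliant findings are not
    counted here. Values used below are constructed for this example.
    """
    high: int
    medium: int
    low: int

    @property
    def total(self) -> int:
        return self.high + self.medium + self.low


@dataclass(frozen=True)
class FailBuildConfig:
    """Models the two options under Fail Build Configuration.

    fail_on_policy_noncompliance -> "For noncompliance with application policies".
    max_* thresholds             -> "When the following conditions are true";
                                    None means that threshold is not set.
    Assumption (not stated on the page): a set threshold fires when the count
    reaches it, i.e. count >= threshold.
    """
    fail_on_policy_noncompliance: bool = False
    max_total: Optional[int] = None
    max_high: Optional[int] = None
    max_medium: Optional[int] = None
    max_low: Optional[int] = None


def failing_conditions(summary: ScanSummary, cfg: FailBuildConfig) -> list[str]:
    """Return every gate condition that fires. An empty list means the build passes.

    Each set threshold is evaluated independently and the results are OR'd:
    one firing condition is enough to fail the build.
    """
    reasons: list[str] = []
    if cfg.fail_on_policy_noncompliance and summary.total > 0:
        reasons.append(f"{summary.total} non-compliant issue(s) violate application policies")

    thresholds = (
        ("total", summary.total, cfg.max_total),
        ("high", summary.high, cfg.max_high),
        ("medium", summary.medium, cfg.max_medium),
        ("low", summary.low, cfg.max_low),
    )
    for name, count, limit in thresholds:
        if limit is not None and count >= limit:
            reasons.append(f"{name}: {count} non-compliant issue(s) >= threshold {limit}")
    return reasons


def build_fails(summary: ScanSummary, cfg: FailBuildConfig) -> bool:
    """True when at least one gate condition fires (logical OR of all conditions)."""
    return bool(failing_conditions(summary, cfg))


# Constructed scan result: 2 high, 5 medium, 10 low non-compliant issues (total 17).
SAMPLE = ScanSummary(high=2, medium=5, low=10)

if __name__ == "__main__":
    # Thresholds on high (3) and medium (5): only the medium condition fires,
    # yet that is enough to fail the build.
    cfg = FailBuildConfig(max_high=3, max_medium=5)
    for reason in failing_conditions(SAMPLE, cfg):
        print("FAIL:", reason)
    # A total threshold of 20 alone lets this result through.
    print("passes with max_total=20:", not build_fails(SAMPLE, FailBuildConfig(max_total=20)))
```

Setting a threshold on only one severity leaves the others ungated, which is why the thresholds you leave unset matter as much as the ones you set when the gate is used to stop regressions.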

Adding a new service endpoint

If, in Task Settings, the Credentials field is empty, you must configure the service endpoint. To configure a service endpoint for using the VSTS/TFS plugin:

  1. At Task Settings, click Manage above the empty Credentials field.
  2. In the resulting window, click New Service Endpoint.
  3. Click Application Security Test from the list of endpoints.
  4. Fill in the details in the resulting dialog box and click OK:
    Table 4. Service Endpoint Properties
    Connection Name: A logical name for the connection.
    Server URL: https://appscan.ibmcloud.com or https://cloud.appsechcl.com
    KeyID and KeySecret: Acquire a KeyID and KeySecret at https://appscan.ibmcloud.com/api/ideclientuilogin