Adding a DAST Automated assessment task
You can add the FoD DAST Automated assessment task to your pipeline using the classic editor or YAML editor in Azure DevOps. The following instructions describe how to add a DAST Automated assessment to a build pipeline through the YAML editor.
You can use the classic editor or YAML editor to define build pipelines; use the classic editor to define release pipelines.
To add a DAST Automated assessment task:
- In an Azure DevOps project, navigate to your existing build pipeline.
- Click Edit.
- Select FoD DAST Automated from the list.
  The DAST Automated assessment task settings appear.
- Complete the following fields:
- Fortify Connection: select an existing service connection or click +New to add a new service connection. For more information, see Adding Fortify on Demand Credentials in Azure DevOps.
In the Application/Release Options section, select the method of identifying the release from the Pick a Release list:
- Release ID
- New Application and Release
Follow the procedure for the selected method:
- Release ID: in the Release ID field, specify the release ID. The release must have saved scan settings in the portal in order for the release ID to be used as a token.
- New Application and Release: complete the following fields to create an application and/or release:
  - Application Name: specify the application name. If a unique value is provided, an application will be created. If you are working with an existing application, updates to application settings will be applied where applicable.
  - Business Criticality: select the business criticality.
  - Application Attributes: specify required and optional application attributes as <attributeName1>: <attributeValue1>; <attributeName2>: <attributeValue2>; ...
  - Application Type (not applicable to existing applications): select the application type.
  - Microservice Application (not applicable to existing applications): select the check box to scan the application as a microservice application. The microservice feature must be enabled for the tenant.
  - Microservice Name: if the application consists of microservices, specify the microservice name. If a unique value is provided, a microservice will be created. An application can have a maximum of 10 microservices.
  - Release Name: specify the release name. A unique value must be provided.
  - SDLC Status: select the SDLC status.
  - Owner ID: specify the owner ID.
In the Entitlement Options section, complete the following fields:
- AssessmentType Id: specify the DAST Automated assessment type ID.
- Entitlement ID: specify the entitlement ID that the assessment will use.
- Entitlement Frequency: specify the entitlement frequency: Single Scan or Subscription. Note that microservice applications are restricted to subscriptions.
In the Scan Options section, complete the following fields:
- Choose Scan Settings Source: select how scan settings are specified:
  - Create/Override Existing Scan Settings if any (required if you are creating a release). Updates to scan settings are retained for subsequent scans.
  - Use Existing Saved Scan Settings
- Scan Type: select the dynamic scan type:
  - Website: this scan is similar to a Dynamic Website scan.
  - Workflow Driven: this scan is similar to a Dynamic Website scan that utilizes a workflow macro.
  - API: this scan is similar to a Dynamic API scan.
If you selected Create/Override Existing Scan Settings if any, complete the following fields. Otherwise, skip to the next step. Fields are not described in the order of presentation in the UI.
- Environment Facing (all scan types): select whether the site is internal or external.
- Time Zone (all scan types): select your location's time zone, which is used to schedule the scan's start time.
- Request False Positive Removal (optional; all scan types): select the check box to request false positive removal by the testing team once per application. Login macro generation and false positive removal are an optional service that is available once per application and consumes 1 additional assessment unit. If you want to request both login macro generation and false positive removal, you must select both options together; once a scan that includes either option has completed, both options will be disabled for subsequent scans.
- API Type (API scan type): select the API definition type: Postman, OpenApi, Graph QL, GRPC. OpenAPI Specification versions 2.0 and 3.0 are supported. Perform the relevant task based on your API definition type:
  - Postman: specify the file ID of the uploaded file in the Postman Collection field.
  - OpenAPI: select File or URL to the OpenAPI specification and perform the relevant task based on your selection.
    - File: specify the file ID of the uploaded file in the OpenApi Json File field. If the API requires authentication, provide the API key value in the API Key field. The supported security scheme is API key. Multiple API keys in requests are not supported.
    - URL to the OpenAPI specification: specify the OpenAPI document URL in the OpenApi Url field. If the API requires authentication, provide the API key value in the API Key field. The supported security scheme is API key. Multiple API keys in requests are not supported.
  - GraphQL: select File or URL and perform the relevant task based on your selection. The GraphQL API must have introspection enabled to download the schema contents for the scan.
    - File: specify the file ID of the uploaded file in the GraphQL Json File field. Select the API scheme in the API Scheme Type field: HTTP, HTTPS, HTTP and HTTPS. Specify the URL or hostname in the API Host field. Specify the directory path for the API service in the API Service Path field.
    - URL: provide the GraphQL introspection endpoint URL in the GraphQL Url field. Select the API scheme in the API Scheme Type field: HTTP, HTTPS, HTTP and HTTPS. Specify the URL or hostname in the API Host field. Specify the directory path for the API service in the API Service Path field.
  - gRPC: specify the file ID of the uploaded file in the GRPC Proto File field. Select the API scheme in the Scheme Type field: HTTP, HTTPS, HTTP and HTTPS. Specify the URL or hostname in the API Host field. Specify the directory path for the API service in the API Service Path field.
- Dynamic Site URL (Website scan type): provide your site's URL.
- Scope (Website scan type): select one of the following options:
  - Scan entire host (<URL>) (default): the entire host will be scanned. Example: given https://foo.com/home, the following URLs will be included:
    - https://foo.com/
    - https://foo.com/contact-us.html
    - https://foo.com/folder/
    - https://foo.com/folder/folder2/page.aspx
    - https://foo.com/home/folder/
    - https://foo.com/home/index.html
  - Restrict scan to a URL or sub folder: only the directory denoted by the last slash in the URL and its subdirectories will be scanned. If you select this option, make sure the last slash denotes the directory to which you want the scan to be restricted. Example: given https://foo.com/home/, the following URLs will be excluded:
    - https://foo.com/
    - https://foo.com/folder/
    - https://foo.com/contact-us.html
    - https://foo.com/folder/folder2/page.aspx
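To make the two Scope options concrete, the following is an added Python example (not code from the FoD extension or from this page) that decides whether a crawled URL falls inside the selected scope and outside the Exclude URLs list described further down. It assumes that scheme and host must match the Dynamic Site URL, which the page does not state explicitly, and it reproduces the page's caveat that a Dynamic Site URL without a trailing slash restricts the scan to the whole host.

```python
from urllib.parse import urlsplit


def scope_prefix(site_url: str, restrict_to_folder: bool) -> str:
    """Return the URL prefix the sensor may crawl for the chosen Scope option.

    restrict_to_folder=False models "Scan entire host".
    restrict_to_folder=True models "Restrict scan to a URL or sub folder": only
    the directory denoted by the last slash in site_url, plus its subdirectories.
    """
    parts = urlsplit(site_url)
    # Assumption: scheme and host are compared case-insensitively and must match.
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if not restrict_to_folder:
        return origin + "/"
    path = parts.path or "/"
    # Keep everything up to and including the last slash. A URL with no trailing
    # slash (e.g. https://foo.com/home) therefore restricts to "/" = the whole host,
    # which is exactly the pitfall the documentation warns about.
    return origin + path[: path.rfind("/") + 1]


def parse_exclude_urls(field: str) -> list[str]:
    """Parse the Exclude URLs field (<Url1>; <Url2>; ...) into lowercase fragments."""
    return [s.strip().lower() for s in field.split(";") if s.strip()]


def in_scope(candidate: str, site_url: str, restrict_to_folder: bool,
             exclude_urls: str = "") -> bool:
    """True if candidate is inside the scope prefix and matches no exclusion."""
    cand = urlsplit(candidate)
    normalized = f"{cand.scheme.lower()}://{cand.netloc.lower()}{cand.path or '/'}"
    if not normalized.startswith(scope_prefix(site_url, restrict_to_folder)):
        return False
    # Exclude URLs matches full or partial URLs and is not case-sensitive.
    lowered = candidate.lower()
    return not any(fragment in lowered for fragment in parse_exclude_urls(exclude_urls))


if __name__ == "__main__":
    # Constructed sample: the page's own example URLs under the restricted scope.
    for url in ("https://foo.com/", "https://foo.com/contact-us.html",
                "https://foo.com/home/index.html", "https://foo.com/home/Logout.aspx"):
        print(url, in_scope(url, "https://foo.com/home/", True, "logout"))
```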
- Redundant Page Detection (optional; Website scan type): select the check box to enable comparison of page structure to determine the level of similarity, allowing the sensor to identify and exclude processing of redundant resources. Redundant page detection works in the crawl portion of the scan. If the audit introduces a session that would be redundant, the session will not be excluded from the scan.
- Exclude URLs (optional; Website scan type): specify full or partial URLs to exclude URLs matching the strings as <Url1>; <Url2>; <Url3>; ... The field is not case-sensitive.
- Scan Policy (options depend on scan type): select the policy (collection of vulnerability checks and attack methodologies that the sensor deploys against a Web application):
  - Standard: a standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities such as SQL Injection and Cross-Site Scripting as well as poor error handling and weak SSL configuration at the web server, web application server, and web application layers.
  - Criticals and Highs: use the Criticals and Highs policy to quickly scan your web applications for the most urgent and pressing vulnerabilities while not endangering production servers. This policy checks for SQL Injection, Cross-Site Scripting, and other critical and high severity vulnerabilities. It does not contain checks that may write data to databases or create denial-of-service conditions, and is safe to run against production servers.
  - Passive Scan: the Passive Scan policy scans an application for vulnerabilities detectable without active exploitation, making it safe to run against production servers. Vulnerabilities detected by this policy include issues of path disclosure, error messages, and others of a similar nature.
  - API: the API policy contains checks that target various issues relevant to an API security assessment. This includes various injection attacks, transport layer security, and privacy violation, but does not include checks to detect client-side issues and attack surface discovery such as directory enumeration or backup file search checks. All vulnerabilities detected by this policy may be directly targeted by an attacker. This policy is not intended for scanning applications that consume Web APIs.
- Timebox Scan Duration (Hours) (Website and API scan types): specify the maximum duration of the scan. If the scan is not completed at the end of the specified duration, the scan is terminated and partial results are available. If the scan is completed during the specified duration, then complete results are available. Incremental scanning is not supported.
- Network Authentication (optional; all scan types): select the check box if network authentication is required. Provide the authentication type, username, and password. The scan will be canceled if network authentication fails.
- Site Authentication (optional; Website scan type): select the check box if site authentication is required. Specify the file ID of the uploaded file in the Login Macro File for Site Authentication field. Make preparations so that the user credentials remain valid for the scan duration, such as increasing the password expiration duration. The scan will be canceled if site authentication fails.
- Request For Login Macro Creation (optional; Website scan type): select the check box to request generation of a login macro by the testing team once per application. Upon scan completion, the login macro will be available for download on the Scans page. Login macro generation and false positive removal are an optional service that is available once per application and consumes 1 additional assessment unit. If you want to request both login macro generation and false positive removal, you must select both options together; once a scan that includes either option has completed, both options will be disabled for subsequent scans.
In the Poll Options section, complete the following fields:
- Polling Interval: specify the length of time in minutes between polling for static and open source scan statuses and results. The default value is 1. A value of 0 disables polling. Polling stops once either the static or open source scan is canceled, paused, or completed.
- Action if Failing Policy: select whether to complete the task and throw a warning or fail the task based on the application security policy set by your organization.
- Click Add.
  The YAML code for the task is added to your build pipeline. The YAML code specifies the latest version of the extension.
- Save the settings.
  If a scan is successfully submitted during the pipeline run, the task will be marked as succeeded. If the scan is rejected, the build logs will display the appropriate error message.