I’m pleased to announce that the Qualys Web App Scanning Connector for Azure DevOps is now available. Similar to our connectors for Jenkins, Bamboo, and TeamCity, the Qualys WAS Connector for Azure DevOps is a native extension for the Azure DevOps platform that helps development teams build web application and API vulnerability scanning into their CI/CD pipelines.
Microsoft’s Azure DevOps is a platform for developers that provides a rich set of tooling such as version control, build & release pipelines, and collaboration tools. With a valid Qualys WAS subscription and API access, you can configure your pipeline to launch a scan and fail the build (“pipeline run”) if certain criteria are met, such as the presence of a high-severity vulnerability or specific QIDs that violate your security policies. Scan results can be viewed directly in Azure DevOps, and a link to the full scan report in the Qualys UI is also provided. The extension works with all Qualys shared platforms as well as for customers using a private cloud platform (PCP).
By automating dynamic application security testing (DAST) scans in your DevOps pipelines, you can catch app-layer vulnerabilities early in the SDLC and eliminate them before they ever reach production. This is a welcome capability considering digital transformation and the rapid pace at which applications and APIs are being developed today.
Please note that our initial release of the extension supports the cloud-based (“Services”) version of Azure DevOps and not the on-premises (“Server”) version.