Integrate with Azure Boards

By integrating Contrast with Azure Boards, you can automatically generate bug-tracking tickets, synchronize comments, and push notifications for your applications.

You will need:

  • Account credentials for Azure Boards or TFS: username and personal access token (PAT).

  • A PAT with the scope to read and write work items.

  • An Azure Boards or TFS instance that Contrast can reach over HTTP.

  • An instrumented application in Contrast that is also associated with an Azure Boards project.

  • For more, see Microsoft's Azure Boards documentation.

Connect

To connect Contrast with Azure Boards:

  1. In Contrast, go to Organization settings > Integrations.

  2. For the Azure Boards integration, select Connect.

  3. Enter the following values:

    • Name: Label that will display when Contrast sends findings to bugtrackers in Azure Boards.

    • URL: Azure Boards or TFS URL. Contrast must be able to access this.

    • Version: Contrast uses API v2 to support Azure DevOps Services, TFS 2015 and TFS 2017.

    • Personal access token: An alternate password to authenticate to your host.

  4. Select Test connection. This may take a few minutes, depending on the number of Azure Boards or TFS projects. The test verifies that Contrast can reach the Azure Boards or TFS instance you entered and that the instance accepts the user's PAT for login.

  5. Once Azure Boards is connected, select the Contrast Applications you want to make available to this bugtracker.

  6. Enter values for Project, Assignee and Work Item Type.

  7. Select a Team, then select an Area within the team. This will send tickets to a specific backlog.

  8. Set the Default priority for vulnerability severity levels. This prioritizes tickets to fix vulnerabilities for the selected applications, based on severity. At this point, Contrast will make an API call and return a list of Azure Boards or TFS ticket states.

  9. You can also set up two-way integration (to automatically update vulnerability status in Contrast) or automatic ticket creation with Azure Boards.

Automatically create tickets

You can automatically create tickets every time Contrast discovers new vulnerabilities. To do this:

  1. In the Azure Boards integration panel, select Automatically create tickets for new vulnerabilities discovered. This displays a multi-select field for Rules and Severity.

  2. Select the rules or severity levels of vulnerabilities that should trigger a new ticket in Azure Boards or TFS. Critical and High are the default selections.

Note

This setting only works for new vulnerabilities discovered after you select it.

Two-way integration

You can use a two-way integration with Azure Boards. This will automatically update the status of a vulnerability in Contrast when you close or reopen an issue in Azure Boards or TFS that links to the vulnerability.

To do this:

  1. In the Azure Boards integration panel, select Enable two-way integration. This displays Vulnerability Status fields.

  2. Select the drop-down menus to set a vulnerability status for each Azure Boards or TFS ticket state.

  3. Save the two-way integration. Contrast will populate the vulnerability status in Azure Boards or TFS tickets.

  4. When you update the state of a ticket in Azure Boards or TFS, Contrast will automatically generate comments in the Discussion tab for that vulnerability. Each comment includes the name of the bugtracker and a link to the ticket.

Note

If you select the vulnerability status Not a problem for a ticket state in Azure Boards or TFS, Contrast also requires you to select a Reason. The default value is Other.

Caution

For multiple vulnerabilities sent to Azure Boards or TFS as a single issue, the ticket state applies to all vulnerabilities associated with that ticket. Conversely, when you link multiple tickets to a single vulnerability, you must update all associated tickets before you can update the vulnerability. For example, if you change a ticket state from New to Active, Contrast updates the vulnerability status only if all tickets related to that vulnerability also have an Active state.
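The rule in the Caution above, modeled as an added example (this is not Contrast's code). The state-to-status mapping, the status names other than Not a problem, and the ticket and vulnerability IDs are constructed samples standing in for what you configure in the Vulnerability Status fields.

```python
# Added illustration: models the rule in the Caution above; not Contrast's code.
# The state-to-status mapping is a constructed sample of what step 2 configures.
STATE_TO_STATUS = {
    "New": "Reported",
    "Active": "Confirmed",
    "Resolved": "Remediated",
    "Closed": "Not a problem",
}
DEFAULT_REASON = "Other"  # the page's default Reason for "Not a problem"


def resolve_status(current, ticket_states, mapping=STATE_TO_STATUS):
    """Return (status, reason) for one vulnerability linked to several tickets.

    The status changes only when every linked ticket is in the same state
    and that state has a mapped vulnerability status; otherwise it stays.
    """
    states = set(ticket_states)
    if len(states) != 1:
        return current, None          # no tickets, or tickets disagree
    status = mapping.get(states.pop())
    if status is None:
        return current, None          # unmapped ticket state
    reason = DEFAULT_REASON if status == "Not a problem" else None
    return status, reason


def sync(vuln_status, links, ticket_state):
    """Apply the rule to every vulnerability.

    vuln_status: vuln id -> current status
    links: vuln id -> list of linked ticket ids
    ticket_state: ticket id -> current Azure Boards/TFS state
    """
    result = {}
    for vuln, current in vuln_status.items():
        states = [ticket_state[t] for t in links.get(vuln, [])]
        result[vuln] = resolve_status(current, states)
    return result


# Constructed sample: ticket T-1 covers two vulnerabilities; V-3 has two tickets.
SAMPLE_LINKS = {"V-1": ["T-1"], "V-2": ["T-1"], "V-3": ["T-2", "T-3"]}
SAMPLE_STATUS = {"V-1": "Reported", "V-2": "Reported", "V-3": "Reported"}

if __name__ == "__main__":
    states = {"T-1": "Active", "T-2": "Active", "T-3": "New"}
    print(sync(SAMPLE_STATUS, SAMPLE_LINKS, states))
```

With T-3 still in New, V-3 keeps its current status even though T-2 is Active, while both vulnerabilities on the shared ticket T-1 move together.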