Azure DevOps
Basic example
Here's how you can integrate Escape with Azure DevOps:
trigger:
branches:
include:
- staging
pool:
vmImage: 'ubuntu-latest'
jobs:
- job: EscapeScan
displayName: 'Escape Scan'
dependsOn: deploy # name of your deployment job
variables:
ESCAPE_APPLICATION_ID: $(EscapeAppId) # Define these in the Azure DevOps Pipeline environment variables or in a variable group.
ESCAPE_API_KEY: $(EscapeApiKey)
steps:
- script: |
npm install -g @escape.tech/action
npm show @escape.tech/action version
escape-action
displayName: 'Run Escape Action'
env:
ESCAPE_APPLICATION_ID: $(EscapeAppId)
ESCAPE_API_KEY: $(EscapeApiKey)
continueOnError: true
Failure behavior
By default, Escape cli will fail if any High issues are flagged, and will exit with an error code 1.
Available variables
ESCAPE_APPLICATION_ID
string required
The id of the application on Escape that will be scanned continuously.
You can find it in your Escape application settings.
ESCAPE_API_KEY
string required
Your API key on the Escape platform.
You can find it in your Escape settings.
SCHEMA_URL
string
The URL to your API schema, that you want to upload to the specific application ESCAPE_APPLICATION_ID
SCHEMA_FILE
string
The filepath to your API schema, that you want to upload to the specific application ESCAPE_APPLICATION_ID
FAIL_ON_SEVERITIES
string
A csv-delimited string that should contain either of these severities to define a failure of the cli (exit code 1):
- HIGH
- MEDIUM
- LOW
- INFO
For example, export FAIL_ON_SEVERITIES=HIGH,MEDIUM
will make the cli fail if any HIGH or MEDIUM issues are flagged.
TIMEOUT
number
The timeout of the job. If set to 0, the scan will be started, but the job will not wait for it to be finished before terminating.
The triggered scan will run asynchronously on Escape, and your team will be notified once it is done using your desired notifications settings.
CONFIGURATION_OVERRIDE
string
See the configuration override section.
CONFIGURATION_OVERRIDE_PATH
string
See the configuration override section.
REF_NAME
string
See the commit identification section.
COMMIT_HASH
string
See the commit identification section.
USER_EMAIL
string
See the commit identification section.
INTROSPECTION_FILE
path
See the introspection update section.
Command-line options
--output <path>
string
The path to the output file that will contain the scan results.
--r
boolean
Include remediations in the report. Remediations are recommended actions that can be taken to address any security vulnerabilities that are found during the scan.
--pdf
boolean
Download a PDF report of the scan results.
--zip
boolean
Download a exchange archive (zip file) of the scan results.