Azure DevOps Pipeline Integration

The Mayhem for API CLI is built to run on any Continuous Integration platform. This guide will describe how to configure an Azure DevOps Pipeline to run Mayhem for API against your API.

Configure Secrets

You will need an API token to run Mayhem for API in your Azure DevOps pipeline:

  1. Create a Service Account token for your organization
  2. Add the newly created token to the pipeline's variables as a "Secret variable" named MAPI_TOKEN

Configure your pipeline

This example demonstrates how to run mAPI against an API that is built and run in an Azure DevOps pipeline.

steps:
  - checkout: self
    clean: "true"
    # Fetch a deep enough history to compute the merge base of branches with the
    # default branch.  Alternatively, set to "0" to fetch the entire history.
    fetchDepth: "50"

  # 1. Build and test your API
  
  # 2. Run the API in debug mode. Output stack traces for better error reporting.
  
  # 3. Run Mayhem for API
  - script: |
      curl -Lo mapi https://mayhem4api.forallsecure.com/downloads/cli/latest/linux-musl/mapi \
        && chmod +x mapi

      ./mapi run azure-pipelines-example auto http://localhost:8000/openapi.json \
        --url 'http://localhost:8000' \
        --junit TEST-mapi.xml \
        --html mapi.html
    env:
      MAPI_TOKEN: $(MAPI_TOKEN)
    continueOnError: "true"
    displayName: Run Mayhem for API to check for vulnerabilities

  - task: PublishPipelineArtifact@1
    displayName: 'Publish Pipeline Artifact'
    inputs:
      path: 'mapi.html'
      artifact: mapi-html-report
    continueOnError: "true"

  - task: PublishTestResults@2
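
Because the scan step sets continueOnError: "true", later steps still run and the scan step does not fail the run on its own. The gate below is an added example, not part of the original guide or ForAllSecure's code: it reads TEST-mapi.xml and returns a non-zero exit code when the report contains failed or errored test cases. It assumes the report follows the generic JUnit testcase/failure/error layout; the function names, the gate.py file name and the sample report are constructed for illustration.

```python
"""Added example: gate a pipeline on the JUnit report written by
`mapi run --junit TEST-mapi.xml`."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in generic JUnit layout; the names and messages in a
# real Mayhem for API report will differ.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="mapi" tests="3" failures="1" errors="1">
    <testcase classname="GET /users" name="status-check"/>
    <testcase classname="POST /login" name="status-check">
      <failure message="Internal Server Error">constructed detail</failure>
    </testcase>
    <testcase classname="GET /items/{id}" name="status-check">
      <error message="timeout"/>
    </testcase>
  </testsuite>
</testsuites>"""


def findings(junit_xml):
    """Return (classname, name, kind, message) per failed or errored case."""
    root = ET.fromstring(junit_xml)
    found = []
    # iter() also matches when the root element is a bare <testsuite>.
    for case in root.iter("testcase"):
        for node in case:
            if node.tag in ("failure", "error"):
                found.append((case.get("classname", ""), case.get("name", ""),
                              node.tag, node.get("message", "")))
    return found


def gate(junit_xml, max_findings=0):
    """Return the step's exit code: 0 within the threshold, 1 above it."""
    found = findings(junit_xml)
    for item in found:
        # Collapse whitespace so report text cannot start a new log line
        # (and with it a new ##vso logging command).
        classname, name, kind, message = (" ".join(s.split()) for s in item)
        # task.logissue shows the finding as an error in the run summary.
        print(f"##vso[task.logissue type=error]{kind}: {classname} {name}: {message}")
    return 0 if len(found) <= max_findings else 1


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "TEST-mapi.xml"
    with open(path, "rb") as fh:
        sys.exit(gate(fh.read()))
```

Run it from a script step placed after the publish tasks (for example `python3 gate.py TEST-mapi.xml`) so the HTML and JUnit reports are still published when the gate fails the build.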

GitHub Example

A full working example is available on GitHub.