adoscanner-docs's People

Contributors

abhaydaga, anandsinghms, arvindsingh-cloud, chesta-mittal, garima-msft, iampallav, juhi037, mprabhu11, saikumarra, sragala, t-rbavdekar, tanay-microsoft, v-dpardeshi, v-himkam, v-soukum, vishalhaibatpure1, zimmergren

adoscanner-docs's Issues

pipeline failing because of Document size cannot be larger than 5244928B. Current size: 5289542B and ##[error]Unable to find type [VstsTaskSdk.TerminationException].

Hello,

The scanner was working fine, but the token had expired, so we changed the token. After that, we got the following error:

Sending scan report to extension storage
Scan result will be save with id: Phoenix_BuildId_259586_20-12-2023-11-27-15
{"$id":"1","innerException":null,"message":"Document size cannot be larger than 5244928B. Current size: 5289542B. ","typeName":"Microsoft.VisualStudio.Services.ExtensionManagement.WebApi.MaximumDocumentSizeException, Microsoft.VisualStudio.Services.ExtensionManagement.WebApi","typeKey":"MaximumDocumentSizeException","errorCode":0,"eventId":3000}
Cleaning logs from temp directory...
##[error]Unable to find type [VstsTaskSdk.TerminationException].
##[error]Exit code 1 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'c:\agents\1_work_tasks\ADOSecurityScanner_0f42e73b-1b51-41b9-8bd2-c1a864393316\1.5.7\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''c:\agents\1_work_tasks\ADOSecurityScanner_0f42e73b-1b51-41b9-8bd2-c1a864393316\1.5.7\ADOSecurityScannerSVTRuntime.ps1'''))"'.
Finishing: ADO Security Scanner

How to enable credscan check and solve this ADO Scanner controller ADO_Repository_DP_Enable_Credentials_And_Secrets_Policy

Hello,

I am getting a high alert from ADO Scanner to enable "Enable policy to block pushes that contain credentials and other secrets. (ADO_Repository_DP_Enable_Credentials_And_Secrets_Policy)" but cannot find any instruction or information on how to enable this configuration. The ADO Scanner gives the information below, but I have no idea (and cannot find anything on Google) how to get that credscan checkbox on the repository policy settings.

  1. Go to Project Settings --> 2. Repositories --> 3. Select a repository --> 4. Policies --> 5. Enable 'Check for credentials and other secrets' --> 6. Incase you are not able to locate this check, it means that CredScan has not been integrated for the ADO repositories. Make sure it has been integrated in your organization.

Error: Attestation Denied

I'm running into an issue with committing my Attestation for my Organization ADO Security Scan. I've verified that I'm a project collection administrator at the organization level as well as the project administrator in the Attestation Host Project. The repository I've created in my host project is called ADOScannerAttestation. Are there permissions or a setting that I'm missing?

Cannot find an overload for "PlatformParameters" and the argument count: "1".

When attempting to run this utility, I run into the following error:
Get-AzSKADOSecurityStatus -OrganizationName "test" -ProjectNames "Test"

New-Object: D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Helpers\ContextHelper.ps1:47
Line |
  47 |  … arameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirector …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "PlatformParameters" and the argument count: "1".


StackTrace: at GetCurrentContext, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Helpers\ContextHelper.ps1: line 47
at GetCurrentContext, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Helpers\ContextHelper.ps1: line 16
at SetContext, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Helpers\ContextHelper.ps1: line 126
at AzSKRoot, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Abstracts\AzSKRoot.ps1: line 34
at SVTResourceResolver, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\Framework\Core\SVT\SVTResourceResolver.ps1: line 46
at Get-AzSKADOSecurityStatus<Process>, D:\Documents\PowerShell\Modules\AzSK.ADO\1.3.0\SVT\SVT.ps1: line 333
at <ScriptBlock>, <No file>: line 1

I ran Install-Module AzSK.ADO -Scope CurrentUser -AllowClobber -Force to get the latest version and have imported the module using Import-Module AzSK.ADO

Unable to find type [VstsTaskSdk.TerminationException].

This pipeline was working fine last year, and it stopped working after we used it almost a year later.
2023-06-27T17:58:43.3428652Z Querying api for resources to be scanned. This may take a while...
2023-06-27T17:58:43.4322375Z Getting project configurations...
2023-06-27T17:58:43.7144465Z Getting build configurations...
2023-06-27T17:58:44.2963382Z Getting release configurations...
2023-06-27T17:58:45.1232443Z Getting service endpoint configurations...
2023-06-27T17:58:45.3411403Z Getting agent pools configurations...
2023-06-27T17:58:45.4422973Z Getting variable group configurations...
2023-06-27T17:58:45.6192592Z Getting build configurations...
2023-06-27T17:58:47.0130284Z Getting release configurations...
2023-06-27T17:58:49.8810215Z Getting service endpoint configurations...
2023-06-27T17:58:51.6339431Z
2023-06-27T17:58:51.6343452Z The set of parameters provided would result in scanning a large number of objects (> 1000).
2023-06-27T17:58:51.6344581Z If this is not what you intended, use a parameter set that would narrow down your target set.
2023-06-27T17:58:51.6350610Z If you would still like to scan all objects, rerun this command with the '-AllowLongRunningScan' switch.
2023-06-27T17:58:51.7040978Z ##[error]Could not perform ADO Security SVTs scan. Please check if task configurations are correct.
2023-06-27T17:58:51.8249137Z ##[error]Unable to find type [VstsTaskSdk.TerminationException].
2023-06-27T17:58:52.0069994Z ##[error]Exit code 1 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'D:\a_tasks\ADOSecurityScanner_0f42e73b-1b51-41b9-8bd2-c1a864393316\1.5.7\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''D:\a_tasks\ADOSecurityScanner_0f42e73b-1b51-41b9-8bd2-c1a864393316\1.5.7\ADOSecurityScannerSVTRuntime.ps1'''))"'.
2023-06-27T17:58:52.0078576Z ##[section]Finishing: ADO Security Scanner

Support for Bicep

Hello,

I am looking for a proper Security Scanning Tool for my Azure DevOps organization, which uses mainly Bicep, PowerShell code, together with YAML files. I researched some tools, including ADOScanner, but I can't find any documentation about if it supports the previously mentioned technologies.

Does ADOScanner support these?

400 Bad request: Sending scan report to extension storage

Hi,

My name is Luis and I’m testing ADO Security Scanner on a cloud ADO instance with an Azure Pipelines agent windows-2019.

I’m only experiencing the issue when the analysis is for all the resources, the analysis for Organization and Projects looks great.

When I try to run the analysis, I’ve checked all the resources to be scanned via * (I’ve a total of 141 resources). The scan seems to be terminated (a total of 1880 issues are detected), but the error comes when sending the scan to extension storage.

Could you help me??

================================================================================
AzSK.ADO Version: 1.17.0

Method Name: Get-AzSKADOSecurityStatus (gads)
Input Parameters:
Name Alias Value


OrganizationName oz CONFIDENTIAL
DoNotOpenOutputFolder dnof True
PATToken tk System.Security.SecureString
ProjectNames pn CONFIDENTIAL (ONLY ONE)
BuildNames bn *
ReleaseNames rn *
ServiceConnectionNames sc *
AgentPoolNames ap *
ResourceTypeName rtn Build_Release_SvcConn_AgentPool_VarGroup_User_CommonSVTResources
VariableGroupNames vg *
RepoNames rp *
SecureFileNames sf *
FeedNames fd *
EnvironmentNames en *


Status and detailed logs have been exported to path - C:\Users\VssAdministrator\AppData\Local\Microsoft\AzSK.ADOLogs\Org_CONFIDENTIAL\20220824_104837_gads_Build_Release_SvcConn_AgentPool_VarGroup_User_CommonSVTResources

Sending scan report to extension storage
Scan result will be save with id: CONFIDENTIAL_BuildId_500_24-08-2022-10-50-53
{"$id":"1","innerException":null,"message":"Value cannot be null.\r\nParameter name: document","typeName":"System.ArgumentNullException, mscorlib","typeKey":"ArgumentNullException","errorCode":0,"eventId":0}
Cleaning logs from temp directory...
##[error]The remote server returned an error: (400) Bad Request.

Thanks for your time and support
Best regards

Azure DevOps (ADO) Security Scanner - pipeline task fails

Hi, I've set up a pipeline with the ADO task to scan the current organization from a Microsoft-hosted agent (windows-latest), then I get the below error:
Organization not found: Incorrect organization name or account does not have necessary permission to access the organization. Use -ResetCredentials parameter in command to login with another account

Full log in the attachment:
azsk-task-log.txt

How to apply same custom org-policy to all projects in my organization?

From the docs I understand the only way to get the custom org-policy is to create a Git repository in my project and to upload the files there.

There's also the following note in the docs

Note: We will be treating PROJECT as a boundary to customize scanner behavior. Any customizations made will apply strictly only to the project (and its components) where the org-policy endpoint resides. We will be interchangeably using the terms 'org' and 'project'.

How can I apply the same custom policy to all projects in my organization without having to create a repo in each individual project?

How to install ADOscanner without internet in the Agent? What are the dependency packages to install in the agent without internet?

We are in an organization which doesn't allow us to use the Internet in the production environment. We need to scan our ADO organizations and their pipelines with ADO Security Scanner. When we tried to install, the scanning task looked for the below package via the internet and the task failed. So we copied all those packages to this location "c:\agent_work_task\ADOSecurityScanner_xxxxxxxxxxxxxx\1.5.7\ps_modules"

Please list the packages and their versions to install for ADO Security Scanner. Also help us with the way to run the ADO Security Scanner without internet in the agent.

Receiving a 401 Unauthorized all of a sudden

We have been running the Azure DevOps Security Scanner for quite some time now on our organization. We're running it as part of a release pipeline and it has been running smoothly up until 2 weeks ago. Since then we've been receiving 401 Unauthorized error messages. Here are the logs:

2021-05-30T04:00:50.8971063Z ##[section]Starting: ADO Security Scanner
2021-05-30T04:00:51.1828293Z ==============================================================================
2021-05-30T04:00:51.1829147Z Task         : Azure DevOps (ADO) Security Scanner
2021-05-30T04:00:51.1829723Z Description  : Scan Azure DevOps components for security issues.
2021-05-30T04:00:51.1830040Z Version      : 1.4.0
2021-05-30T04:00:51.1830429Z Author       : azsdktm
2021-05-30T04:00:51.1831064Z Help         : [More Information](http://aka.ms/devopskit/ADOSecurity)
2021-05-30T04:00:51.1831949Z ==============================================================================
2021-05-30T04:01:00.4339702Z Installing Module AzSK.ADO...
2021-05-30T04:01:43.2181662Z WARNING: Both Az and AzureRM modules were detected on this machine. Az and AzureRM modules cannot be imported in the 
2021-05-30T04:01:43.2185265Z same session or used in the same script or runbook. If you are running PowerShell in an environment you control you can
2021-05-30T04:01:43.2189495Z  use the 'Uninstall-AzureRm' cmdlet to remove all AzureRm modules from your machine. If you are running in Azure 
2021-05-30T04:01:43.2191862Z Automation, take care that none of your runbooks import both Az and AzureRM modules. More information can be found 
2021-05-30T04:01:43.2193904Z here: https://aka.ms/azps-migration-guide
2021-05-30T04:01:54.1556256Z Successfully updated privacy settings.
2021-05-30T04:01:55.3962968Z Successfully changed policy settings
2021-05-30T04:01:55.4652994Z Log Analytics workspace logging is turned off.
2021-05-30T04:01:55.4676233Z Get-AzSKADOSecurityStatus -OrganizationName rr-wfm -DoNotOpenOutputFolder -PATToken $token -ProjectNames "RR" -BuildNames "*" -ReleaseNames "*" -ServiceConnectionNames "*" -AgentPoolNames "*" -ubc -ResourceTypeName All -IncludeAdminControls 
2021-05-30T04:01:56.3149259Z Using '*' can take a long time for the scan to complete in larger projects. 
2021-05-30T04:01:56.3151836Z You may want to provide a comma-separated list of projects, builds, releases, service connections, agent pools and variable groups. 
2021-05-30T04:01:56.3153126Z  
2021-05-30T04:01:58.5129988Z Organization not found: Incorrect organization name or you do not have necessary permission to access the organization.
2021-05-30T04:01:58.5614039Z InvalidOperation: The remote server returned an error: (401) Unauthorized.
2021-05-30T04:01:59.7932418Z ##[error]Could not perform ADO Security SVTs scan. Please check if task configurations are correct.
2021-05-30T04:01:59.9296947Z ##[error]ScriptHalted
2021-05-30T04:02:00.0766607Z ##[section]Finishing: ADO Security Scanner

As far as we can tell we haven't changed anything security related. We have a dedicated automation account for which we've created a Personal Access Token with the permissions described in the docs and we used that to establish the service connection. Verifying the service connection works as expected.

I did notice #23, but that seems to relate running the tool manually which is a different scenario I think.

old az.resource 2.0.1 always got installed to Windows service account profile directory NetworkService account folder, which blocks az.ps V5 task.

Hi ADOScanner Dev Team, we received a premier enterprise customer support request and can also reproduce this issue symptom.

Issue Symptom
On one self-hosted agent Windows machine, the agent is registered as Windows Service underneath the NetworkService account.

One pipeline only running this single ADOScanner task always gets the old az.resource 2.0.1 module installed to the Windows service account profile directory NetworkService account folder, which blocks az.ps V5 task.

Another pipeline running az.ps v5 task will always get blocked due to this old az.resource 2.0.1 module.

I noticed the last updated date was 2022-09-29 (from this task's Marketplace page). Is this ADOScanner task kind of in idle status in development to keep up with the latest ADO service releases? (https://marketplace.visualstudio.com/items?itemName=azsdktm.ADOSecurityScanner&ssr=false#overview)

Consider adding static code analysis step in your pipelines

Hi Folks,

I ran the scanner in my project and it returned the rule Consider adding static code analysis step in your pipelines (ADO_Build_Config_Add_Static_Code_Analyzer) with failure status.

But my pipeline has a sonar task configured.

My question is: What does this rule validate?

Thank you
Leandro Prado

Is ADOScanner still active as AzSK got sunset and replaced by AzTS ?

Want to know if ADOScanner is still an active initiative, as it seems to be part of AzSK, and AzSK got sunset at the end of 2021 and is now replaced by AzTS. So please provide your input, so we can suggest to customers whether they can use ADOScanner, or if there is anything new under AzTS then please suggest a new replacement for ADOScanner as well.

Permissions in Azure DevOps to execute

I'm running the command via PS console, but it results in the error:

Get-AzSKADOSecurityStatus -OrganizationName "........." -ProjectNames "......" -ScanAllResources -DetailedScan -ResetCredentials
Using '*' can take a long time for the scan to complete in larger projects.
You may want to provide a comma-separated list of projects, builds, releases, service connections, agent pools and variable groups.

Organization not found: Incorrect organization name or '............' account does not have necessary permission to access the organization. Use -ResetCredentials parameter in command to login with another account.
InvalidOperation: Invalid JSON primitive: .

What permissions does the user need to have in Azure DevOps?

Thank you
Leandro Prado
