
security-devops-azdevops's Introduction

Microsoft Security DevOps for Azure DevOps

An extension for Azure DevOps that contributes a build task to run the Microsoft Security DevOps CLI.

  • Installs the Microsoft Security DevOps CLI
  • Installs the latest Microsoft security policy
  • Installs the latest Microsoft and 3rd party security tools
  • Automatic or user-provided configuration of security tools
  • Execution of a full suite of security tools
  • Normalized processing of results into the SARIF format
  • Build breaks and more
  • Captures the container images pushed in a build run

Basic

Add the MicrosoftSecurityDevOps build task to your pipeline's YAML:

steps:
- task: MicrosoftSecurityDevOps@1
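A fuller pipeline fragment, added here as an example and not taken from the README, that shows the task with the inputs that appear elsewhere on this page (tools, break, publish, artifactName). The trigger, the agent image and the particular tool selection are assumptions for illustration; the comma-separated tool list is written without spaces, matching the form used in the ESLint issue on this page.

```yaml
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'   # assumed hosted image

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    # run only the tools you want instead of the auto-detected default set
    tools: 'credscan,terrascan'
    # fail the build when a tool reports a breaking result
    break: true
    # publish the normalized SARIF so the results are available as a build artifact
    publish: true
    artifactName: 'CodeAnalysisLogs'
```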

Tools

| Name | Language | License |
| --- | --- | --- |
| AntiMalware | code, artifacts | - |
| Bandit | Python | Apache License 2.0 |
| BinSkim | binary - Windows, ELF | MIT License |
| ESLint | JavaScript | MIT License |
| Template Analyzer | Infrastructure-as-Code (IaC), ARM templates, Bicep files | MIT License |
| Terrascan | Infrastructure-as-Code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | Container Images, Infrastructure-as-Code (IaC) | Apache License 2.0 |

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

security-devops-azdevops's Issues

[Feature Request] Azure DevOps Server 2022 Support

It would be great if the Microsoft Security DevOps plugin supported Azure DevOps Server 2022.
I saw #14, but I didn't really see a feature request to add support. It seems like I'm not the only one who would like this added.

Thank you!


[Q] How to configure suppressions file for CredScanner and use it?

Previously when using the Microsoft Security Code Analysis (MSCA) extension there was an option to specify the suppressions file path.
What would be the right way to use suppressions files in the Microsoft Security DevOps extension?

Unfortunately, the documentation over here https://github.com/microsoft/security-devops-action/wiki#how-to-configure-analyzers does not provide any examples.

This one https://learn.microsoft.com/en-us/azure/defender-for-cloud/detect-exposed-secrets#suppress-false-positives only suggests adding inline suppressions, but that's not a scalable and maintainable solution.

Looking forward to your suggestions.

Execution of pipeline with security devops -task fails if Node6 tasks disabled

Our organization has "Disable Node6 tasks" turned on for security reasons at the organization level. With this turned on, the pipeline won't even start execution because of an error that says:

"The pipeline is not valid. Job Job: Step 'MicrosoftSecurityDevOps' references task 'MicrosoftSecurityDevOps' at version '1.6.0' contains an execution handler that relies on NodeJS version '6' which is restricted by your administrator."

Found no applicable tools

Hi,

We use a self-hosted Agent in Azure to support our Azure DevOps CI/CD.

When I run the security devops task as such:

The task fails, I get this result:

Tools Applicability Infomation:
Found no applicable tools.

##[error]RunCommandNoOptionsException: No applicable tools were detected. Run requires at least one configuration to run. Provide at least one Guardian config or tool with --config or --tool.
##[error]MSDO CLI exited with an error exit code: 2

I understood that when passing no tool, all of them should be used?
Do we need to install these tools ourselves?

TemplateAnalyzer missing a report format argument in wiki

To write the output to .sarif and show the results under the scan section in the pipeline, you need to enable --report-format Sarif. To do that you can add a ReportFormat argument in the *.gdnconfig file as follows:

[image]

This argument is missing from the current documentation in the wiki. Also, Sarif is only output if there are no errors in the TemplateAnalyzer.

eslint does not detect any issues

Pipeline:

trigger: none
pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    break: true
    tools: 'eslint,credscan'

Output of eslint:

    Running ESLint 7.32.0.2
    ------------------------------------------------------------------------------
    D:\a\_msdo\packages\node_modules\eslint\eslint.cmd --no-eslintrc --config D:\a\_msdo\packages\node_modules\eslint/node_modules/@microsoft/eslint-plugin-sdl/config/required.js --ext .js --ext .ts --ignore-pattern *.d.ts --format D:\a\_msdo\packages\node_modules\eslint\node_modules\@microsoft\eslint-formatter-sarif\sarif.js --output-file D:\a\1\s\.gdn\.r\eslint\001\eslint.sarif **/*.{js,ts}
    ------------------------------------------------------------------------------
    ESLint completed with exit code 1

There are a lot of .js & .ts files in the repo, even in the root folder of the repo, all of them with issues, but none were detected.
Are there any configurations that I should make?

Publish Terrascan and Credscan result in the ADO pipeline

Is it possible to publish results for both Terrascan and CredScan in ADO Pipeline (PFB image)
I'm using below -

      - task: MicrosoftSecurityDevOps@1
        displayName: Credential Scanner- CredScan
        inputs:
          categories: 'secrets, code, artifacts, IaC, containers'
          tools: 'Credscan'

      - task: MicrosoftSecurityDevOps@1
        displayName: Credential Scanner- Terrascan
        inputs:
          categories: 'secrets, code, artifacts, IaC, containers'
          tools: 'terrascan'

[image]

Template Analyzer - Template / Validation Errors Cause Failure, no output to Sarif Scan Tab

When working with the MSDO tool in our IaC Build Pipeline, we're experiencing an issue with our template: Error exit code 22: 22. Violation + Error

That is fine and understandable, but what's troubling is we're not able to view scan results in the Sarif Scan Tab; it seems the sarif files never get the chance to get loaded into the CodeAnalysisLogs artifact when this failure occurs. I'm wondering if this may be addressed in the code to allow for more meaningful error messages / remediation steps for these types of validation / error messages to be displayed in this scans tab. Currently I'm having to sift through ~60,000 lines to find the error occurrence and it's hard to track down where in our files the failure is occurring.


ConfigurationPathNotFoundException: A configuration file could not be found for: template-analyzer

Hello,

I'm configuring the task to run template-analyzer tool

- task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        config: '$(Build.SourcesDirectory)/.gdn/.gdnsettings'
        tools: 'template-analyzer'

I created the gdnsettings using this example
https://github.com/microsoft/security-devops-azdevops/wiki#templateanalyzer-options

But when I execute the pipeline, it results in this error:

##[error]ConfigurationPathNotFoundException: A configuration file could not be found for: template-analyzer
##[error]MSDO CLI exited with an error exit code: 1

Can you please help me with this error?

Thank You

Terrascan

How can I make terrascan not scan the node modules?

Pipeline Run Successful But Results not Visible

I ran this tool in my pipeline and have two methods to visualize results, however none of them worked.

  • Published Artifacts:
[image]
  • Using SARIF SAST Scans Tab -- Nothing to see (sc attached)
[image]
  • Connecting Microsoft Defender for Cloud | DevOps security (preview) Azure Repos -- No visibility there either.

[image]

Any suggestions?

Disable Terrascan option?

I have a task for MicrosoftSecurityDevOps@1 in my build pipeline. It runs TerraScan, then generates reams of “warnings” for every folder and JSON file, complaining that no Terraform configuration is found in those files. Examples:

{
  "level": "warning",
  "message": {
    "text": "directory '/home/vsts/work/1/s/[...]' has no terraform config files"
  }
},
{
  "level": "warning",
  "message": {
    "text": "error while loading iac file '/home/vsts/work/1/s/[...].json', err: failed to find valid Resources key in file: /home/vsts/work/1/s/[...].json"
  }
},

This is not useful, as I’m not using Terraform in this repo. So, I would like to disable the TerraScan part of this tool. But the MS Security DevOps documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension) contains no information on how to do this. I reported the lack of documentation here:

MicrosoftDocs/azure-docs#107268

Someone there suggested adding an input parameter of categories: "!IaC" to disable TerraScan, but this just led to a new error, one that was fatal for the build:

##[error]RunCommandNoOptionsException: No applicable tools were detected.
Run requires at least one configuration to run. Provide at least one Guardian
config or tool with --config or --tool.
##[error]MSDO CLI exited with an error exit code: 2

I also reported the issue on the DevCommunity site, and they directed me here:

https://developercommunity.visualstudio.com/t/Cannot-disable-TerraScan-in-MicrosoftSec/10326029

How can I continue to use this ADO plugin, but configure it correctly for my needs?

Error when adding credscan as tool on linux

When I add CredScan to the tool param of the task on our Linux self-hosted agent, I get this message:

[error]ConfigurationPathNotFoundException: A configuration file could not be found for: credscan-linux

Eslint is not installing in the self hosted agent

Hi

I am trying to use the Microsoft security devops extension to perform security analysis of my code. However, eslint is not installing in my self hosted agent, whereas credscan and other tools are installing successfully. Can anyone take a look at it and do the needful.

Logs for the security task:

Starting: Run Microsoft Defender for DevOps

Task : Microsoft Security DevOps
Description : Run the Microsoft Security DevOps CLI for static analysis.
Version : 1.7.2
Author : Microsoft Corporation
Help : Runs the Microsoft Security DevOps CLI for security analysis.


Installing Microsoft Security DevOps Cli version: Latest
Microsoft.Security.Devops.Cli.linux-x64 version 0.164.1 already installed

/home/myagent4/_work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.164.1/tools/guardian init --force
Init:
Creating guardian repo at: /home/myagent4/_work/51/s
A repository already exists at /home/myagent4/_work/51/s/.gdn.
Deleting existing guardian repository at: /home/myagent4/_work/51/s/.gdn
Removing Guardian repository at /home/myagent4/_work/51/s/.gdn
Created a settings file at: /home/myagent4/_work/51/s/.gdn/.gdnsettings
Added /home/myagent4/_work/51/s/.gdn/.gitignore file to ignore internal files. Please commit this file.
Guardian repository created at: /home/myagent4/_work/51/s/.gdn
Please commit everything in the .gdn folder to source control. You can now use "guardian run" to run tools.
/home/myagent4/_work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.164.1/tools/guardian run -p microsoft --rich-exit-code --logger-pipeline --export-breaking-results-to-file /home/myagent4/_work/51/a/.gdn/msdo.sarif --telemetry-environment azdevops
Run:
Installing Microsoft.Security.CodeAnalysis.Policy.Names

  GET https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.codeanalysis.policy.names/index.json
  OK https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.codeanalysis.policy.names/index.json 81ms
Attempting to gather dependency information for package 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2' with respect to project '/home/myagent4/_work/_msdo/packages/nuget', targeting 'Any,Version=v0.0'
Gathering dependency information took 30 ms
Attempting to resolve dependencies for package 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2'
Resolved actions to install package 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2'
Found package 'Microsoft.Security.CodeAnalysis.Policy.Names 1.0.2' in '/home/myagent4/_work/_msdo/packages/nuget'.
Package 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2' already exists in folder '/home/myagent4/_work/_msdo/packages/nuget'
Successfully installed 'Microsoft.Security.CodeAnalysis.Policy.Names 1.0.2' to /home/myagent4/_work/_msdo/packages/nuget
Executing nuget actions took 33 ms

Installing Microsoft.Security.CodeAnalysis.Policy.Microsoft

  GET https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.codeanalysis.policy.microsoft/index.json
  OK https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.codeanalysis.policy.microsoft/index.json 127ms
Attempting to gather dependency information for package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft.1.2.7' with respect to project '/home/myagent4/_work/_msdo/packages/nuget', targeting 'Any,Version=v0.0'
Gathering dependency information took 2 ms
Attempting to resolve dependencies for package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft.1.2.7' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft.1.2.7'
Resolved actions to install package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft.1.2.7'
Found package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft 1.2.7' in '/home/myagent4/_work/_msdo/packages/nuget'.
Package 'Microsoft.Security.CodeAnalysis.Policy.Microsoft.1.2.7' already exists in folder '/home/myagent4/_work/_msdo/packages/nuget'
Successfully installed 'Microsoft.Security.CodeAnalysis.Policy.Microsoft 1.2.7' to /home/myagent4/_work/_msdo/packages/nuget
Executing nuget actions took 0.7 ms

The target directory is not provided. Defaults to the working directory: /home/myagent4/_work/51/s.
The platform is not provided. Defaults to the current OS: Linux.
Starting tools applicability analysis...
Tools Applicability Infomation:
Applicable Tools:
Tool Name: terrascan
Tool Version: 1.18.0.1
Tool Config File Path: /home/myagent4/_work/51/s/.gdn/c/terrascan-linux.gdntool

Tool Name: credscan
Tool Version: 2.5.1.13
Tool Config File Path: /home/myagent4/_work/51/s/.gdn/c/credscan-linux.gdntool

Tool Name: eslint
Tool Version: 7.32.0.2
Tool Config File Path: /home/myagent4/_work/51/s/.gdn/c/eslint-linux.gdntool

Tool Name: templateanalyzer
Tool Version: 0.5.1
Tool Config File Path: /home/myagent4/_work/51/s/.gdn/c/templateanalyzer-linux.gdntool

Completed tools applicability analysis.
Install:
Installing Microsoft.Guardian.TerrascanRedist_linux_amd64
------------------------------------------------------------------------------
Attempting to gather dependency information for package 'Microsoft.Guardian.TerrascanRedist_linux_amd64.1.18.0.1' with respect to project '/home/myagent4/_work/_msdo/packages/nuget', targeting 'Any,Version=v0.0'
Gathering dependency information took 299 ms
Attempting to resolve dependencies for package 'Microsoft.Guardian.TerrascanRedist_linux_amd64.1.18.0.1' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Guardian.TerrascanRedist_linux_amd64.1.18.0.1'
Resolved actions to install package 'Microsoft.Guardian.TerrascanRedist_linux_amd64.1.18.0.1'
Found package 'Microsoft.Guardian.TerrascanRedist_linux_amd64 1.18.0.1' in '/home/myagent4/_work/_msdo/packages/nuget'.
Package 'Microsoft.Guardian.TerrascanRedist_linux_amd64.1.18.0.1' already exists in folder '/home/myagent4/_work/_msdo/packages/nuget'
Successfully installed 'Microsoft.Guardian.TerrascanRedist_linux_amd64 1.18.0.1' to /home/myagent4/_work/_msdo/packages/nuget
Executing nuget actions took 0.8 ms
------------------------------------------------------------------------------
Installing Microsoft.Security.CredScan
------------------------------------------------------------------------------
Attempting to gather dependency information for package 'Microsoft.Security.CredScan.2.5.1.13' with respect to project '/home/myagent4/_work/_msdo/packages/nuget', targeting 'Any,Version=v0.0'
Gathering dependency information took 142 ms
Attempting to resolve dependencies for package 'Microsoft.Security.CredScan.2.5.1.13' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Security.CredScan.2.5.1.13'
Resolved actions to install package 'Microsoft.Security.CredScan.2.5.1.13'
Found package 'Microsoft.Security.CredScan 2.5.1.13' in '/home/myagent4/_work/_msdo/packages/nuget'.
Package 'Microsoft.Security.CredScan.2.5.1.13' already exists in folder '/home/myagent4/_work/_msdo/packages/nuget'
Successfully installed 'Microsoft.Security.CredScan 2.5.1.13' to /home/myagent4/_work/_msdo/packages/nuget
Executing nuget actions took 6 ms
------------------------------------------------------------------------------
Installing eslint
------------------------------------------------------------------------------
npm install --loglevel error [email protected] [email protected] @microsoft/[email protected] [email protected] [email protected] @typescript-eslint/[email protected] @typescript-eslint/[email protected] @typescript-eslint/[email protected] @microsoft/[email protected] [email protected] --prefix /home/myagent4/_work/_msdo/packages/node_modules/eslint --global
------------------------------------------------------------------------------
##[warning]Failed to install from source npm with exception System.ComponentModel.Win32Exception (2): An error occurred trying to start process 'npm' with working directory '/home/myagent4/_work/_msdo/packages/node_modules'. No such file or directory
at System.Diagnostics.Process.ForkAndExecProcess(ProcessStartInfo startInfo, String resolvedFilename, String[] argv, String[] envp, String cwd, Boolean setCredentials, UInt32 userId, UInt32 groupId, UInt32[] groups, Int32& stdinFd, Int32& stdoutFd, Int32& stderrFd, Boolean usesTerminal, Boolean throwOnNoExec)
at System.Diagnostics.Process.StartCore(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.ProcessWrapper.Start()
at System.Diagnostics.ExecutableRunner.Run(String arguments, String workingDirectory, Boolean waitForExit)
at System.Diagnostics.ExecutableRunner.Run(String arguments, String workingDirectory)
at Microsoft.Guardian.Installers.NpmClient.Install(IList`1 packageList, String prefix, String workingDirectory, Boolean global, Boolean quiet, Boolean engineStrict)
at Microsoft.Guardian.Installers.NpmClient.Install(PackageConfig packageConfig, String outputDirectory)
##[error]PackageInstallerException: Failed to install Npm package: eslint v7.32.0
##[error]MSDO CLI exited with an error exit code: 1
Finishing: Run Microsoft Defender for DevOps

Template analyzer Azure DevOps pipeline

I got the following error:
##[error]ConfigurationPathNotFoundException: A configuration file could not be found for: template-analyzer. This is often due to attempting to use a tool on a platform where it is not yet supported.


Trivy version is very out of date

The tool currently uses Trivy v0.19.2, which is 2 years old. Can it please be updated to something more recent, current version being 0.41.0 ?

Slowness in task completion

The task seems to be taking a lot of time recently. We are using a self-hosted agent.

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'


It used to be pretty fast earlier as shown below.

[image]

Microsoft security DevOps task is breaking when we use 3rd party modules/private repositories.

Configured microsoft security DevOps task but it is breaking when we use 3rd party modules/private repositories.

Below is the YAML I was using.

          - task: MicrosoftSecurityDevOps@1
            displayName: 'Microsoft Security DevOps'
            inputs:
              categories: 'IaC'
              publish: true
              artifactName: CodeAnalysisLogs

Tried with a private repository and it is breaking with the below error. Is there a way to skip for 3rd party modules?

module "lz_vending" {
  source  = "Azure/lz-vending/azurerm"
  version = "3.1.0"
}

Error

Error running terrascan job: 1 of 1
GuardianErrorExitCodeException: terrascan completed with an Error exit code: 2. Unexpected exit code. Please check https://docs.accurics.com/projects/accurics-terrascan/en/latest/ for more information.
Error running tool 1 of 2: terrascan
Error running terrascan job: 1 of 1
GuardianErrorExitCodeException: terrascan completed with an Error exit code: 2. Unexpected exit code. Please check https://docs.accurics.com/projects/accurics-terrascan/en/latest/ for more information.
BreakException: Guardian detected one or more breaking results.

Is there a way to fix or skip this?

Any help is appreciated.

Having a 'packageVersion' variable causes the task to fail

Hi

After some extensive testing I've found that having a variable called "packageVersion" causes the task to fail.
As far as I can tell this is because of nuget and it may be a env variable that it checks for?

FIX

We fixed this by simply setting the env variable on the task and setting packageVersion to "".

LOGS

In this case we had variable packageVersion set to '0.0.dev0' as can be seen in the output below.
The logs can be found here:

Installing Microsoft Security DevOps Cli...
/usr/bin/dotnet restore /home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj /p:MsdoPackageVersion=0.* --packages /home/vsts/work/_msdo/versions --source https://api.nuget.org/v3/index.json
  Determining projects to restore...
/usr/share/dotnet/sdk/7.0.203/NuGet.targets(132,5): error : '0.0.dev0' is not a valid version string. (Parameter 'value') [/home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj]
/usr/bin/dotnet restore /home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj /p:MsdoPackageVersion=0.* --packages /home/vsts/work/_msdo/versions --source https://api.nuget.org/v3/index.json
  Determining projects to restore...
/usr/share/dotnet/sdk/7.0.203/NuGet.targets(132,5): error : '0.0.dev0' is not a valid version string. (Parameter 'value') [/home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj]
/usr/bin/dotnet restore /home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj /p:MsdoPackageVersion=0.* --packages /home/vsts/work/_msdo/versions --source https://api.nuget.org/v3/index.json
  Determining projects to restore...
/usr/share/dotnet/sdk/7.0.203/NuGet.targets(132,5): error : '0.0.dev0' is not a valid version string. (Parameter 'value') [/home/vsts/work/_tasks/MicrosoftSecurityDevOps_8d616517-6390-454f-b369-6fd038d8fe96/1.6.0/node_modules/microsoft-security-devops-azdevops-task-lib/msdo-task-lib.proj]
Exception occurred while initializing MSDO:
##[error]Error: ENOENT: no such file or directory, scandir '/home/vsts/work/_msdo/versions/microsoft.security.devops.cli'
Finishing: Microsoft Security DevOps

Terrascan

Hi
I have been testing MSDO with Azure DevOps and looking specifically into terrascan, which I like a lot. I have noticed that terrascan is lacking in basic functionality and there seems not to be that great a throughput in the project at the moment.

According to the version change log here https://runterrascan.io/docs/reference/ there has not been any new releases of terrascan for over a year.

My question is, will MSDO rely on terrascan as it continues, or do you consider other options (like checkov or the like)?

As an example, you can take a look at this issue: tenable/terrascan#1453 that I have worked on lately.

The reason I ask is that it seems to be hard to get in touch with the maintainers of the terrascan project as well.

Kind Regards
Jakub

Bandit and BinSkim cause errors

Both Bandit and BinSkim are listed here as available tools.
However, when I run the extension with this config:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Defender for DevOps'
  inputs:
    tools: bandit

The run fails with:
##[error]bandit is missing required argument: Target
##[error]Error running bandit job: 1 of 1
##[error]AnalyzerMissingRequiredArgumentsException: bandit is missing one or more required arguments.

Same for BinSkim, if I run it like this:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Defender for DevOps'
  inputs:
    tools: binskim

The run fails with:
##[error]Error running binskim job: 1 of 1
##[error]InvalidResponseFileContentsException: Cannot create a response file with zero arguments. Ensure that your arguments are correctly set up.

Also when I run the task without specifying a tool (in which case all tools should be executed), bandit and binskim are missing:

Applicable Tools:
Tool Name: credscan
Tool Version: 2.5.0.5
Tool Config File Path: D:\a\1\s\.gdn\c\credscan.gdntool

Tool Name: eslint
Tool Version: 7.32.0.2
Tool Config File Path: D:\a\1\s\.gdn\c\eslint.gdntool

Tool Name: templateanalyzer
Tool Version: 0.3.1
Tool Config File Path: D:\a\1\s\.gdn\c\templateanalyzer.gdntool

Tool Name: terrascan
Tool Version: 1.14.0.1
Tool Config File Path: D:\a\1\s\.gdn\c\terrascan.gdntool

Tool Name: trivy
Tool Version: 0.19.2.1
Tool Config File Path: D:\a\1\s\.gdn\c\trivy.gdntool

Are Bandit and BinSkim supported or not?

Unknown header detected while attempting to read CredScan Tsv output

We receive an error when the Sarif report is being built in the pipeline task.

Detected 1 issue(s) in C:\a\10\s\src\Func.Importer\settings.json
NumberOfAsset : 14
NumberOfAssetScanned : 10
NumberOfAssetBytes : 12,939
NumberOfAssetBytesScanned : 4,670
NumberOfScanResult: 1
NumberOfRankedResult : 1
NumberOfCredentialRecord: 1
NumberOfSuppressedRecord: 0
NumberOfScanError: 0

Scan completed in 6.67 seconds
Tool run time: 6.7779605 seconds
------------------------------------------------------------------------------
Credential Scanner completed with exit code 4
------------------------------------------------------------------------------

Process:
Convert:
Converting any raw tool logs to Sarif format ...
Found 1 logs for tool credscan.
##[error]CredScanTsvUnknownHeaderException: Unknown header detected while attempting to read CredScan Tsv output.
##[error]Actual Header: TimeofDiscovery Source Searcher Description Line IsSuppressed HashKey SuppressJustification MatchingScore Severity
##[error]File Path: C:\a\10\s\.gdn\.r\credscan\001\credscan-matches.tsv
##[error]MSDO CLI exited with an error exit code: 1

Build not failing even if there are some bugs detected

I have the task setup for credscan, the tool has detected that there is a High Severity bug and the Scans tab shows it as bugs.
However it is not failing the build. Is there anything that I have to add to make the build fail ?

- task: MicrosoftSecurityDevOps@1
  displayName: 'Scan for Secrets in the repo'
  inputs:
    categories: 'secrets'


Similar case for terrascan as well

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps scan'
  inputs:
    categories: 'Iac'

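The README's "normalized processing of results into the SARIF format", the Terrascan warning noise quoted in the "Disable Terrascan option?" issue, and the "build not failing" question above all come down to what is in the SARIF log the task writes. The script below is an added example, not code from the project or from any of the issue authors: it flattens a SARIF 2.1.0 log, drops the two Terrascan messages quoted earlier on this page, summarizes findings per tool and level, and decides whether a build should break. The embedded sample log, its rule identifiers and the noise patterns are constructed for illustration.

```python
import json
import re
from collections import Counter

# SARIF "level" values ordered by severity; "none" and "note" never break a build here.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Messages to treat as noise. Assumed patterns for this example, taken from the
# Terrascan warnings quoted in the issue above; they are not a project setting.
DEFAULT_NOISE_PATTERNS = (
    r"has no terraform config files",
    r"failed to find valid Resources key",
)

# Constructed sample SARIF log (not real MSDO output): a terrascan run with the two
# noisy warnings plus one error, and a credscan run with one error-level finding.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "terrascan"}},
            "results": [
                {"level": "warning",
                 "message": {"text": "directory '/work/1/s/app' has no terraform config files"}},
                {"level": "warning",
                 "message": {"text": "error while loading iac file '/work/1/s/app/cfg.json', "
                                     "err: failed to find valid Resources key in file: /work/1/s/app/cfg.json"}},
                {"level": "error", "ruleId": "RULE-PLACEHOLDER-1",
                 "message": {"text": "constructed IaC finding"}},
            ],
        },
        {
            "tool": {"driver": {"name": "credscan"}},
            "results": [
                {"level": "error", "ruleId": "RULE-PLACEHOLDER-2",
                 "message": {"text": "constructed secret finding"}},
            ],
        },
    ],
})


def load_results(sarif_text):
    """Flatten a SARIF 2.1.0 log into (tool, level, message) tuples.

    SARIF treats a result with no explicit 'level' as a warning, so that default
    is applied here rather than silently dropping such results.
    """
    log = json.loads(sarif_text)
    flat = []
    for run in log.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            level = result.get("level", "warning")
            text = result.get("message", {}).get("text", "")
            flat.append((tool, level, text))
    return flat


def drop_noise(results, patterns=DEFAULT_NOISE_PATTERNS):
    """Remove results whose message matches any of the given regex patterns."""
    compiled = [re.compile(p) for p in patterns]
    return [r for r in results if not any(c.search(r[2]) for c in compiled)]


def summarize(results):
    """Count results per (tool, level) pair."""
    return dict(Counter((tool, level) for tool, level, _ in results))


def should_break(results, threshold="error"):
    """True when any result is at or above the given severity threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(level, 2) >= limit for _, level, _ in results)


if __name__ == "__main__":
    findings = drop_noise(load_results(SAMPLE_SARIF))
    for (tool, level), count in sorted(summarize(findings).items()):
        print(f"{tool:<12} {level:<8} {count}")
    print("break build:", should_break(findings))
```

In a pipeline this would run against the msdo.sarif file the task exports (the log above shows it written with --export-breaking-results-to-file) as a step after the scan, with a non-zero exit when should_break returns True; keep the noise patterns narrow so that a genuine Terrascan finding is never filtered along with the "no terraform config files" chatter.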

Default for tools is not accurate

When passing in the list of tools as a ',' delimited string, "template-analyzer" is not recognized. Below is what I have and it fails:

parameters:
- name: config
  type: string
  default: '*.gdconfig'
- name: categories
  type: string
  default: 'all'
- name: languages
  type: string
  default: 'all'
- name: tools
  type: string
  default: 'bandit, binskim, eslint, template-analyzer, terrascan, trivy'
- name: break
  type: boolean
  default: false

steps:
- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: ${{parameters.categories}}
    languages: ${{parameters.languages}}
    tools: ${{parameters.tools}}
    break: ${{parameters.break}}

When I remove the 'tools' argument it works.

Path is undefined in release pipeline

We use a release pipeline to bundle up several artefacts that we would like to scan here rather than in the build pipeline.
I received the following error.

There is no path argument that I am able to specify.

2023-07-12T12:59:12.5314019Z ##[section]Starting: Run Microsoft Defender for DevOps
2023-07-12T12:59:12.5419725Z ==============================================================================
2023-07-12T12:59:12.5419854Z Task : Microsoft Security DevOps
2023-07-12T12:59:12.5419919Z Description : Run the Microsoft Security DevOps CLI for static analysis.
2023-07-12T12:59:12.5420020Z Version : 1.7.2
2023-07-12T12:59:12.5420070Z Author : Microsoft Corporation
2023-07-12T12:59:12.5420133Z Help : Runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis.
2023-07-12T12:59:12.5420233Z ==============================================================================
2023-07-12T12:59:12.7422939Z ##[error]TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received undefined
2023-07-12T12:59:12.7431866Z ##[section]Finishing: Run Microsoft Defender for DevOps

Microsoft Security DevOps - Error calling url: Error: connect ECONNREFUSED 13.107.246.67:443

I receive the below error running the task on a Windows self-hosted agent. The error appeared starting on the 16th of June:

Installing Microsoft Security DevOps Cli version: Latest
##[debug]packageName = Microsoft.Security.Devops.Cli.win-x64
##[debug]agentDirectory = C:\agt_work_msdo
##[debug]agentPackagesDirectory = C:\agt_work_msdo\packages
##[debug]agentVersionsDirectory = C:\agt_work_msdo\versions
##[debug]MSDO CLI version contains a latest quantifier: Latest. Continuing with install...
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ECONNREFUSED 13.107.246.67:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ECONNREFUSED 13.107.246.67:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ECONNREFUSED 13.107.246.67:443
Exception occurred while initializing MSDO:
##[debug]task result: Failed
##[error]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.issue type=error;]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.complete result=Failed;]Error: Failed to install the MSDO CLI nuget package.

Does it have to do with your update? The agent version is the latest, 2.218.1.

Suppress the security violation in template-analyzer

How can I suppress the security violation that is captured by template-analyzer in the below task?

  - task: MicrosoftSecurityDevOps@1
    continueOnError: true
    displayName: Templates Analyser Scanner- TemplatesScan
    inputs:
      categories: 'IaC'
      break: true

I don't find any option to do that when using this task in Azure DevOps.
Please suggest.

Improve Task Documentation

There is a significant gap in parameter input documentation.

Currently the only place I am aware of to find this information is through the UI, hovering over the info indicators.

This is a huge learning curve/hurdle for customer adoption.

Here is an example from other MS tasks: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-resource-manager-template-deployment-v3?view=azure-pipelines

# ARM template deployment v3
# Deploy an Azure Resource Manager (ARM) template to all the deployment scopes.
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
  # Azure Details
    deploymentScope: 'Resource Group' # 'Management Group' | 'Subscription' | 'Resource Group'. Required. Deployment scope. Default: Resource Group.
    azureResourceManagerConnection: # string. Alias: ConnectedServiceName. Required. Azure Resource Manager connection. 
    #subscriptionId: # string. Alias: subscriptionName. Required when deploymentScope != Management Group. Subscription. 
    #action: 'Create Or Update Resource Group' # 'Create Or Update Resource Group' | 'DeleteRG'. Required when deploymentScope = Resource Group. Action. Default: Create Or Update Resource Group.
    #resourceGroupName: # string. Required when deploymentScope = Resource Group. Resource group. 
    #location: # string. Required when action = Create Or Update Resource Group || deploymentScope != Resource Group. Location. 
  # Template
    #templateLocation: 'Linked artifact' # 'Linked artifact' | 'URL of the file'. Required when action = Create Or Update Resource Group || deploymentScope != Resource Group. Template location. Default: Linked artifact.
    #csmFileLink: # string. Required when templateLocation = URL of the file && action = Create Or Update Resource Group || deploymentScope != Resource Group. Template link. 
    #csmParametersFileLink: # string. Optional. Use when templateLocation = URL of the file && action = Create Or Update Resource Group || deploymentScope != Resource Group. Template parameters link. 
    #csmFile: # string. Required when templateLocation = Linked artifact && action = Create Or Update Resource Group || deploymentScope != Resource Group. Template. 
    #csmParametersFile: # string. Optional. Use when templateLocation = Linked artifact && action = Create Or Update Resource Group || deploymentScope != Resource Group. Template parameters. 
    #overrideParameters: # string. Optional. Use when action = Create Or Update Resource Group || deploymentScope != Resource Group. Override template parameters. 
    #deploymentMode: 'Incremental' # 'Incremental' | 'Complete' | 'Validation'. Required when action = Create Or Update Resource Group || deploymentScope != Resource Group. Deployment mode. Default: Incremental.
  # Advanced
    #deploymentName: # string. Optional. Use when action = Create Or Update Resource Group || deploymentScope != Resource Group. Deployment name. 
    #deploymentOutputs: # string. Optional. Use when action = Create Or Update Resource Group || deploymentScope != Resource Group. Deployment outputs. 
    #addSpnToEnvironment: false # boolean. Optional. Use when action = Create Or Update Resource Group || deploymentScope != Resource Group. Access service principal details in override parameters. Default: false.

error while running on a self-hosted agent behind proxy

Hi,

I am trying to use the Microsoft Security DevOps extension for Azure Devops on a self-hosted machine that runs behind the proxy.
The Azure Devops agent configuration has been done using the proxy configuration (--proxyurl http://:8080).

It looks to me like the proxy is not used by the scanner.

I see in the log:
2023-01-11T09:23:35.820+0100 error cli/init.go:42 failed to initialize terrascan. error : could not connect to github.com
2023-01-11T09:23:35.820+0100 error cli/init.go:42 failed to initialize terrascan. error : could not connect to github.com

Kind regards
Gianluca

Add support for Rule Exclusions for the Template Analyzer

Issue

Currently the configuration items for the Template Analyzer through this app are defined here.

There is no way to add rule exclusions. This is useful in the case where some of the rules might not apply and we don't want them to fail the pipeline.

On the Template Analyzer application directly it does have support for rule exclusions via a configuration file as documented here.

Suggestion

Include a way to define rule exclusions that can be passed to the template analyzer app. Alternatively provide a way to provide a configuration file to the app (this will make the tool much more flexible).

[Warning] Ensure :latest version is not used for Docker file (Terrascan Rule: AC_DOCKER_0041)

I am getting the following warning when I use the 'terrascan' tool in an Azure DevOps pipeline.

But I am not using any latest version in my Dockerfile; it still refers to the 'base' and 'build' image variables declared there and throws this warning. Due to this warning, the pipeline task is failing.

Refer to the 'base' and 'build' image variable declarations in the Dockerfile: scanning this line and reporting that warning is fine if a latest version is used. But it scans the image reference from the 'base' and 'build' variables and throws this warning.

Refer to the error-throwing lines 32, 35.

I think it considers this case and fails:
tenable/terrascan#1068 (comment)

How can I overcome this? Is this behavior correct or not?

No Malware Scan Options

As part of Microsoft Security Code Analysis, AntiMalware Scanner Task is retired.

    - task: AntiMalware@3
      displayName: 'AntiMalware Scan'
      inputs:
        FileDirPath: '$(Build.ArtifactStagingDirectory)'

The Microsoft Security DevOps for Azure DevOps ADO Marketplace listing includes AntiMalware in its list of tags; however, I haven't found any options or documentation that launches an antimalware scan.

Could you point me to guidance on executing an antimalware scan with this extension or another supported option for a malware scan?

Unable to Install Extension.

Hello Team,
I am not able to install extensions on my org. It is giving me the following error message:

Azure DevOps version: Server 2020 Version 1.2


Got the error message

I installed this extension and use the Azure Pipelines agent pool. The run does not finish. I got these error messages.
BinSkim completed with exit code 1
##[error]Error running binskim job: 1 of 1
##[error]GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned. BinSkim targets must be a specific filename, or a pattern with a wildcard like *.dll, dir*.dll, or dir*
------------------------------------------------------------------------------

##[error]Error running tool 1 of 4: binskim
##[error]Error running binskim job: 1 of 1
##[error]GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned. BinSkim targets must be a specific filename, or a pattern with a wildcard like *.dll, dir*.dll, or dir*
##[error]MSDO CLI exited with an error exit code: 1

Antimalware Scan not Supported on Linux Build Agents

I'm testing out the anti-malware scan using the ubuntu-latest Azure pipeline image and finding that the error message says this is unsupported on Linux. Over in #26, @sukhans mentioned that Linux should be working with all of the tools now; is that in fact the case, or are some tools still unsupported? If the anti-malware scan is supported, what are the prerequisite steps required to get this functioning properly, and could you please share them?

- task: MicrosoftSecurityDevOps@1
  inputs:
    tools: 'antimalware'
##[error]ConfigurationPathNotFoundException: A configuration file could not be found for: antimalware-linux. This is often due to attempting to use a tool on a platform where it is not yet supported.
##[error]MSDO CLI exited with an error exit code: 1
Finishing: MicrosoftSecurityDevOps

How do I ignore a Terrascan rule?

Suppose I am running MSDO using a task in my ADO build pipeline. Suppose Terrascan reports an issue? Suppose that we accept the risk of this issue and no longer want MSDO to report it? How can I configure this ADO task to ignore the Terrascan rule? Terrascan has ways to allow this (see: https://runterrascan.io/docs/policies/policies/), but I don't see how to do this with MSDO. TIA.

Error: Failed to install the MSDO CLI nuget package while running behind proxy

After the update to the 1.7.x version, the MicrosoftSecurityDevOps@1 task started to fail in Azure DevOps self-hosted agents configured behind a proxy.
It's failing in both Windows and Linux agents. The below logs are from Windows2022 agents.

In previous versions (1.6.x), when it had a dependency on dotnet, execution was fine.

Example failing task

  - task: MicrosoftSecurityDevOps@1
    displayName: Secret scanner
    inputs:
      categories: 'secrets'
      break: true
      publish: true
      artifactName: CodeAnalysisLogs

Log:

##[debug]Evaluating condition for step: 'Secret scanner'
##[debug]Evaluating: SucceededNode()
##[debug]Evaluating SucceededNode:
##[debug]=> True
##[debug]Result: True
Starting: Secret scanner
==============================================================================
Task         : Microsoft Security DevOps
Description  : Run the Microsoft Security DevOps CLI for static analysis.
Version      : 1.7.2
Author       : Microsoft Corporation
Help         : Runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis.
==============================================================================
##[debug]Using node path: C:\agent01-2\externals\node16\bin\node.exe
##[debug]agent.TempDirectory=C:\agent01-2\_work\_temp
##[debug]loading inputs and endpoints
##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
##[debug]loading INPUT_ARTIFACTNAME
##[debug]loading INPUT_BREAK
##[debug]loading INPUT_CATEGORIES
##[debug]loading INPUT_POLICY
##[debug]loading INPUT_PUBLISH
##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
##[debug]loaded 9
##[debug]Agent.ProxyUrl=http://proxy:80
##[debug]Agent.ProxyUsername=undefined
##[debug]Agent.ProxyPassword=undefined
##[debug]Agent.ProxyBypassList=[".*\\.azurewebsites\\.net",".*\\.azure\\.net"]
##[debug]expose agent proxy configuration.
##[debug]expose agent certificate configuration.
##[debug]Agent.SkipCertValidation=undefined
##[debug]config=undefined
##[debug]policy=microsoft
##[debug]categories=secrets
##[debug]languages=undefined
##[debug]tools=undefined
##[debug]publish=true
##[debug]artifactName=CodeAnalysisLogs
##[debug]break=true
##[debug]sarifFile = C:\agent01-2\_work\69\a\.gdn\msdo.sarif
------------------------------------------------------------------------------
Installing Microsoft Security DevOps Cli version: Latest
##[debug]packageName = Microsoft.Security.Devops.Cli.win-x64
##[debug]agentDirectory = C:\agent01-2\_work\_msdo
##[debug]agentPackagesDirectory = C:\agent01-2\_work\_msdo\packages
##[debug]agentVersionsDirectory = C:\agent01-2\_work\_msdo\versions
##[debug]MSDO CLI version contains a latest quantifier: Latest. Continuing with install...
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
(node:8784) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
Exception occurred while initializing MSDO:
##[debug]task result: Failed
##[error]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.issue type=error;]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.complete result=Failed;]Error: Failed to install the MSDO CLI nuget package.
Finishing: Secret scanner

Scan a specific path

Currently the extension scans the entire git repo.
It would be nice to be able to specify a specific path to scan as to not have to scan the entire repo on each pipeline run.

Installing Microsoft Security DevOps Cli: Not supported error (v1.7.1)

Since the update of the Azure DevOps "Microsoft Security DevOps" extension from v1.6.0 to v1.7.1, we started getting the following error when trying to execute the "MicrosoftSecurityDevOps@1" task in our pipelines with self-hosted agents.

Can anybody help me out here? Any feedback is appreciated, thanks.

Regards,
Luca

Azure DevOps Log
log.txt

FR: 🙏 For better cybersecurity for everyone: Github and Defender for DevOps! Be an enabler! (allow 3rd SARIF upload w/o GHAS license)

Hi,

Bringing a topic that I started on Github Community.

I want to bring up this topic because I believe that colleagues and professionals have similar opinions and maybe it can at least poke a good discussion about this.

We're facing the most challenging cybersecurity era, given our constant shortage of professionals, but also the rapid growth of attacks and the requirement to reach continuous improvement during digital transformation. One of the biggest challenges is to "connect the dots" and "build bridges" between all the small or big tools that you already have and need to continue using over your endless pipelines/processes/technologies/developers... (you know, it's an infinite game).

Microsoft in the last years has had an important role in being more agnostic, multi-cloud, and absolutely more open to the community and open standards.

With the recent launch of Defender for DevOps we see how they're progressing in covering customers, businesses, and people as fast and broadly as they can.

Immediately you want to connect all your tools, and you realize that, to benefit from this integration to push results to Github and finally to MSDO from your 3rd party tools for secrets scanning, code scanning, and all others, you must have a GHAS.

I believe that 99% of Github customers already have a security pipeline with 3rd party tools like SAST, DAST, IaC scanners, secrets scanners, and other open-source tools that support the SARIF format. I hope, for the good of the cybersecurity ecosystem, that Github can allow customers that have more than 3 tools to do a complementary job, to improve visibility for developers and education in cybersecurity in a broad and simpler way. It's not only for MSDO integration but also for helping security teams better communicate with developers. I don't think this reduces the GHAS product's value or its strong points; on the contrary, it will enforce a healthy competition of tools and, in the last instance, improve customers' security. I may be wrong, but I think it was fair to bring some light to this topic with community members. 😉

Regards,

Error running pipeline

Hi there. I have a simple bicep pipeline running installing a scale set through modules that are sat in a private container registry. I have this working with PSRule and is working nicely.

I am getting a few errors while trying to get this working, and there is limited documentation. Any help would be great.

(from stage 'Lint and scan code', job 'Defender for DevOps', task 'Microsoft Security DevOps')

Error running templateanalyzer job: 1 of 1
GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template
Error running tool 2 of 3: templateanalyzer
Error running templateanalyzer job: 1 of 1
GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template
MSDO CLI exited with an error exit code: 1

Trivy version is very out of date

This tool uses a very old version of trivy (v0.19.2), which causes issues because apps using package-lock.json with lockfileVersion: 3 are not supported and vulnerabilities aren't found.

When is this going to be updated? Having such an old version makes the tool hard to justify using.

Error message from default setup

I have this task; (following the doc)

- task: MicrosoftSecurityDevOps@1
  inputs:
    categories: 'secrets'

These are the error messages I get from this basic setup, using ubuntu-22.04 (is a specific MS-hosted agent preferred?).

##[error]RunCommandNoOptionsException: No applicable tools were detected. Run requires at least one configuration to run. Provide at least one Guardian config or tool with --config or --tool.
##[error]MSDO CLI exited with an error exit code: 2

Pipeline task 'MicrosoftSecurityDevOps@1' fails to detect the Secrets/passwords in Python files.

Previously, when using the Microsoft Security Code Analysis (MSCA) extension for Cred Scan, it failed to detect the passwords in Python (*.py) files, so we planned to migrate to the MicrosoftSecurityDevOps extension, but it still fails to detect the password in Python files.

Also is there any option to specify the suppressions file path which was available in Microsoft Security Code Analysis (MSCA)?

Looking forward to your suggestions.

Global Exclusion/Suppression File Support/Format

I'm using:

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Secrets scanning with Microsoft Security DevOps'
      inputs:
        categories: 'secrets'
        break: true

I'd like to establish a baseline without halting my build.

I know I could simply turn break: false but I'm trying to stop any contributors from including. I'd like to follow the pattern that static analysis does with a suppression file (like GlobalSuppressions.cs for static code analysis).

I can't find any documentation on suppression lists/files, the only docs I can find point me to comments in line:
#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine")] or #[SuppressMessage("Microsoft.Security", "CS002:SecretInLine")]

I have a few issues

  1. It's bad form to include // or /**/ in json files (of which we have many)
  2. I have false positives on a binary file, in which I can't write a comment

Does anyone have a way to specify files/lines to ignore outside of in-line comments?
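One way to get the baseline behaviour asked for in this post without in-line comments is to diff the task's SARIF output against a reviewed copy in a small follow-up pipeline step, and break only on findings the baseline does not already contain. The script below is an added example, not code from the extension or its maintainers. It assumes the output path `.gdn/msdo.sarif` that the task logs on this page show, a baseline SARIF file you commit yourself after review, and a (ruleId, normalized file URI, startLine) fingerprint that is this example's own convention rather than a documented MSDO or SARIF contract; the two SARIF documents embedded in it are constructed samples, not real scanner output.

```python
"""Baseline-diff over MSDO SARIF output (added example, not part of the extension).

Assumptions: the task writes .gdn/msdo.sarif (path seen in the task logs); a
reviewed copy is kept as a baseline; a finding is identified by
(ruleId, normalized file URI, startLine). That fingerprint is a convention of
this example only.
"""
import json
import sys
from pathlib import Path

Fingerprint = tuple[str, str, int]


def _normalize_uri(uri: str) -> str:
    """Make Windows paths and file:/// URIs comparable with plain relative paths."""
    uri = uri.replace("\\", "/")
    if uri.startswith("file:///"):
        uri = uri[len("file:///"):]
    if uri.startswith("./"):
        uri = uri[2:]
    return uri


def result_fingerprints(sarif: dict) -> set[Fingerprint]:
    """Collect one fingerprint per (rule, file, line) across all runs in a SARIF log."""
    fps: set[Fingerprint] = set()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "")
            # A result with no location still counts, keyed on an empty file.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                fps.add((rule, _normalize_uri(uri), line))
    return fps


def new_findings(current: dict, baseline: dict) -> list[Fingerprint]:
    """Findings present in the current scan that the baseline does not contain."""
    return sorted(result_fingerprints(current) - result_fingerprints(baseline))


def gate(current: dict, baseline: dict) -> int:
    """Exit code for a pipeline step: 0 when nothing is new, 1 otherwise."""
    fresh = new_findings(current, baseline)
    for rule, uri, line in fresh:
        print(f"NEW {rule} at {uri}:{line}")
    return 1 if fresh else 0


# Constructed sample logs (not real tool output). The baseline holds one accepted
# finding; the current scan repeats it (with a Windows-style path) and adds one.
BASELINE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-scanner"}}, "results": [
        {"ruleId": "EXAMPLE001", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "./config/settings.json"},
            "region": {"startLine": 7}}}]},
    ]}],
}
CURRENT_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-scanner"}}, "results": [
        {"ruleId": "EXAMPLE001", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "config\\settings.json"},
            "region": {"startLine": 7}}}]},
        {"ruleId": "EXAMPLE001", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/app.py"},
            "region": {"startLine": 12}}}]},
    ]}],
}


def main(argv: list[str]) -> int:
    """Usage: sarif_baseline.py .gdn/msdo.sarif baseline.sarif (no args: run the samples)."""
    if len(argv) == 3:
        current = json.loads(Path(argv[1]).read_text(encoding="utf-8"))
        baseline = json.loads(Path(argv[2]).read_text(encoding="utf-8"))
    else:
        current, baseline = CURRENT_SARIF, BASELINE_SARIF
    return gate(current, baseline)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a script step after the MicrosoftSecurityDevOps@1 task with `break: false`, pointing the first argument at the task's SARIF output and the second at the committed baseline; the step's non-zero exit then fails the job only when a finding outside the baseline appears, which is what the post asks for. The path normalization matters because the same file can surface with a leading `./`, backslashes or a `file:///` prefix depending on the agent OS, and without it every such difference would count as a new finding.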
