microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License

Prevent the release pipeline start based on CodeQL output #30

Closed dariusz-bzowka-chain-insight closed 6 months ago

dariusz-bzowka-chain-insight commented 6 months ago

Hello.

How can I prevent the release pipeline from starting based on CodeQL output?

For example: I run the build pipeline with CodeQL tasks; if "high" severity alerts are detected, I don't want to deploy with the release pipeline.

dariusz-bzowka-chain-insight commented 6 months ago

OK. I took your script and rearranged it, and now I have what I need (works with regular PowerShell):

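# Release gate: queries Azure DevOps Advanced Security alerts for one repository
# and exits non-zero when any alert matches the configured severities/states/types.
# Every error path also exits non-zero, so the gate can only pass on a successful,
# parseable API response (fail closed). The original used `continue` on error
# paths; with no enclosing loop that ends the script with exit code 0, i.e. the
# release would proceed whenever the API call failed.
#
# Requires PowerShell 7+ (-SkipHttpErrorCheck, ternary operator).
# Inputs (environment): PAT                   - Azure DevOps PAT able to read Advanced Security alerts
#                       CHINS_REPOSITORY_NAME - repository name
# Exit codes: 0 = no matching alerts; 1 = matching alerts found, or the gate could not be evaluated
$pat = $env:PAT
$repository = $env:CHINS_REPOSITORY_NAME

$orgUri = 'https://vsrm.xxxxxxx'
$project = 'xxxxx'
$orgName = 'xxxxxx'
# This script always gates a single repository; $scope is only used in the final message.
$scope = 'repository'

# Fail closed on missing configuration. An empty PAT would otherwise produce a 401,
# which the enablement check below could misreport as "Advanced Security is not enabled".
if ([string]::IsNullOrWhiteSpace($pat)) {
    Write-Error ' PAT environment variable is not set'
    exit 1
}
if ([string]::IsNullOrWhiteSpace($repository)) {
    Write-Error ' CHINS_REPOSITORY_NAME environment variable is not set'
    exit 1
}

# PAT goes in the Basic auth header with an empty user name (":<pat>").
$headers = @{ Authorization = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$pat")))" }

# Report Configuration
$severities = @("critical", "high")
$states = @("active")
$alertTypes = @("code", "secret", "dependency")
# Per-severity SLA in days; reserved for the firstSeen filter that is commented out below.
$severityDays = @{
    "critical" = 7
    "high"     = 30
    "medium"   = 90
    "low"      = 180
}
# Upper bound passed as ?top= to the alerts API. Constructed default: the variable was
# never assigned in the original, so the query was sent with an empty top= value.
$maxAlertsPerRepo = 10000

# Human-readable link to the repo's alerts page, used only in messages.
$alertUri = $orgUri + ('/' * ($orgUri[-1] -ne '/')) + [uri]::EscapeUriString($project + '/_git/' + $repository + '/alerts')
$url = "https://advsec.dev.azure.com/{0}/{1}/_apis/alert/repositories/{2}/alerts?top={3}&api-version=7.2-preview.1" -f $orgName, $project, $repository, $maxAlertsPerRepo

$parsedAlerts = $null
try {
    $alerts = Invoke-WebRequest -Uri $url -Headers $headers -Method Get -SkipHttpErrorCheck
    if ($alerts.StatusCode -ne 200) {
        # Distinguish "not enabled" from other failures - https://learn.microsoft.com/en-us/rest/api/azure/devops/management/repo-enablement/get?view=azure-devops-rest-7.2
        $enablementUrl = "https://advsec.dev.azure.com/{0}/{1}/_apis/management/repositories/{2}/enablement" -f $orgName, $project, $repository
        $repoEnablement = Invoke-WebRequest -Uri $enablementUrl -Headers $headers -Method Get -SkipHttpErrorCheck
        # Only trust the enablement body on a 200; an error body has no advSecEnabled
        # property, and "!$null" would otherwise read as "not enabled".
        $enablement = $null
        if ($repoEnablement.StatusCode -eq 200) {
            $enablement = $repoEnablement.Content | ConvertFrom-Json
        }

        if ($repoEnablement.StatusCode -eq 200 -and -not $enablement.advSecEnabled) {
            Write-Error " Advanced Security is not enabled for $alertUri"
        }
        elseif ($alerts.StatusCode -eq 404) {
            # 404 = Repo has no source code
            Write-Error " Repo is empty for $alertUri"
        }
        else {
            # 401/403 = Token has no permissions to view Advanced Security alerts
            Write-Error " Error $($alerts.StatusCode) $($alerts.StatusDescription) getting alerts from Azure DevOps Advanced Security for $($alertUri)"
        }
        # Any non-200 means the gate could not be evaluated: fail closed.
        exit 1
    }
    $parsedAlerts = $alerts.Content | ConvertFrom-Json
}
catch {
    Write-Error " Unhandled Exception getting alerts from Azure DevOps Advanced Security: $($_.Exception.Message), $($_.Exception.Response.StatusCode), $($_.Exception.Response.RequestMessage.RequestUri)"
    exit 1
}

# If the response is as large as the ?top= bound, alerts may have been cut off.
# The API's paging contract is not known here, so treat that as inconclusive and fail closed.
$returned = 0
if ($null -ne $parsedAlerts.value) {
    $returned = @($parsedAlerts.value).Count
}
if ($returned -ge $maxAlertsPerRepo) {
    Write-Error " Alert response reached the top=$maxAlertsPerRepo bound; the result may be truncated"
    exit 1
}

# @(...) keeps $alertList an array even when 0 or 1 alerts match.
$alertList = @(foreach ($alert in $parsedAlerts.value) {
    # -and $alert.firstSeen -as [DateTime] -lt (Get-Date).ToUniversalTime().AddDays(-$slaDays) `
    if ($alert.severity -in $severities `
            -and $alert.state -in $states `
            -and $alert.alertType -in $alertTypes) {
        # use a custom object so we can control sorting
        [pscustomobject]@{
            "Alert Id"    = $alert.alertId
            "Alert State" = $alert.state
            "Alert Title" = $alert.title
            "Alert Type"  = $alert.alertType
            "Severity"    = $alert.severity
        }
    }
})

if ($alertList.Count -gt 0) {
    $alertList = @($alertList | Sort-Object -Property "Alert Id")
    # Print what blocked the release so the pipeline log is actionable.
    $alertList | Format-Table -AutoSize | Out-String | Write-Host
    Write-Error " $($alertList.Count) alert(s) detected ($($severities -join ', ')) for $alertUri"
    exit 1
}
else {
    Write-Host "No alerts detected for at the scope:$scope ( org: $orgName$( $scope -in @('project','repository') ? ', project: ' + $project : '' )$( $scope -in @('repository') ? ', repository: ' + $repository : '' ))"
    exit 0
}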