microsoft / knossos-ksc

Compiler with automatic differentiation

Piloting Dependency Detection Action #905

Closed grvillic closed 3 years ago

grvillic commented 3 years ago

Build time detection pilot

Description

Build time detection feature will allow GitHub to accurately collect an inventory of the components necessary to build your project. It is based on the same concept of Component Detection in ADO. As of today, we report to engineers in their build logs any introduced vulnerabilities. This delta will be shown within your PR and default branch builds. This feature was done as a collaboration between MS Open Source Engineering and GitHub's Dependency Graph team. This repo was selected because it meets our piloting criteria. Pilot repositories should:

Cloning our private repo will require a PAT named GH_PRIVATE_REPO_PAT which we can provide. Someone who has permissions to add secrets to the repo should reach out to either grvillic, tevoinea or via slack in #msft-ose. We have plans to open source this detector later this year, but as of now we are using a PAT to fetch it.

Escape Hatch

If something goes wrong, please reach out to either of the 2 emails above and do not hesitate to remove the actions from your workflows to unblock.

FAQ

Q: Will this break my PR builds if I already had vulnerable components? A: No, we only pick up deltas between PR and latest master build. If a vulnerable package is found, we just drop a warning in your build logs, we do not enforce any broken builds just yet.

Q: Will this register components in my Component Governance? A: No, this project is separate from Component Governance and will only register components in GitHub.

Q: How to fix the Dependency Detection Setup step failure with Error: Input required and not supplied: token? A: If this log still happens AFTER a repo admin has added the secret to the repository, it means we (PR authors) don't have write access. Our PR checks won't pass because we don't have privileges to pull secrets in our workflow updates. To fix this, a repository admin needs to recreate this exact same PR.

Q: I see a warning after the first run with Warning: Failed to apply policy? A: This is expected to happen the first time only. It happens because the build does not have a baseline to compare against. Another way this log could happen is if you haven't enabled Dependency Graph in your repo, most internal repos have this enabled by default. You can confirm by going to your repo's /network/dependencies, top menu "Insights -> Dependency Graph" (explicit message "the dependency graph is not enabled").
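A guard for the failure mode in the "Input required and not supplied: token" FAQ entry, as an added example and not a workflow from the pilot or from knossos-ksc. The detector repository name (`microsoft/private-detector`) and the step names are placeholders, since the issue does not give them; the secret name `GH_PRIVATE_REPO_PAT` and the `actions/checkout` inputs are real. The `secrets` context cannot be used in a step's `if`, so the secret is copied into a job-level `env` and the guard tests that; on pull requests where GitHub withholds the secret (forks, or authors without write access) the setup step is skipped with a warning instead of failing the check.

```yaml
name: Dependency Detection (pilot)

on:
  pull_request:
  push:
    branches: [master]

jobs:
  dependency-detection:
    runs-on: ubuntu-latest
    # Map the secret once at job level: `secrets.*` is not available in a
    # step-level `if`, but `env.*` is. When GitHub does not pass secrets to
    # the run (PR from a fork / author without write access) this is empty.
    env:
      GH_PRIVATE_REPO_PAT: ${{ secrets.GH_PRIVATE_REPO_PAT }}

    steps:
      - uses: actions/checkout@v3

      # Fragile form (for comparison, left commented out): unconditional,
      # so an empty secret surfaces as
      #   Error: Input required and not supplied: token
      # - uses: actions/checkout@v3
      #   with:
      #     repository: microsoft/private-detector   # hypothetical name
      #     token: ${{ secrets.GH_PRIVATE_REPO_PAT }}
      #     path: detector

      # Guarded form: only attempt the private clone when the PAT is present.
      - name: Dependency Detection Setup
        if: env.GH_PRIVATE_REPO_PAT != ''
        uses: actions/checkout@v3
        with:
          repository: microsoft/private-detector   # hypothetical; the issue does not name the detector repo
          token: ${{ env.GH_PRIVATE_REPO_PAT }}
          path: detector

      # Make the skip visible in the build log instead of silently doing nothing.
      - name: Dependency Detection skipped
        if: env.GH_PRIVATE_REPO_PAT == ''
        run: echo "::warning::GH_PRIVATE_REPO_PAT is not available to this run (fork PR or no write access); dependency detection skipped"
```

The skip matches the pilot's stated behaviour of warning rather than breaking builds. A repository admin still has to add the secret, and since any workflow on a branch with write access can read it, the PAT should be scoped to read access on the single private repository that hosts the detector.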

grvillic commented 3 years ago

👋 @toelli-msft We are onboarding private MS repos to our new build time detection feature, and this repo seems to be good fit. Could you help us out by adding a secret to the repo to fetch our internal detector? I can provide it to you offline, let me know if you have any questions or concerns.

toelli-msft commented 3 years ago

@cgravill are you familiar with this at all?

cgravill commented 3 years ago

@toelli-msft I'm not, but it sounds positive. I have the rights to add secrets if we want to go ahead, @awf ?

@grvillic are there plans to cover GHAE?

grvillic commented 3 years ago

@cgravill - Yes, that has to be in our roadmap since most MS internal accounts will be hosted there post ADO migration. We are just waiting on Dependency Graph + GitHub Advisories services to be available for GHAE. Both teams are working on it to make that happen.

cgravill commented 3 years ago

Yes, sounds good. Colin, you didn't quantify "add a little time", but I'm assuming no more than 1 minute/5%?

On one instance, 12+1 seconds of a 41-second total.