microsoft / sarif-azuredevops-extension

MIT License

How to check or read a SARIF file for any vulnerabilities found or not found during code scanning #42

Closed ritesh-harry closed 1 month ago

ritesh-harry commented 3 months ago

Hello,

I wanted to find out if there is a way to check/read the SARIF file regarding the detection of any vulnerabilities in a pipeline run?

To provide some context I have implemented GHAS for Azure DevOps in all my yaml pipelines and I would like to use a condition or set some checks in the same pipeline to check whether or not the Advanced Security Perform CodeQL analysis task has detected any vulnerabilities and depending on whether or not there are vulnerabilities detected I can choose to run or skip a subsequent task(s) in the same pipeline, or, for example, force the pipeline to complete with issues etc. There does not seem to be any sort of 'out of the box' way to do this.

I noticed that, whether or not the task has found any vulnerabilities, the task has a built-in variable which it always sets to 'true', and it will publish a SARIF file (variable shown below). In the scans tab of the pipeline, if no vulnerabilities are detected, it will display a "No results found..." image. It would have been great if that variable were set to false when no vulnerabilities were found, as I could use that to determine whether or not to run or skip a subsequent task(s) in the same pipeline.

##[debug]Processed: ##vso[task.setvariable variable=advancedsecurity.codeql.results.published;isOutput=false;issecret=false;]true

To try to explain better what I am trying to achieve: I am currently doing something similar with the Advanced Security Dependency Scanning task, whereby I am reading the log file from the task, which actually states if any vulnerabilities have been found. For example, the log file contains the below if vulnerabilities have been found:

[WRN] Dependency Scanning has detected

Depending on whether or not the Advanced Security Dependency Scanning task has detected any vulnerabilities, I can set a custom variable which I can use in subsequent task(s) in the same pipeline, for example, forcing the pipeline to complete with issues if there are any dependency vulnerabilities detected.

If you can provide any ideas on how I can achieve what I am trying to do that will be greatly appreciated.

Apologies if I have not raised this in the correct place. If you can redirect me that would be great.

Thank you.
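One way to get the gating signal the question asks for, as an added example (not code from this extension or from the CodeQL task): a script step placed after the CodeQL task reads the published SARIF file, counts the results across all runs, and emits the same `##vso[task.setvariable ...]` logging command the task's debug log shows, so a later task can use a condition on that variable. The SARIF path, the variable name `codeql.hasFindings`, and the sample SARIF content are assumptions; the minimal SARIF document below is constructed for the example.

```python
import json

# Constructed minimal SARIF 2.1.0 document standing in for the file the
# CodeQL task publishes; rule id, message and location are sample values.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [{
            "ruleId": "js/sample-rule",
            "level": "error",
            "message": {"text": "sample finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.js"}}}],
        }],
    }],
})

# Severity order used to filter results; SARIF 2.1.0 treats a result with
# no explicit "level" as "warning" (a rule's defaultConfiguration can
# override that, which this example does not consult).
LEVEL_ORDER = {"note": 0, "warning": 1, "error": 2}


def count_results(sarif_text, min_level=None):
    """Return the number of results across every run in a SARIF document.

    If min_level is "note", "warning" or "error", only results at that
    severity or higher are counted. An empty runs[].results list (the
    "No results found" case) yields 0.
    """
    doc = json.loads(sarif_text)
    total = 0
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            if min_level is None or LEVEL_ORDER.get(level, 1) >= LEVEL_ORDER[min_level]:
                total += 1
    return total


def setvariable_command(name, value):
    """Build the Azure Pipelines logging command that sets a pipeline
    variable (the ##vso form the CodeQL task itself emits)."""
    return f"##vso[task.setvariable variable={name};]{value}"


def gating_command(sarif_text, variable="codeql.hasFindings", min_level=None):
    """Return the logging command a script step should print: the variable
    is 'true' when the SARIF file holds at least one result, else 'false'."""
    has_findings = count_results(sarif_text, min_level) > 0
    return setvariable_command(variable, str(has_findings).lower())
```

A script step would call `print(gating_command(open(path).read()))` on the published SARIF path, and a later task can then carry `condition: eq(variables['codeql.hasFindings'], 'true')`.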

50Wliu commented 1 month ago

Hi @ritesh-harry, it sounds like you'll probably want to file a feature request at https://aka.ms/devcom asking for the "Advanced Security Perform CodeQL analysis" task to support a variable implementing what you're describing.

This extension does fairly minimal parsing of the SARIF file after the pipeline run finishes, before passing it further down the line to https://github.com/microsoft/sarif-web-component, so there isn't anything we can do here :/.