microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License
104 stars, 47 forks

Error with specifying template analyzer environment variables #47

Open pamelafox opened 1 year ago

pamelafox commented 1 year ago

I am trying to use the action to analyze a single template, so I specified env variables that seem to correspond to the usage described in https://github.com/Azure/template-analyzer:

      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        env:
          GDN_TEMPLATEANALYZER_VERBOSE: 1
          GDN_TEMPLATEANALYZER_ANALYZETEMPLATE: "infra/main.json"
          GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH: "infra/main.parameters.json"
        id: msdo
        with:
          tools: templateanalyzer

However that results in a poorly formed command and subsequent error:

  Analyze:
    Using environment variable override: AnalyzeTemplate=infra/main.json
    Using environment variable override: ParametersFilePath=infra/main.parameters.json
    Using environment variable override: Verbose=1
    Running ARM Template Best Practice Analyzer 0.4.0
    ------------------------------------------------------------------------------
    /home/runner/work/_msdo/packages/nuget/Azure.Templates.Analyzer.CommandLine.linux-x64.0.4.0/tools/TemplateAnalyzer analyze-directory /home/runner/work/simple-fastapi-container/simple-fastapi-container --report-format sarif --output-file-path /home/runner/work/simple-fastapi-container/simple-fastapi-container/.gdn/.r/templateanalyzer/001/templateanalyzer.sarif analyze-template infra/main.json --parameters-file-path infra/main.parameters.json --verbose
    Unrecognized command or argument 'analyze-template'
    Unrecognized command or argument 'infra/main.json'
    analyze-directory:
    Unrecognized command or argument '--parameters-file-path'
    Unrecognized command or argument 'infra/main.parameters.json'

Here's the full workflow: https://github.com/pamelafox/simple-fastapi-container/actions/runs/4485952792/jobs/7887991866?pr=6

Can you clarify proper usage? Thanks!

JohnathonMohr commented 1 year ago

Hi @pamelafox, Template Analyzer supports only one of analyze-template and analyze-directory, but it looks like that scenario isn't handled properly here during invocation with environment variable overrides.

As a workaround, are you able to instead override the directory to the location of the infra directory so Template Analyzer finds that template and parameters file in a directory scan? (This would also result in scanning any other templates discovered in that directory or subdirectories.)
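The failure mode JohnathonMohr describes can be made concrete with a small model of the argument builder. This is an added example, not code from security-devops-action or from Azure/template-analyzer: `build_args_buggy` reproduces what the log above shows (a fixed `analyze-directory <repo>` prefix with the environment-variable overrides appended after it, so two mutually exclusive subcommands end up on one line), and `build_args` is a hardened builder that selects exactly one subcommand and rejects a parameters file without a template, which is what TemplateAnalyzer itself rejects in the log. Assumptions: the override names mirror the `Using environment variable override:` lines; a `GDN_TEMPLATEANALYZER_DIRECTORY` override for the directory-scan workaround is a hypothetical name; and `--report-format`/`--output-file-path` are assumed to be accepted by both subcommands (the log only shows them after `analyze-directory`).

```python
"""Model of how a wrapper assembles the TemplateAnalyzer command line.

Added example, not code from security-devops-action or template-analyzer.
Subcommand and flag names are copied from the invocation in the issue log;
GDN_TEMPLATEANALYZER_DIRECTORY is an assumed, hypothetical override name.
"""
from typing import Dict, List, Mapping

PREFIX = "GDN_TEMPLATEANALYZER_"
SUBCOMMANDS = ("analyze-template", "analyze-directory")


def _overrides(env: Mapping[str, str]) -> Dict[str, str]:
    """Collect GDN_TEMPLATEANALYZER_* variables, keyed by upper-cased suffix."""
    return {k[len(PREFIX):].upper(): v for k, v in env.items() if k.startswith(PREFIX)}


def build_args_buggy(repo_dir: str, sarif_path: str, env: Mapping[str, str]) -> List[str]:
    """Reproduces the malformed invocation from the issue: a hard-coded
    analyze-directory prefix, then every override appended verbatim."""
    ov = _overrides(env)
    args = ["analyze-directory", repo_dir,
            "--report-format", "sarif", "--output-file-path", sarif_path]
    if "ANALYZETEMPLATE" in ov:
        args += ["analyze-template", ov["ANALYZETEMPLATE"]]   # second subcommand!
    if "PARAMETERSFILEPATH" in ov:
        args += ["--parameters-file-path", ov["PARAMETERSFILEPATH"]]
    if ov.get("VERBOSE") == "1":
        args.append("--verbose")
    return args


def build_args(repo_dir: str, sarif_path: str, env: Mapping[str, str]) -> List[str]:
    """Hardened builder: exactly one subcommand, chosen before any flags are
    appended; a parameters file is only legal with analyze-template."""
    ov = _overrides(env)
    template = ov.get("ANALYZETEMPLATE")
    params = ov.get("PARAMETERSFILEPATH")
    if template:
        args = ["analyze-template", template]
        if params:
            args += ["--parameters-file-path", params]
    else:
        if params:
            # analyze-directory rejects --parameters-file-path (see the log).
            raise ValueError("ParametersFilePath requires AnalyzeTemplate")
        # DIRECTORY is an assumed override name for the directory-scan workaround.
        args = ["analyze-directory", ov.get("DIRECTORY", repo_dir)]
    # Assumed: both subcommands accept the same report/output flags.
    args += ["--report-format", "sarif", "--output-file-path", sarif_path]
    if ov.get("VERBOSE") == "1":
        args.append("--verbose")
    return args


def subcommands(args: List[str]) -> List[str]:
    """Return every subcommand token present; a valid command line has one."""
    return [a for a in args if a in SUBCOMMANDS]


def rejects_params_without_template(repo_dir: str, sarif_path: str,
                                    env: Mapping[str, str]) -> bool:
    """True if the hardened builder refuses a parameters file with no template."""
    try:
        build_args(repo_dir, sarif_path, env)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample matching the env block from the workflow in the issue.
    sample_env = {
        "GDN_TEMPLATEANALYZER_VERBOSE": "1",
        "GDN_TEMPLATEANALYZER_ANALYZETEMPLATE": "infra/main.json",
        "GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH": "infra/main.parameters.json",
    }
    print("buggy:", " ".join(build_args_buggy("/repo", "/repo/out.sarif", sample_env)))
    print("fixed:", " ".join(build_args("/repo", "/repo/out.sarif", sample_env)))
```

Running the block prints the two command lines side by side; the buggy one carries both `analyze-directory` and `analyze-template`, which is exactly what produced the `Unrecognized command or argument` errors above, while the fixed one emits only `analyze-template` with the parameters file attached to it. The design point is that the subcommand must be decided before any override is appended, because the overrides are not independent flags but a choice between two modes.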

pamelafox commented 1 year ago

Thanks @JohnathonMohr for the suggestion. I've now run into this issue for a different repo where I need to specify a parameters file in a different location than the template, so that workaround won't work. (The reason for giving a different parameters file is that it's erroring on the standard one.)

Workflow: https://github.com/Azure-Samples/azure-search-openai-demo/actions/runs/5612499732/jobs/10270382709?pr=444#step:4:89