Closed ktran1005 closed 10 months ago
Followed up with this issue. When I use the tools parameter to specify binskim, I received this error: ##[error]Error running binskim job: 1 of 1
```yaml
steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Defender for DevOps'
  inputs:
    tools: 'binskim, terrascan, credscan'
```
Can you please check if there are any .dll and/or .exe files in the default working directory? If there is no such file, then the above error you hit is expected and the BinSkim tool is regarded as not applicable for your case/scenario, which is why the BinSkim tool was not run in the first place. Please check and let us know. Thanks.
Hi @JiandongJiang. Thanks for the response. I was using the binskim task earlier without any issues but wanted to switch to the MicrosoftSecurityDevOps task. In my binskim task, I downloaded my artifact and stored it in a specific directory, and I was able to specify the path of the directory and pass it to binskim to scan (this method ran without any issues). I wonder if we have something similar to that. Below is the way that I use the BinSkim task in my YAML.
```yaml
- task: BinSkim@3
  displayName: 'Run BinSkim'
  continueOnError: true
  inputs:
    InputType: 'Basic'
    Function: 'analyze'
    AnalyzeTarget: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'
    AnalyzeVerbose: true
    AnalyzeRecurse: true
```
I did try something similar but still received the same error with MicrosoftSecurityDevOps@1 task by changing the target as:
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    tools: 'binskim, TemplateAnalyzer'
    Target: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'
```
I am not sure if this is the right way to do it, though.
Update part 3: I tried to use an env variable to fix the target path but had no luck either.
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    tools: 'binskim'
  env:
    binskim_target: '$(Build.ArtifactStagingDirectory)\binskim\${{ parameters.binskimPath }}'
    binskim_recurse: 'true'
    binskim_verbose: 'true'
```
A few questions:
To narrow down the issue, I would suggest that you first copy a .dll or .exe file to a known location before running the MicrosoftSecurityDevOps@1 task and then hard code the GDN_BINSKIM_TARGET to point to that copied file path in the MicrosoftSecurityDevOps@1 task.
Hi @JiandongJiang, thanks for the response.
Yes, there is another task that downloads the .dll files from the artifact and stores them in the $(Build.ArtifactStagingDirectory)\binskim directory. I was using the BinSkim@3 task and specified the path where I stored the .dll files, and it worked. Therefore, I assume that it will work if I use the MicrosoftSecurityDevOps@1 task.
```yaml
steps:
- ${{ if ne( parameters.artifactName, '') }}:
  - task: DownloadPipelineArtifact@2
    displayName: 'Download Artifact'
    inputs:
      buildType: 'current'
      artifactName: ${{ parameters.artifactName }}
      targetPath: '$(Build.ArtifactStagingDirectory)/binskim'
- task: BinSkim@3
  displayName: 'Run BinSkim'
  continueOnError: true
  inputs:
    InputType: 'Basic'
    Function: 'analyze'
    AnalyzeTarget: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'
    AnalyzeVerbose: true
    AnalyzeRecurse: true
```
UPDATE: Hi @JiandongJiang, I followed your suggestion by trying to copy a .dll file into a specific directory and hard-coding the GDN_BINSKIM_TARGET to point to that copied file path in the MicrosoftSecurityDevOps@1 task, and it works. However, I still don't know why, when I try to scan from the downloaded artifact, it didn't detect any .dll. But the BinSkim task was able to scan with the same path as I passed above with the BinSkim@3 task.
UPDATE: I made it work.
Thanks for the updates and glad to know that it works for you now.
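The check suggested in the replies above (are there any .dll or .exe files where BinSkim will look?) can be run as a pre-flight step before the MicrosoftSecurityDevOps@1 task. The script below is an added example, not code from this thread or from the project; the function names, the constructed sample tree and the "MZ" header test are assumptions made for illustration.

```bash
# List every .dll/.exe under $1 (recursive, case-insensitive) that begins
# with the "MZ" magic bytes of a PE file. The MZ test is an assumption added
# here to skip empty placeholder files; the thread only mentions extensions.
list_binskim_candidates() {
  local dir="$1" f
  [ -d "$dir" ] || return 0            # missing directory: no candidates
  find "$dir" -type f \( -iname '*.dll' -o -iname '*.exe' \) -print |
  while IFS= read -r f; do
    if [ "$(head -c 2 "$f" | tr -d '\0')" = "MZ" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Print the candidate count and return 0 when there is something to scan.
# Return 1 with a diagnostic otherwise, so the step fails visibly instead
# of the scanner being treated as not applicable.
check_binskim_target() {
  local dir="$1" count
  count=$(list_binskim_candidates "$dir" | wc -l | tr -d ' ')
  if [ "$count" -eq 0 ]; then
    echo "No .dll/.exe PE files under '$dir'; BinSkim has nothing to scan" >&2
    return 1
  fi
  echo "$count"
}

# Constructed sample tree standing in for the downloaded artifact directory.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/app/bin" "$root/docs"
  printf 'MZ\220\000' > "$root/app/bin/Service.DLL"   # PE-like stub
  printf 'MZ\220\000' > "$root/app/tool.exe"          # PE-like stub
  : > "$root/app/empty.dll"                           # right extension, empty
  echo "notes" > "$root/docs/readme.txt"
  echo "$root"
}

# Demo on the constructed tree.
sample=$(make_sample_tree)
check_binskim_target "$sample"                         # prints 2
check_binskim_target "$sample/docs" || echo "docs: scan would be skipped"
rm -rf "$sample"
```

In a pipeline script step, call `check_binskim_target` on the directory that holds the file GDN_BINSKIM_TARGET points to, for example `"$BUILD_ARTIFACTSTAGINGDIRECTORY/binskim"`.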
Hello everyone, I am trying to use task: MicrosoftSecurityDevOps@1 to scan through my code. I leave it as default, which I assume means that it will run all the tools it covers. However, when I run the pipeline, these are the tools it runs (it doesn't have binskim). Does anyone have any idea why this happened? Thanks!