microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License

Missing binskim scanning when running as default #66

Closed ktran1005 closed 10 months ago

ktran1005 commented 10 months ago

Hello everyone, I am trying to use task: MicrosoftSecurityDevOps@1 to scan through my code. I leave it as default, which I assume means it will run all the tools it covers. However, when I run the pipeline, these are the tools it runs (it doesn't have binskim). Does anyone have any idea why this happened? Thanks!

ktran1005 commented 10 months ago

Followed up with this issue. When I use the tools parameter to specify binskim, I receive this error:

    ##[error]Error running binskim job: 1 of 1
    [error]AnalyzeArgumentNoValuesException: Argument Target has no values. Check your configuration. -- Additional arguments:Microsoft.Guardian.InvalidResponseFileContentsException: InvalidResponseFileContentsException: Cannot create a response file with zero arguments.

    steps:
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Run Microsoft Defender for DevOps'
      inputs:
        tools: 'binskim, terrascan, credscan'

JiandongJiang commented 10 months ago

Can you please check if there are any .dll and/or .exe files in the default working directory? If there is no such file, then the above error you hit is expected and the BinSkim tool is regarded as not applicable for your case/scenario, which is why the BinSkim tool was not run in the first place. Please check and let us know. Thanks.

ktran1005 commented 10 months ago

Hi @JiandongJiang. Thanks for the response. I was using the binskim task earlier without any issues but wanted to switch to the MicrosoftSecurityDevOps task. In my binskim task, I downloaded my artifact and stored it in a specific directory, and I was able to specify the path of the directory and pass it to binskim to scan (this method ran without any issues). I wonder if we have something similar to that. Below is the way that I use the BinSkim task in my yaml.

    - task: BinSkim@3
      displayName: 'Run BinSkim'
      continueOnError: true
      inputs:
        InputType: 'Basic'
        Function: 'analyze'
        AnalyzeTarget: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'
        AnalyzeVerbose: true
        AnalyzeRecurse: true

I did try something similar but still received the same error with MicrosoftSecurityDevOps@1 task by changing the target as:

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'binskim, TemplateAnalyzer'
        Target: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'

I am not sure if this is the right way to do it though.

ktran1005 commented 10 months ago

Update part 3: I tried to use an env variable to fix the target path but had no luck either.

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'binskim'
      env:
        binskim_target: '$(Build.ArtifactStagingDirectory)\binskim\${{ parameters.binskimPath }}'
        binskim_recurse: 'true'
        binskim_verbose: 'true'

JiandongJiang commented 10 months ago

A few questions:

  1. Is this running on Windows? (just for confirmation)
  2. Before the MicrosoftSecurityDevOps@1 task in your YAML, is there another task that copies the file (i.e., ${{ parameters.binskimPath }}) to the $(Build.ArtifactStagingDirectory)\binskim directory?
  3. What value is the target path $(Build.ArtifactStagingDirectory)\binskim\${{ parameters.binskimPath }} resolved to at runtime?
  4. Have you tried using the env variable GDN_BINSKIM_TARGET?

To narrow down the issue, I would suggest that you first copy a .dll or .exe file to a known location before running the MicrosoftSecurityDevOps@1 task and then hard code the GDN_BINSKIM_TARGET to point to that copied file path in the MicrosoftSecurityDevOps@1 task.
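A pipeline fragment that carries out the narrowing step suggested above, written as an added example for this thread rather than code posted by either participant: it copies one known binary to a fixed folder, prints what the resolved path contains (answering question 3) and fails early if the file is missing, then hard codes GDN_BINSKIM_TARGET for the MicrosoftSecurityDevOps@1 task. The file name MyLibrary.dll and the folder name binskim-input are placeholders; CopyFiles@2 and PowerShell@2 are standard Azure Pipelines tasks.

```yaml
steps:
# 1. Copy one known binary to a fixed location (MyLibrary.dll and the
#    binskim-input folder name are placeholders for this example)
- task: CopyFiles@2
  displayName: 'Stage a binary for BinSkim'
  inputs:
    SourceFolder: '$(Build.ArtifactStagingDirectory)/binskim'
    Contents: 'MyLibrary.dll'
    TargetFolder: '$(Build.ArtifactStagingDirectory)/binskim-input'

# 2. Print the resolved target path and fail early if the file is not there;
#    with no .dll/.exe at the target, the task treats BinSkim as not applicable
- task: PowerShell@2
  displayName: 'Verify BinSkim target'
  inputs:
    targetType: 'inline'
    script: |
      $target = "$(Build.ArtifactStagingDirectory)\binskim-input\MyLibrary.dll"
      Write-Host "Resolved target: $target"
      if (-not (Test-Path -Path $target -PathType Leaf)) {
        Write-Error "BinSkim target not found: $target"
        exit 1
      }

# 3. Hard code the target through GDN_BINSKIM_TARGET, as suggested in the thread
- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Security DevOps'
  inputs:
    tools: 'binskim'
  env:
    GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)\binskim-input\MyLibrary.dll'
```

Once this hard-coded variant scans the file, swap the placeholder for the real artifact path one piece at a time to find which substitution resolves to an empty target.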

ktran1005 commented 10 months ago

Hi @JiandongJiang, thanks for the response.

  1. Yes. This is running on Windows.
  2. Yes. There is another task that downloads the .dll files from the artifact and stores them in the $(Build.ArtifactStagingDirectory)\binskim directory. I was using the BinSkim@3 task and specified the path where I stored the .dll files, and it worked. Therefore, I assume that it will work if I use the MicrosoftSecurityDevOps@1 task.

    steps:
    # The task under a conditional insertion must be indented beneath the ${{ if }} key
    - ${{ if ne(parameters.artifactName, '') }}:
      - task: DownloadPipelineArtifact@2
        displayName: 'Download Artifact'
        inputs:
          buildType: 'current'
          artifactName: ${{ parameters.artifactName }}
          targetPath: '$(Build.ArtifactStagingDirectory)/binskim'

    - task: BinSkim@3
      displayName: 'Run BinSkim'
      continueOnError: true
      inputs:
        InputType: 'Basic'
        Function: 'analyze'
        AnalyzeTarget: '$(Build.ArtifactStagingDirectory)/binskim/${{ parameters.binskimPath }}'
        AnalyzeVerbose: true
        AnalyzeRecurse: true
  3. The ${{ parameters.binskimPath }} will be replaced by someFilesName*.dll at runtime and analyzed by BinSkim (again, this worked fine in the BinSkim task).
  4. I have tried using the env variable GDN_BINSKIM_TARGET.

ktran1005 commented 10 months ago

UPDATE: Hi @JiandongJiang, I followed your suggestion by copying a .dll file into a specific directory and hard-coding GDN_BINSKIM_TARGET to point to that copied file path in the MicrosoftSecurityDevOps@1 task, and it works. However, I still don't know why, when I try to scan from the downloaded artifact, it didn't detect any .dll. But the BinSkim task was able to scan with the same path as I passed above with the BinSkim@3 task.

ktran1005 commented 10 months ago

UPDATE: I made it to work.

JiandongJiang commented 10 months ago

Thanks for the updates and glad to know that it works for you now.