Found no applicable tools

[janvanuytrecht]

Hi,

We use a self-hosted Agent in Azure to support our Azure DevOps CI/CD.

When I run the security devops task as such:

The task fails, I get this result:

Tools Applicability Infomation: Found no applicable tools.

[error]RunCommandNoOptionsException: No applicable tools were detected. Run requires at least one configuration to run. Provide at least one Guardian config or tool with --config or --tool.

[error]MSDO CLI exited with an error exit code: 2

I understood that when passing no tool, all of them should be used? Do we need to install these tools ourselves?

[lohithgn]

@janvanuytrecht hello. yes - you are responsible to make sure that the tools that extension supports should be installed on your agents. Since its self hosted agent - you are responsible to meet the pre-requisites. The MS hosted agents already have the tools required pre-installed.

If you read the extension document here: https://marketplace.visualstudio.com/items?itemName=ms-securitydevops.microsoft-security-devops-azdevops - it is already mentioned.

hope this helps.

[janvanuytrecht]

Hi,

Thanks for your reply. When I check the pre-installed software list of the MS hosted VMs, it does not include these tools, or is it that The hosted build agents add additional software on top of default windows VMs?

https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md runner-images/Windows2019-Readme.md at main · actions/runner-images github.com

The list does not mention tools like CredScan, Trivy.

Where can I find the correct list?

Kind regards, Jan.

On 6 Apr 2023, at 09:20, Lohith @.***> wrote:

@janvanuytrecht https://github.com/janvanuytrecht hello. yes - you are responsible to make sure that the tools that extension supports should be installed on your agents. Since its self hosted agent - you are responsible to meet the pre-requisites. The MS hosted agents already have the tools required pre-installed.

If you read the extension document here: https://marketplace.visualstudio.com/items?itemName=ms-securitydevops.microsoft-security-devops-azdevops - it is already mentioned.

https://user-images.githubusercontent.com/2450336/230303649-e27c689f-7b15-4fbf-9e21-4985bca2ef86.png hope this helps.

— Reply to this email directly, view it on GitHub https://github.com/microsoft/security-devops-azdevops/issues/17#issuecomment-1498605762, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALXJKUSZ4FC6H6TJUWGIZTW7ZVEXANCNFSM6AAAAAARQ4WV4M. You are receiving this because you were mentioned.

[boAndron]

Hey, sorry for the delay. The action should be installing the tools by itself, so I don't think that's the problem. The auto-applicability detection is supposed to look at your repo and determine what tools it should run based of file types found. Are you by any chance running on an empty repo? Otherwise, are you setting the policy to 'none'? The policy can also affect which tools are chosen for auto-applicability. Can you run tools by specifying them (via a config, or the 'tools' input)? Thanks!