microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Disable Terrascan option? #35

Closed richardtallent-erm closed 1 year ago

richardtallent-erm commented 1 year ago

I have a task for MicrosoftSecurityDevOps@1 in my build pipeline. It runs TerraScan, then generates reams of “warnings” for every folder and JSON file, complaining that no Terraform configuration is found in those files. Examples:

{
  "level": "warning",
  "message": {
    "text": "directory '/home/vsts/work/1/s/[...]' has no terraform config files"
  }
},
{
  "level": "warning",
  "message": {
    "text": "error while loading iac file '/home/vsts/work/1/s/[...].json', err: failed to find valid Resources key in file: /home/vsts/work/1/s/[...].json"
  }
},

This is not useful, as I’m not using Terraform in this repo. So, I would like to disable the TerraScan part of this tool. But the MS Security DevOps documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension) contains no information on how to do this. I reported the lack of documentation here:

https://github.com/MicrosoftDocs/azure-docs/issues/107268

Someone there suggested adding an input parameter of categories: "!IaC" to disable TerraScan, but this just led to a new error, one that was fatal for the build:

##[error]RunCommandNoOptionsException: No applicable tools were detected.
Run requires at least one configuration to run. Provide at least one Guardian
config or tool with --config or --tool.
##[error]MSDO CLI exited with an error exit code: 2

I also reported the issue on the DevCommunity site, and they directed me here:

https://developercommunity.visualstudio.com/t/Cannot-disable-TerraScan-in-MicrosoftSec/10326029

How can I continue to use this ADO plugin, but configure it correctly for my needs?

lohithgn commented 1 year ago

@richardtallent-erm I looked at the source. Here is the information you are looking for: https://github.com/microsoft/security-devops-azdevops/blob/main/src/MicrosoftSecurityDevOps/v1/task.json#L52

According to the comments for the parameter categories:

A comma separated list of analyzer categories to run. Values: `secrets`, `code`, `artifacts`, `IaC`, `containers`. Example: `IaC,secrets`. Defaults to all.

You need to provide at least one analyzer. If you don't have IaC code, then from a best-practice perspective you should have `secrets`, `code`, `artifacts`.

The error message is correct. When you don't provide a category, it defaults to running all analyzers. In your case you provided an explicit value for the categories parameter, and that single value happens to be "do not run IaC". Now it has no configuration to run, so it is asking for at least 1 config value to run.

Hope this helps.

richardtallent-erm commented 1 year ago

Confirmed, a categories value of "secrets,code,artifacts" works as expected. Thanks!

lohithgn commented 1 year ago

@richardtallent-erm great to hear it worked. Thanks for closing the issue.

davidxcheng commented 1 year ago

FWIW I solved it by explicitly listing the tools we wanted to run under `tools`, since we wanted TemplateAnalyzer to scan our bicep files:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    tools: 'credscan,templateanalyzer'
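The two working answers in this thread (an explicit `categories` allow-list, or an explicit `tools` allow-list) rest on one rule: the input is a positive, comma-separated list, not a filter, so `!IaC` matches nothing and the CLI is left with no tool to run. The script below is an added example that models that rule so the failing and working inputs from this issue can be compared side by side; it is not the extension's or the MSDO CLI's own code. The category names come from the `task.json` comment quoted above; the tool names are only the ones mentioned on this page, and case-insensitive matching and the `exclude_category` helper are assumptions made for illustration.

```python
"""Model of how a comma-separated `categories` / `tools` input resolves.

Added example for the MicrosoftSecurityDevOps@1 discussion above; it is
not the extension's code. Matching rules are assumptions, see comments.
"""

# Category names documented in the task.json comment quoted in the thread.
CATEGORIES = {"secrets", "code", "artifacts", "IaC", "containers"}

# Tool names that appear on this page only; the real list is longer.
TOOLS = {"credscan", "templateanalyzer", "terrascan"}


class NoApplicableToolsError(Exception):
    """Stand-in for the CLI's RunCommandNoOptionsException seen in the issue."""


def resolve(value, known):
    """Return (selected, unrecognised) for a comma-separated input.

    An empty/unset value means "defaults to all". Names are matched
    case-insensitively (assumption). There is no negation syntax, so a
    token such as "!IaC" is simply unrecognised and selects nothing.
    """
    if value is None or not value.strip():
        return sorted(known), []

    selected, unrecognised = set(), []
    for token in value.split(","):
        name = token.strip()
        if not name:
            continue
        match = next((k for k in known if k.lower() == name.lower()), None)
        if match is None:
            unrecognised.append(name)
        else:
            selected.add(match)

    if not selected:
        # Mirrors the fatal "No applicable tools were detected" outcome.
        raise NoApplicableToolsError(
            f"no known names in {value!r}; unrecognised tokens: {unrecognised}"
        )
    return sorted(selected), unrecognised


def exclude_category(category):
    """Build the allow-list string that drops one category.

    Generalises the fix in the thread: to disable IaC you list every
    other documented category explicitly instead of negating it.
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    return ",".join(sorted(CATEGORIES - {category}))


def task_inputs(categories=None, tools=None):
    """Return the `inputs:` mapping for the task, validating first."""
    inputs = {}
    if categories is not None:
        resolve(categories, CATEGORIES)
        inputs["categories"] = categories
    if tools is not None:
        resolve(tools, TOOLS)
        inputs["tools"] = tools
    return inputs


if __name__ == "__main__":
    # The input from the issue that failed the build:
    try:
        resolve("!IaC", CATEGORIES)
    except NoApplicableToolsError as exc:
        print("fails:", exc)
    # The two inputs that worked:
    print(task_inputs(categories="secrets,code,artifacts"))
    print(task_inputs(tools="credscan,templateanalyzer"))
    print("all but IaC ->", exclude_category("IaC"))
```

`task_inputs` returns the mapping you would paste under `inputs:` in the pipeline YAML; keeping the validation in one place makes the "no applicable tools" failure show up at authoring time rather than as a fatal build error.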