microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License
60 stars 16 forks

Pipeline task 'MicrosoftSecurityDevOps@1' fails to detect the Secrets/passwords in Python files. #51

Open rahul-subash opened 1 year ago

rahul-subash commented 1 year ago

Previously, when using the Microsoft Security Code Analysis (MSCA) extension for Cred Scan, it failed to detect the passwords in Python (*.py) files, so we planned to migrate to the MicrosoftSecurityDevOps extension, but it still fails to detect the password in Python files.

image

Also, is there any option to specify the suppressions file path, which was available in Microsoft Security Code Analysis (MSCA)?

Looking forward to your suggestions.

boAndron commented 1 year ago

Hello! We are planning on adding options to specify baseline / suppression files to this task soon. For the time being, you can take advantage of the fact that the /.gdn/.gdnsuppress file is automatically loaded and used, without specifying it. In the case of Azure DevOps, since MSDO runs one level above the Build.SourcesDirectory, you will need to copy the suppression file from your source ($(Build.SourcesDirectory)/) to $(Build.SourcesDirectory)/../.gdn/.gdnsuppress.

As for credscan, can you please provide an example / file of something you'd expect to trigger a failure? Thanks!

rahul-subash commented 1 year ago

Hi @boAndron ,

You can find the example Python file with the hardcoded password in the screenshot below.

image

Looking forward to your suggestions.

boAndron commented 1 year ago

Hello @rahul-subash! I will send this to the CredScan team, but if I remember correctly this is by design. Some strings like "test_password" (and variants) are intentionally ignored to avoid false positives on test data. Try a random string and see if you get a hit. I'll circle back when I have a response from CredScan.

rahul-subash commented 1 year ago

Hi @boAndron,

It worked fine now after changing the password.

Regarding the suppression file, I followed your instructions: I renamed our suppression file from credscan-suppressions.json to .gdnsuppress, created a folder $(Build.SourcesDirectory)/../.gdn, and moved the suppression file .gdnsuppress into $(Build.SourcesDirectory)/../.gdn. It didn't work.

When I checked the pipeline console I noticed this:

image

where the yellow-highlighted path is the Build.SourcesDirectory. From that I came to know that the .gdn folder is in the root path, so I moved the .gdnsuppress file to $(Build.SourcesDirectory)/.gdn, but that didn't work either.

My only doubt is the format of the suppression file. We have the suppression file in JSON format. May I know whether the JSON format is fine for the .gdnsuppress file?

Looking forward to your suggestions.

aakanshaverma1310 commented 1 year ago

@rahul-subash @boAndron - Hey, are you able to suppress Cred Scan false positives? I'm using the ADO task MicrosoftSecurityDevOps@1. Are you also using the same task, and did you also try suppressing the Cred Scan results? Can you please share how you are suppressing them? Thanks

rahul-subash commented 1 year ago

Hi @aakanshaverma1310,

I'm able to suppress the CredScan results. You have to create a folder named .gdn at the root of your repository and create a file named .gdnsuppress in it.

Please follow the instructions in this comment to configure the gdnsuppress file content.

The tool will by default check for the file /.gdn/.gdnsuppress; if it is present, it will be used as the suppression file.
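The thread settles on the same mechanism from two directions: the task auto-loads `.gdn/.gdnsuppress`, and the only question is which directory the `.gdn` folder has to sit in (`$(Build.SourcesDirectory)/..` per boAndron, or the repository root per rahul-subash's final comment). The function below is an added example, written for this page and not code from the extension or from anyone in the thread. It stages an existing suppression file into `<dir>/.gdn/.gdnsuppress` for whichever directory you pass, refusing to continue when the source file is missing so the pipeline fails loudly instead of silently running without suppressions. The file name `credscan-suppressions.json` is taken from the thread; the `bash:` step shown in the comment is the assumed way to run it before `MicrosoftSecurityDevOps@1`.

```shell
#!/usr/bin/env sh
# Added example (not part of the MSDO extension): stage a suppression file so that
# it sits at <dest_root>/.gdn/.gdnsuppress before the MicrosoftSecurityDevOps@1
# task runs. In an Azure DevOps pipeline this would be invoked from a step like:
#
#   - bash: |
#       . ./stage_gdn_suppress.sh
#       stage_gdn_suppress credscan-suppressions.json "$(Build.SourcesDirectory)"
#     displayName: Stage .gdnsuppress
#   - task: MicrosoftSecurityDevOps@1
#
# Pass "$(Build.SourcesDirectory)/.." instead if the task looks one level up.

stage_gdn_suppress() {
  src="$1"        # suppression file committed in the repo (name from the thread)
  dest_root="$2"  # directory under which .gdn/.gdnsuppress must appear

  if [ -z "$src" ] || [ -z "$dest_root" ]; then
    echo "usage: stage_gdn_suppress <suppression-file> <dest-root>" >&2
    return 2
  fi
  # Fail the step rather than let the scan run with no suppressions loaded.
  if [ ! -f "$src" ]; then
    echo "suppression file not found: $src" >&2
    return 1
  fi

  mkdir -p "$dest_root/.gdn" || return 1
  cp "$src" "$dest_root/.gdn/.gdnsuppress" || return 1
  echo "staged $src -> $dest_root/.gdn/.gdnsuppress"
}
```

Because the destination directory is a parameter, the same step can be pointed at the repository root or at its parent without editing the function; the return code makes a missing file a visible pipeline failure.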
