search

microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License
59 stars 14 forks source link

binskim scans files one by one #85

Open fabio-s-franco opened 9 months ago

fabio-s-franco commented 9 months ago

There is no documentation and I couldn't find anything on the source code on how to customize the behavior of binskim.

The result is that it tries to scan files one by one, which makes the scan prohibitively slow (never succeeded to finish it). If we can set the CLI argument through the extension, then it may be possible to use it.

kewalaka commented 8 months ago

hi @fabio-s-franco - I was just hitting the same wall myself. I've found this documentation here which was helpful:

https://github.com/microsoft/security-devops-azdevops/wiki

You can use a gdnconfig file & supply that to the defender for devops task, as the config option, from the above docs:

 - task: MicrosoftSecurityDevOps@1
   inputs:
   # command: 'run' | 'pre-job' | 'post-job'. Optional. The command to run. Default: run
   # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
   # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
   # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'secrets', 'code', 'artifacts', 'IaC', 'containers. Example: 'IaC,secrets'. Defaults to all.
   # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
   # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
   # break: boolean. Optional. If true, will fail this build step if any error level results are found. Default: false.
   # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
   # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.

There's also a sample file for BinSkim options (and other tools) further on the same page:

https://github.com/microsoft/security-devops-azdevops/wiki#bandit-options

I couldn't find this on Learn with the other pipeline yaml definitions, that would have made the search easier.