BST-18043 Add the Azure Devops pipelines scan tests (#274)

Author: lindycoder

.github/workflows/scan-test.yml

@@ -5,7 +5,45 @@ on:
     types: [opened, synchronize, reopened]
     paths: ['scanners/**']
 
+permissions:
+  id-token: write  # Required for OIDC
+
 jobs:
+  azure-devops-pipelines:
+    name: Azure DevOps Pipelines
+    runs-on: ubuntu-latest
+    steps:
+      - name: Azure Login (OIDC)
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }}
+          tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Get Azure DevOps Token
+        id: azure-token
+        run: |
+          token=$(az account get-access-token \
+            --resource 499b84ac-1321-427f-aa17-267ca6975798 \
+            --query accessToken -o tsv)
+          echo "token=$token" >> $GITHUB_OUTPUT
+          echo "::add-mask::$token"
+      - name: Checkout scanner registry
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Need full history to detect changes
+      - name: Run Tests
+        uses: boostsecurityio/scan-test-action@2a784e92451e9ba1561ca749ba630b7621adfcbf
+        with:
+          provider: azure-devops
+          provider-config: |
+            {
+              "token": "${{ steps.azure-token.outputs.token }}",
+              "organization": "BoostSecurity",
+              "project": "cicd-tools",
+              "pipeline_id": 1
+            }
+          registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
+          base-ref: "${{ github.base_ref }}"
   bitbucket-action:
     name: Bitbucket Pipelines
     runs-on: ubuntu-latest
@@ -26,7 +64,7 @@ jobs:
         with:
           fetch-depth: 0  # Need full history to detect changes
       - name: Run Tests
-        uses: boostsecurityio/scan-test-action@53e2f687ab93ac5d150b88abd7341b72f6fbf384
+        uses: boostsecurityio/scan-test-action@2a784e92451e9ba1561ca749ba630b7621adfcbf
         with:
           provider: bitbucket
           provider-config: |
@@ -55,7 +93,7 @@ jobs:
         with:
           fetch-depth: 0  # Need full history to detect changes
       - name: Run Tests
-        uses: boostsecurityio/scan-test-action@53e2f687ab93ac5d150b88abd7341b72f6fbf384
+        uses: boostsecurityio/scan-test-action@2a784e92451e9ba1561ca749ba630b7621adfcbf
         with:
           provider: github-actions
           provider-config: |
@@ -77,7 +115,7 @@ jobs:
         with:
           fetch-depth: 0  # Need full history to detect changes
       - name: Run Tests
-        uses: boostsecurityio/scan-test-action@53e2f687ab93ac5d150b88abd7341b72f6fbf384
+        uses: boostsecurityio/scan-test-action@2a784e92451e9ba1561ca749ba630b7621adfcbf
         with:
           provider: gitlab-ci
           provider-config: |

docs/setup-azure-devops.md

@@ -98,8 +98,8 @@ jobs:
       - name: Azure Login (OIDC)
         uses: azure/login@v2
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }}
+          tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }}
           allow-no-subscriptions: true
 
       - name: Get Azure DevOps Token

scanners/boostsecurityio/trivy-fs/tests.yaml

@@ -1,12 +1,12 @@
 version: "1.0"
 tests:
-  - name: "osv-scanner"
-    type: "source-code"
-    source:
-      url: "git@github.com:google/osv-scanner.git"
-      ref: "main"
   - name: "gitleaks"
     type: "source-code"
     source:
       url: "git@github.com:gitleaks/gitleaks.git"
       ref: "v8.15.2"
+  - name: "osv-scanner"
+    type: "source-code"
+    source:
+      url: "git@github.com:google/osv-scanner.git"
+      ref: "main"

scanners/boostsecurityio/trivy-image/tests.yaml

@@ -6,5 +6,5 @@ tests:
       url: "https://github.com/martin-boost-dev/boost-poc-registry-testing-trivy"
       ref: "main"
     scan_paths:
-      - "osv-scanner"
       - "rclone"
+      - "osv-scanner"