Merge pull request #84 from microsoft/dev/daknis/includeTools

Switch to includeTools input option

Author: davidknise

README.md

@@ -50,7 +50,15 @@ To upload results to the Security tab of your repo, run the `github/codeql-actio
 
 ## Advanced
 
-To configure **Container Mapping** to send to **Microsoft Defender for DevOps**, include `container-mapping` with your `tools` input option:
+To configure **Container Mapping** to send to **Microsoft Defender for DevOps**, include `container-mapping` as a tool:
+```yaml
+- uses: microsoft/security-devops-action@v1
+  id: msdo
+  with:
+    includeTools: container-mapping
+```
+
+This will run all the analyzers defined by the configured or defaulted policy in addition to `container-mapping`. To only run this feature, define `container-mapping` as the only `tool` to run:
 ```yaml
 - uses: microsoft/security-devops-action@v1
   id: msdo

action.yml

@@ -13,9 +13,6 @@ inputs:
       - run
       - pre-job
       - post-job
-  features:
-    description: A comma separated list of features to enable. Example scanning, mapping, all. Defaults to scanning.
-    default: scanning
   config:
     description: A file path to a .gdnconfig file.
   policy:
@@ -26,7 +23,9 @@ inputs:
   languages:
     description: A comma separated list of languages to analyze. Example javascript, typescript. Defaults to all.
   tools:
-    description: A comma separated list of analyzer tools to run. Example bandit, binskim, eslint, templateanalyzer, terrascan, trivy.
+    description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
+  includeTools:
+    description: A comma separated list of analyzers to run in addition to the default set defined by the policy. Limited to container-mapping
 outputs:
   sarifFile:
     description: A file path to a SARIF results file.

lib/index.js

@@ -63,7 +63,7 @@ function _runPreJob(command) {
         if (command != msdo_helpers_1.CommandType.All) {
             return;
         }
-        if (_featureIsEnabled(msdo_helpers_1.Features.Mapping)) {
+        if (_toolIsEnabled(msdo_helpers_1.Tools.ContainerMapping)) {
             yield _getExecutor(container_mapping_1.ContainerMapping).runPreJob();
         }
     });
@@ -73,7 +73,7 @@ function _runPostJob(command) {
         if (command != msdo_helpers_1.CommandType.All) {
             return;
         }
-        if (_featureIsEnabled(msdo_helpers_1.Features.Mapping)) {
+        if (_toolIsEnabled(msdo_helpers_1.Tools.ContainerMapping)) {
             yield _getExecutor(container_mapping_1.ContainerMapping).runPostJob();
         }
     });
@@ -87,27 +87,37 @@ function _runMain(command) {
             yield _runPostJob(command);
         }
         else if (command == msdo_helpers_1.CommandType.All || command == msdo_helpers_1.CommandType.Run) {
-            if (_featureIsEnabled(msdo_helpers_1.Features.Scanning)) {
-                yield _getExecutor(msdo_1.MicrosoftSecurityDevOps).runMain();
+            if (_toolIsEnabledOnInput(msdo_helpers_1.Inputs.Tools, msdo_helpers_1.Tools.ContainerMapping, true)) {
+                console.log("Scanning is not enabled. Skipping...");
             }
             else {
-                console.log("Scanning is not enabled. Skipping...");
+                yield _getExecutor(msdo_1.MicrosoftSecurityDevOps).runMain();
             }
         }
         else {
             throw new Error(`Invalid command type for the main task: ${command}`);
         }
     });
 }
-function _featureIsEnabled(featureName) {
+function _toolIsEnabled(toolName) {
+    let enabled = false;
+    enabled = _toolIsEnabledOnInput(msdo_helpers_1.Inputs.Tools, toolName, false);
+    if (!enabled) {
+        enabled = _toolIsEnabledOnInput(msdo_helpers_1.Inputs.IncludeTools, toolName, false);
+    }
+    return enabled;
+}
+function _toolIsEnabledOnInput(inputName, toolName, isOnlyTool = false) {
     let enabled = false;
-    let featuresString = core.getInput(msdo_helpers_1.Inputs.Features);
-    if (!common.isNullOrWhiteSpace(featuresString)) {
-        let features = featuresString.split(',').map(item => item.trim());
-        const toolIndex = features.indexOf(featureName);
-        enabled = toolIndex > -1;
-        if (!enabled) {
-            enabled = features.indexOf(msdo_helpers_1.Features.All) > -1;
+    let toolsString = core.getInput(inputName);
+    if (!common.isNullOrWhiteSpace(toolsString)) {
+        let tools = toolsString.split(',');
+        if (isOnlyTool && tools.length > 1) {
+            enabled = false;
+        }
+        else {
+            const toolIndex = tools.indexOf(toolName);
+            enabled = toolIndex > -1;
         }
     }
     return enabled;

lib/msdo-helpers.js

@@ -3,12 +3,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeToOutStream = exports.getEncodedContent = exports.encode = exports.Constants = exports.Features = exports.CommandType = exports.RunnerType = exports.Inputs = void 0;
+exports.writeToOutStream = exports.getEncodedContent = exports.encode = exports.Constants = exports.Tools = exports.CommandType = exports.RunnerType = exports.Inputs = void 0;
 const os_1 = __importDefault(require("os"));
 var Inputs;
 (function (Inputs) {
     Inputs["Command"] = "command";
-    Inputs["Features"] = "features";
+    Inputs["Config"] = "config";
+    Inputs["Policy"] = "policy";
+    Inputs["Categories"] = "categories";
+    Inputs["Languages"] = "languages";
+    Inputs["Tools"] = "tools";
+    Inputs["IncludeTools"] = "includeTools";
 })(Inputs || (exports.Inputs = Inputs = {}));
 var RunnerType;
 (function (RunnerType) {
@@ -23,12 +28,16 @@ var CommandType;
     CommandType["PostJob"] = "post-job";
     CommandType["Run"] = "run";
 })(CommandType || (exports.CommandType = CommandType = {}));
-var Features;
-(function (Features) {
-    Features["All"] = "all";
-    Features["Scanning"] = "scanning";
-    Features["Mapping"] = "mapping";
-})(Features || (exports.Features = Features = {}));
+var Tools;
+(function (Tools) {
+    Tools["Bandit"] = "bandit";
+    Tools["Binskim"] = "binskim";
+    Tools["ContainerMapping"] = "container-mapping";
+    Tools["ESLint"] = "eslint";
+    Tools["TemplateAnalyzer"] = "templateanalyzer";
+    Tools["Terrascan"] = "terrascan";
+    Tools["Trivy"] = "trivy";
+})(Tools || (exports.Tools = Tools = {}));
 var Constants;
 (function (Constants) {
     Constants["Unknown"] = "unknown";

lib/msdo.js

@@ -34,6 +34,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MicrosoftSecurityDevOps = void 0;
 const core = __importStar(require("@actions/core"));
+const msdo_helpers_1 = require("./msdo-helpers");
 const client = __importStar(require("@microsoft/security-devops-actions-toolkit/msdo-client"));
 const common = __importStar(require("@microsoft/security-devops-actions-toolkit/msdo-common"));
 class MicrosoftSecurityDevOps {
@@ -86,13 +87,37 @@ class MicrosoftSecurityDevOps {
                 }
             }
             let toolsString = core.getInput('tools');
+            let includedTools = [];
             if (!common.isNullOrWhiteSpace(toolsString)) {
                 let tools = toolsString.split(',');
-                args.push('--tool');
                 for (let i = 0; i < tools.length; i++) {
                     let tool = tools[i];
-                    if (!common.isNullOrWhiteSpace(tool)) {
-                        args.push(tool.trim());
+                    let toolTrimmed = tool.trim();
+                    if (!common.isNullOrWhiteSpace(tool)
+                        && tool != msdo_helpers_1.Tools.ContainerMapping
+                        && includedTools.indexOf(toolTrimmed) == -1) {
+                        args.push(toolTrimmed);
+                        if (includedTools.length == 0) {
+                            args.push('--tool');
+                        }
+                        includedTools.push(toolTrimmed);
+                    }
+                }
+            }
+            let includeToolsString = core.getInput('includeTools');
+            if (!common.isNullOrWhiteSpace(includeToolsString)) {
+                let includeTools = includeToolsString.split(',');
+                for (let i = 0; i < includeTools.length; i++) {
+                    let includeTool = includeTools[i];
+                    let toolTrimmed = includeTool.trim();
+                    if (!common.isNullOrWhiteSpace(includeTool)
+                        && includeTool != msdo_helpers_1.Tools.ContainerMapping
+                        && includedTools.indexOf(toolTrimmed) == -1) {
+                        args.push(toolTrimmed);
+                        if (includedTools.length == 0) {
+                            args.push('--tool');
+                        }
+                        includedTools.push(toolTrimmed);
                     }
                 }
             }

src/index.ts

@@ -1,6 +1,6 @@
 import * as core from '@actions/core';
 import { MicrosoftSecurityDevOps } from './msdo';
-import { CommandType, Features, Inputs, RunnerType } from './msdo-helpers';
+import { CommandType, Inputs, RunnerType, Tools } from './msdo-helpers';
 import { IMicrosoftSecurityDevOps, IMicrosoftSecurityDevOpsFactory } from './msdo-interface';
 import { ContainerMapping } from './container-mapping';
 import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common';
@@ -33,7 +33,7 @@ async function _runPreJob(command: CommandType) {
         return;
     }
     // if explicit PreJob, will run in main
-    if (_featureIsEnabled(Features.Mapping)) {
+    if (_toolIsEnabled(Tools.ContainerMapping)) {
         await _getExecutor(ContainerMapping).runPreJob();
     }
 }
@@ -43,7 +43,7 @@ async function _runPostJob(command: CommandType) {
         return;
     }
     // if explicit PostJob, will run in main
-    if (_featureIsEnabled(Features.Mapping)) {
+    if (_toolIsEnabled(Tools.ContainerMapping)) {
         await _getExecutor(ContainerMapping).runPostJob();
     }
 }
@@ -57,30 +57,52 @@ async function _runMain(command: CommandType) {
         await _runPostJob(command);
     } else if (command == CommandType.All || command == CommandType.Run) {
         // Run main
-        if (_featureIsEnabled(Features.Scanning)) {
-            await _getExecutor(MicrosoftSecurityDevOps).runMain();
-        } else {
+        // If container-mapping is the only enabled tool, then skip scanning
+        if (_toolIsEnabledOnInput(Inputs.Tools, Tools.ContainerMapping, true)) {
             console.log("Scanning is not enabled. Skipping...");
+        } else {
+            await _getExecutor(MicrosoftSecurityDevOps).runMain();
         }
     } else {
         throw new Error(`Invalid command type for the main task: ${command}`);
     }
 }
 
 /**
- * Returns true if the feature is enabled in the inputs.
- * @param featureName - The name of the feature. 
- * @returns True if the feature is enabled in the inputs.
+ * Returns true if the tool is enabled on either the tools or includeTools inputs.
+ * @param toolName - The name of the tool. 
+ * @returns True if the tool is enabled in the inputs.
+ */
+function _toolIsEnabled(toolName: string): boolean {
+    let enabled: boolean = false;
+
+    enabled = _toolIsEnabledOnInput(Inputs.Tools, toolName, false);
+    
+    if (!enabled) {
+        // See if the tool is in includeTools
+        enabled = _toolIsEnabledOnInput(Inputs.IncludeTools, toolName, false);
+    }
+
+    return enabled;
+}
+
+/**
+ * Returns true if the tool is enabled on the specified input.
+ * @param inputName The action input name to check for the list of tools. Values tools or includeTools.
+ * @param toolName The name of the tool to look for.
+ * @param isOnlyTool Return true only if it is the only tool.
+ * @returns True if the tool is enabled on the specified input.
  */
-function _featureIsEnabled(featureName: string) {
+function _toolIsEnabledOnInput(inputName: string, toolName: string, isOnlyTool: boolean = false) {
     let enabled: boolean = false;
-    let featuresString: string = core.getInput(Inputs.Features);
-    if (!common.isNullOrWhiteSpace(featuresString)) {
-        let features = featuresString.split(',').map(item => item.trim());
-        const toolIndex = features.indexOf(featureName);
-        enabled = toolIndex > -1;
-        if (!enabled) {
-            enabled = features.indexOf(Features.All) > -1;
+    let toolsString: string = core.getInput(inputName);
+    if (!common.isNullOrWhiteSpace(toolsString)) {
+        let tools = toolsString.split(',');
+        if (isOnlyTool && tools.length > 1) {
+            enabled = false;
+        } else {
+            const toolIndex = tools.indexOf(toolName);
+            enabled = toolIndex > -1;
         }
     }
     return enabled;

src/msdo-helpers.ts

@@ -1,13 +1,17 @@
 import os from 'os';
 import { Writable } from "stream";
 
-
 /**
  * Enum for the possible inputs for the task (specified in action.yml)
  */
 export enum Inputs {
     Command = 'command',
-    Features = 'features'
+    Config = 'config',
+    Policy = 'policy',
+    Categories = 'categories',
+    Languages = 'languages',
+    Tools = 'tools',
+    IncludeTools = 'includeTools'
 }
 
 /**
@@ -29,13 +33,17 @@ export enum CommandType {
     Run = 'run'
 }
 
-/**
- * Enum for the possible values for the Inputs.Features (specified in action.yml)
- */
-export enum Features {
-    All = 'all',
-    Scanning = 'scanning',
-    Mapping = 'mapping'
+/*
+* Enum for the possible values for the Inputs.Tools (specified in action.yml)
+*/
+export enum Tools {
+    Bandit = 'bandit',
+    Binskim = 'binskim',
+    ContainerMapping = 'container-mapping',
+    ESLint = 'eslint',
+    TemplateAnalyzer = 'templateanalyzer',
+    Terrascan = 'terrascan',
+    Trivy = 'trivy'
 }
 
 /**

src/msdo.ts

@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
 import { IMicrosoftSecurityDevOps } from './msdo-interface';
+import { Tools } from './msdo-helpers';
 import * as client from '@microsoft/security-devops-actions-toolkit/msdo-client';
 import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common';
 
@@ -65,13 +66,38 @@ export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps {
         }
 
         let toolsString: string = core.getInput('tools');
+        let includedTools = [];
         if (!common.isNullOrWhiteSpace(toolsString)) {
             let tools = toolsString.split(',');
-            args.push('--tool');
             for (let i = 0; i < tools.length; i++) {
                 let tool = tools[i];
-                if (!common.isNullOrWhiteSpace(tool)) {
-                    args.push(tool.trim());
+                let toolTrimmed = tool.trim();
+                if (!common.isNullOrWhiteSpace(tool)
+                    && tool != Tools.ContainerMapping
+                    && includedTools.indexOf(toolTrimmed) == -1) {
+                    args.push(toolTrimmed);
+                    if (includedTools.length == 0) {
+                        args.push('--tool');
+                    }
+                    includedTools.push(toolTrimmed);
+                }
+            }
+        }
+        
+        let includeToolsString: string = core.getInput('includeTools');
+        if (!common.isNullOrWhiteSpace(includeToolsString)) {
+            let includeTools = includeToolsString.split(',');
+            for (let i = 0; i < includeTools.length; i++) {
+                let includeTool = includeTools[i];
+                let toolTrimmed = includeTool.trim();
+                if (!common.isNullOrWhiteSpace(includeTool)
+                    && includeTool != Tools.ContainerMapping
+                    && includedTools.indexOf(toolTrimmed) == -1) {
+                    args.push(toolTrimmed);
+                    if (includedTools.length == 0) {
+                        args.push('--tool');
+                    }
+                    includedTools.push(toolTrimmed);
                 }
             }
         }