Merge pull request #77 from microsoft/containerMappingPreview

Container mapping preview

Author: davidknise

.github/workflows/on-push-verification.yml

@@ -7,7 +7,8 @@ on:
       - '**'
 
 permissions:
-  security-events: write
+  id-token: write # This is required for federation to Defender for DevOps
+  security-events: write # This is required to upload SARIF files
 
 jobs:
   sample:
@@ -24,8 +25,7 @@ jobs:
     - uses: actions/checkout@v3
 
       # Run analyzers
-    - name: Run Microsoft Security DevOps Analysis
-      uses: ./
+    - uses: ./
       id: msdo
 
       # Upload alerts to the Security tab

.github/workflows/sample-workflow.yml

@@ -5,7 +5,8 @@ on:
       - main
 
 permissions:
-  security-events: write
+  id-token: write # This is required for federation to Defender for DevOps
+  security-events: write # This is required to upload SARIF files
 
 jobs:
   sample:

.gitignore

@@ -23,6 +23,7 @@ bld/
 [Bb]in/
 [Oo]bj/
 [Ll]og/
+test/**/*.js
 
 # Visual Studio 2015/2017 cache/options directory
 .vs/

README.md

@@ -48,6 +48,24 @@ To upload results to the Security tab of your repo, run the `github/codeql-actio
     sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 ```
 
+## Advanced
+
+To configure **Container Mapping** to send to **Microsoft Defender for DevOps**, include `container-mapping` as a tool:
+```yaml
+- uses: microsoft/security-devops-action@v1
+  id: msdo
+  with:
+    includeTools: container-mapping
+```
+
+This will run all the analyzers defined by the configured or defaulted policy in addition to `container-mapping`. To only run this feature, define `container-mapping` as the only `tool` to run:
+```yaml
+- uses: microsoft/security-devops-action@v1
+  id: msdo
+  with:
+    tools: container-mapping
+```
+
 # Tools
 
 | Name | Language | License |

action.yml

@@ -5,6 +5,14 @@ branding:
   icon: 'shield'
   color: 'black'
 inputs:
+  command:
+    description: The command to run. Defaults to run.
+    default: all
+    options:
+      - all
+      - run
+      - pre-job
+      - post-job
   config:
     description: A file path to a .gdnconfig file.
   policy:
@@ -15,10 +23,14 @@ inputs:
   languages:
     description: A comma separated list of languages to analyze. Example javascript, typescript. Defaults to all.
   tools:
-    description: A comma separated list of analyzer tools to run. Example bandit, binskim, eslint, templateanalyzer, terrascan, trivy.
+    description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
+  includeTools:
+    description: A comma separated list of analyzers to run in addition to the default set defined by the policy. Limited to container-mapping
 outputs:
   sarifFile:
     description: A file path to a SARIF results file.
 runs:
   using: 'node16'
-  main: 'lib/action.js'
+  main: 'lib/main.js'
+  pre: 'lib/pre.js'
+  post: 'lib/post.js'

gulpfile.js

@@ -6,6 +6,7 @@ const process = require('process');
 const ts = require('gulp-typescript');
 
 const tsProject = ts.createProject('tsconfig.json');
+const testTsProject = ts.createProject(path.join(__dirname, 'test', 'tsconfig.json'));
 
 function clean(cb) {
     import('del')
@@ -58,6 +59,14 @@ function compile(cb) {
         .on('end', () => cb());
 }
 
+function compileTests(cb) {
+    testTsProject
+        .src()
+        .pipe(testTsProject()).js
+        .pipe(gulp.dest(path.join(__dirname, 'test')))
+        .on('end', () => cb());
+}
+
 function clearDir(dirPath) {
     // Get a list of files and subdirectories in the directory
     const items = fs.readdirSync(dirPath);
@@ -96,5 +105,7 @@ function copyFiles(srcDir, destDir) {
 
 exports.clean = clean;
 exports.compile = compile;
+exports.compileTests = compileTests;
 exports.build = gulp.series(clean, sideload, compile);
+exports.buildTests = gulp.series(exports.build, compileTests);
 exports.default = exports.build;