-
Notifications
You must be signed in to change notification settings - Fork 46
Home
Charles Oxyer edited this page May 8, 2024
·
41 revisions
Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in or MSDO can convert their results to SARIF, MSDO imports into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.
Note: This page describes how to configure the MSDO Action for GitHub workflows. For Azure DevOps task configuration, please see here.
steps:
- name: Run Microsoft Security DevOps
uses: microsoft/security-devops-action@latest
id: msdo
# with:
# config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). See 'Tool Options' for additional configuration instructions.
# policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy to determine which tools/checks to run. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
# categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
# languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
# tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'antimalware' (Windows only), 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
# env:
# environment variable configurations. Optional.| Argument name | Environment variable name | Description |
|---|---|---|
| --auto | GDN_RUN_AUTO | Automatically detect what tools are applicable and then included. |
| --blame | GDN_RUN_BLAME | Retrieve the git blame data for each security finding identified by MSDO to trace the issue to the origin. Default is false. |
| --config | GDN_RUN_CONFIG | A path to a MSDO run config file that points to the tools and command line options to run. Any number of space-delimited configs may be specified. |
| --tool | GDN_RUN_TOOL | The name of a MSDO tool or the path to a tool configuration file to run an analysis tool. The run config info will be generated using the tool configuration's required inputs defaults. Any number of space-delimited tools may be specified. |
| --analyze-fast | GDN_RUN_ANALYZEFAST | (Optional) Fail the entire job after one analyzer failure and do not continue to run other analyzers. Default: false |
| --no-baseline | GDN_RUN_NOBASELINE | Will not allow the use of any baselines including the default baseline (in the .gdn/.gdnbaselines file). Default is false. |
| --baseline | GDN_RUN_BASELINE | The baseline(s) to use for the break method. Any number of space-delimited baselines may be specified. Any baselined (and un-expired) results will not cause a break. |
| --baseline-file | GDN_RUN_BASELINEFILE | The baseline file(s) to load baselines from. Use absolute paths, or file names(under the Processed Results Folder). Multiple entries supported. Extension can be ommited (will always be set to gdnbaseline). If --baseline is used but not --baseline-file, the default baseline file will be used (.gdnbaselines under the .gdn folder). |
| --no-suppressions | GDN_RUN_NOSUPPRESSIONS | Will not allow the use of any suppressions including the default suppression set (in the .gdn/.gdnsuppress file). Default is false. |
| --disregard-tool-suppressions | GDN_RUN_DISREGARDTOOLSUPPRESSIONS | Will disregard suppressions recorded by the tools in the result logs. This system is independent of MSDO suppressions. Default is false. |
| --suppression-set | GDN_RUN_SUPPRESSIONSET | The suppression set(s) to use for the break method. Any number of space-delimited suppresion sets may be specified. Any suppresed (and un-expired) results will not cause a break. |
| --suppression-file | GDN_RUN_SUPPRESSIONFILE | The suppression file(s) to load suppressions from. Use absolute paths, or file names(under the Processed Results Folder). Multiple entries supported. Extension can be ommited (will always be set to gdnsuppress). If --suppression-set is used but not --suppression-file, the default suppression file will be used (.gdnsuppress under the .gdn folder). |
| --disable-flighting | GDN_RUN_DISABLEFLIGHTING | Disable flighting of rules. In-flight rules will show a message but will not break. When this option is enabled, all rules will break as usual. |
| --preview-flighting | GDN_RUN_PREVIEWFLIGHTING | Preview rules behavior on a specific date. In flight rules will break if specified date is set after expiration date. Format ISO-8601 yyyy-mm-dd |
| --policy | GDN_RUN_POLICY | The name of the policy to install and use. |
| --policy-file-path | GDN_RUN_POLICYFILEPATH | The file path to a MSDO Policy file to use. Must be used with GDN_RUN_POLICY: 'none' |
| --min-severity | GDN_RUN_MINSEVERITY | The name of the minimum severity log level to break on. Any results in this severity or ranked as more severe will cause a break. Default: Error |
| --update-baseline | GDN_RUN_UPDATEBASELINE | (Alias for --output-baseline) Specify the name of a baseline to be created or updated with the breaking results. If update-baseline-file is not specified, then the file .gdnbaselines(under the .gdn folder) will be used.This does not affect the return value of break.The --fast option prevents this option. |
| --output-baseline | GDN_RUN_OUTPUTBASELINE | (Alias for --update-baseline) Specify the name of a baseline to be created or updated with the breaking results. If output-baseline-file is not specified, then the file .gdnbaselines(under the .gdn folder) will be used. This does not affect the return value of break. The --fast option prevents this option. |
| --output-baseline-file | GDN_RUN_OUTPUTBASELINEFILE | Specify the name or full path of a baseline file to create/update a baseline with the breaking results. If output-baseline is not specified, the name 'default' will be used. This does not affect the return value of break. The --fast option prevents this option. |
| --output-suppression-set | GDN_RUN_OUTPUTSUPPRESSIONSET | Specify the name of a suppression set to be created or updated with the breaking results. If output-suppression-file is not specified, then the file .gdnsuppress(under the .gdn folder) will be used. This does not affect the return value of break. The --fast option prevents this option. |
| --output-suppression-file | GDN_RUN_OUTPUTSUPPRESSIONFILE | Specify the name or full path of a suppression file to create/update a suppression set with the breaking results. If output-suppression-set is not specified, the name 'default' will be used. This does not affect the return value of break. The --fast option prevents this option. |
| --export-breaking-results-to-file | GDN_RUN_EXPORTBREAKINGRESULTSTOFILE | Exports the breaking results to a file. Format is determined from the extension. Available formats: csv, tsv, html, sarif. For any other extension, sarif format will be chosen. If this option isn't set, export goes to the logger. The --fast option prevents all exporting. |
| --target-root | GDN_RUN_TARGETROOT | The possible root folder of your scan targets. Any number of space-delimited paths may be specified. Process will use these paths to calculate the relative path of your targets. The shortest relative path will be chosen. The relative path is used as part of the signature that allows the unique identification of results. |
| --languages | GDN_RUN_LANGUAGES | Only run applicable tools for the specified languages. Any number of space-delimited languages may be specified. |
| --categories | GDN_RUN_CATEGORIES | Only run applicable tools of the specified category: secrets, code, artifacts, IaC, containers. Any number of space-delimited categories may be specified. |
| --github | GDN_RUN_GITHUB | When outputting a SARIF file, make the SARIF compliant with GitHub's code scanning requirements |
| --save-command-options | GDN_RUN_SAVECOMMANDOPTIONS | Will save options used to run commands (break, run, analyze and publish are supported) in .gdn/o folder for purpose of configuration validation. Default: false |
| --working-directory | GDN_RUN_WORKINGDIRECTORY | The working directory from which to execute MSDO. |
| --settings-file | GDN_RUN_SETTINGSFILE | Path to the settings file to use. This will override all other global or local settings. |
| --logger | GDN_RUN_LOGGER | The name of the loggers to use. Values: Console, File. File requires --logger-filepath to be set one or more times. |
| --logger-filepath | GDN_RUN_LOGGERFILEPATH | One or more file paths to write log output to. Does not require --logger file to work. |
| --logger-level | GDN_RUN_LOGGERLEVEL | Sets the minimum log output level that will be printed to console. Values: Trace, Verbose, Standard, Warning, Error. |
| --logger-timestamp | GDN_RUN_LOGGERTIMESTAMP | Prefix logger messages with a formatted UTC timestamp [YYYY-MM-ddTHH:mm:ss.fff]. Example [2018-03-20T21:41:59.998] Running Microsoft MSDO... |
| --logger-show-level | GDN_RUN_LOGGERSHOWLEVEL | Prefix logger messages with the logger level name of the message [{LoggerLevel}]. Example [Warning] Microsoft MSDO partially succeeded. |
| --logger-pipeline | GDN_RUN_LOGGERPIPELINE | Write Warnings and Errors using the Azure DevOps Pipeline Command format. |
| --logger-actions | GDN_RUN_LOGGERACTIONS | Write Warnings and Errors using the GitHub Actions Workflow Command format. |
| --rich-exit-code | GDN_RUN_RICHEXITCODE | Return a rich exit code. |
This section contains all of the direct input options to tools (aka. analyzers).
There are a few ways configure tool inputs:
- Creating a *.gdnconfig file to save configurations
- Great for reuse between team members and local/remote runs
- Can save multiple tool configurations in a single file to run all configurations. See the tool arguments section for additional details on defining .gdnconfig files.
- Using environment variables
- Great for quick configurations in build pipelines
- They follow the format
[GDN_]<ToolName>_<ArgumentId>, whereGDN_is optional andToolNameandArgumentIdare defined by the tool integration file to (*.gdntool).
The microsoft/security-devops-action will run all applicable analyzers configured in the policy. By default, this action runs the GitHub policy. If a file is found that MSDO has an analyzer for, it runs the analyzer with default settings against the target.
Tool variables can be set within GitHub Workflows.
They can be set as top level environment variables in the build:
env:
<key>: '<value>'
job:
...Or on the action itself.
steps:
- uses: microsoft/security-devops-action
env:
<key>: '<value>'Here' an example action to configure the targets CLI option for eslint:
steps:
- uses: microsoft/security-devops-action
env:
eslint_targets: '**/*.js'Short description:
A command line utility for running Microsoft AntiMalware/Windows Defender tool.
Long description:
This is a command line utility for running Microsoft AntiMalware/Windows Defender tool. It must be run on a local machine (or build agent) with Windows Defender already installed.
{
"tools": [
{
"tool": {
"name": "AntiMalware",
"version": "Latest"
},
"arguments": {
"Function": "analyze",
"Command": "scan",
"ScanType": 3,
"ScanDirectoryOrFile": "$(WorkingDirectory)",
"DisableRemediation": true,
"BootSectorScan": "false",
"CommandlineArguments": "",
"EnableServices": "false",
"CollectLogsOnError": "false",
"ForceSignatureUpdate": "false",
"SignatureUpdateUsesMMPC": "false",
"SignatureUpdateFailureLoggerLevel": "Warning",
"SignatureFreshness": 3,
"OutdatedSignatureLoggerLevel": "Error",
"Output": "",
"LoggerLevel": "Standard"
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| ScanType | GDN_ANTIMALWARE_SCANTYPE | Values for ScanType are: 0 Default, according to your configuration. 1 Quick scan. 2 Full scan. 3 File and directory custom scan. |
| ScanDirectoryOrFile | GDN_ANTIMALWARE_SCANDIRECTORYORFILE | Indicates the file or directory to be scanned. |
| DisableRemediation | GDN_ANTIMALWARE_DISABLEREMEDIATION | If true: 1) File exclusions are ignored. 2) Archive files are scanned. 3) Actions are not applied after detection. 4) Event log entries are not written after detection. 5) Detections from the custom scan are not displayed in the user interface. 6) The console output will show the list of detections from the custom scan. |
| BootSectorScan | GDN_ANTIMALWARE_BOOTSECTORSCAN | If true, it enables boot sector scanning. |
| EnableServices | GDN_ANTIMALWARE_ENABLESERVICES | If true, it will try enabling the required services for Windows Update in case they are disabled. |
| CollectLogsOnError | GDN_ANTIMALWARE_COLLECTLOGSONERROR | If true, it will collect the support files for diagnosis when an error happened. This may take several minutes. |
| ForceSignatureUpdate | GDN_ANTIMALWARE_FORCESIGNATUREUPDATE | If true, it will force to run Signature Update. |
| SignatureUpdateUsesMMPC | GDN_ANTIMALWARE_SIGNATUREUPDATEUSESMMPC | If true, signature update will use Microsoft Malware Protection Center to download updates. Default: false. |
| SignatureUpdateFailureLoggerLevel | GDN_ANTIMALWARE_SIGNATUREUPDATEFAILURELOGGERLEVEL | The log level used if the signature update fails. Options include: Error, Standard, Warning. |
| SignatureFreshness | GDN_ANTIMALWARE_SIGNATUREFRESHNESS | The maximum allowed age for the AntiMalware signature. Options include: OneDay, TwoDays, ThreeDays, UpToDate. |
| OutdatedSignatureLoggerLevel | GDN_ANTIMALWARE_OUTDATEDSIGNATURELOGGERLEVEL | The log level used if the signature age is older than the selected signature freshness. Options include: Error, Standard, Warning. |
| LoggerLevel | GDN_ANTIMALWARE_LOGGERLEVEL | The log level used for all other failures. Options include: Error, Standard, Warning. |
Short description:
Security oriented static analyser for python code.
Long description:
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
{
"tools": [
{
"tool": {
"name": "Bandit",
"version": "Latest"
},
"arguments": {
"OutputFile": "",
"Recursive": "",
"Target": "$(DefaultBanditTargets)",
"Aggregate": "",
"ContextLines": "",
"ConfigFile": "",
"Profile": "",
"Tests": ["B102", "B110", "B112", "B303", "B304", "B312", "B321", "B324", "B413", "B501", "B502", "B503", "B504", "B505"],
"SkippedTests": "",
"SeverityLevel": "",
"ConfidenceLevel": "",
"Format": "sarif",
"MessageTemplate": "",
"Verbose": "",
"Debug": "",
"Quiet": "",
"IgnoreNosec": "",
"ExcludedPaths": "",
"Baseline": "",
"IniPath": "",
"Help": "",
"Version": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| OutputFile | GDN_BANDIT_OUTPUTFILE | write report to filename |
| Recursive | GDN_BANDIT_RECURSIVE | find and process files in subdirectories. |
| Target | GDN_BANDIT_TARGET | source file(s) or directory(s) to be tested |
| Aggregate | GDN_BANDIT_AGGREGATE | aggregate output by vulnerability (default) or by filename (file or vuln) |
| ContextLines | GDN_BANDIT_CONTEXTLINES | maximum number of code lines to output for each issue |
| ConfigFile | GDN_BANDIT_CONFIGFILE | optional config file to use for selecting plugins and overriding defaults |
| Profile | GDN_BANDIT_PROFILE | optional config file to use for selecting plugins and overriding defaults |
| Tests | GDN_BANDIT_TESTS | list of test IDs to run |
| SkippedTests | GDN_BANDIT_SKIPPEDTESTS | list of test IDs to skip |
| SeverityLevel | GDN_BANDIT_SEVERITYLEVEL | report only issues of a given severity level or higher. (LOW, MEDIUM, or HIGH, default LOW) |
| ConfidenceLevel | GDN_BANDIT_CONFIDENCELEVEL | report only issues of a given confidence level or higher. (LOW, MEDIUM, or HIGH, default LOW) |
| Format | GDN_BANDIT_FORMAT | the output format of the log file. Guardian supports the 'sarif' output format. Other formats that cannot be imported for post processing by Guardian are: csv,custom,html,json,screen,txt,xml,yaml |
| MessageTemplate | GDN_BANDIT_MESSAGETEMPLATE | Specify output format (only usable with --format custom) |
| Verbose | GDN_BANDIT_VERBOSE | output extra information like excluded and included files |
| Debug | GDN_BANDIT_DEBUG | turn on debug mode |
| Quiet | GDN_BANDIT_QUIET | only show output in the case of an error |
| IgnoreNosec | GDN_BANDIT_IGNORENOSEC | do not skip lines with # nosec comments |
| ExcludedPaths | GDN_BANDIT_EXCLUDEDPATHS | comma-separated list of paths (glob patterns supported to exclude from scan) |
| Baseline | GDN_BANDIT_BASELINE | path of a baseline report to compare against (only JSON-formatted files are accepted) |
| IniPath | GDN_BANDIT_INIPATH | path to a .bandit file that supplies command line arguments |
| Help | GDN_BANDIT_HELP | show a help message and exit. |
| Version | GDN_BANDIT_VERSION | show program's version number and exit |
Short description:
A portable executable scanner that validates compiler/linker settings and other security-relevant binary characteristics.
{
"tools": [
{
"tool": {
"name": "BinSkim",
"version": "Latest"
},
"arguments": {
"Function": "analyze",
"Target": "$(BinSkim.DefaultTargetPattern)",
"Output": "",
"SymbolsPath": "",
"LocalSymbolDirectories": "",
"ConfigPath": "default",
"PluginPath": "",
"IgnorePdbLoadError": "false",
"Recurse": "false",
"Verbose": "false",
"Hashes": true,
"Statistics": true,
"Environment": "false",
"Trace": "",
"Quiet": "false",
"Optimize": "false",
"Level": "",
"Kind": "",
"PrettyPrint": "false",
"Minify": "false",
"SarifOutputVersion": "OneZeroZero",
"Threads": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Function | GDN_BINSKIM_FUNCTION | |
| Target | GDN_BINSKIM_TARGET | |
| Output | GDN_BINSKIM_OUTPUT | File path to which analysis output will be written. |
| SymbolsPath | GDN_BINSKIM_SYMBOLSPATH | Symbols path value, e.g., Cachec:\symbols;SRVhttp://msdl.microsoft.com/download/symbols or Cached:\symbols;Srvhttp://symweb. |
| LocalSymbolDirectories | GDN_BINSKIM_LOCALSYMBOLDIRECTORIES | A set of semicolon-delimited local directory paths that will be examined when attempting to locate PDBs. |
| ConfigPath | GDN_BINSKIM_CONFIGPATH | Path to policy file that will be used to configure analysis. |
| PluginPath | GDN_BINSKIM_PLUGINPATH | Path to plug-in that will be invoked against all targets in the analysis set. |
| IgnorePdbLoadError | GDN_BINSKIM_IGNOREPDBLOADERROR | If enabled, BinSkim won't break if we have a 'PdbLoadingException'. |
| Recurse | GDN_BINSKIM_RECURSE | Recurse into subdirectories when evaluating file specifier arguments. |
| Verbose | GDN_BINSKIM_VERBOSE | Emit verbose output. |
| Hashes | GDN_BINSKIM_HASHES | Output MD5, SHA1, and SHA-256 hash of analysis targets when emitting SARIF reports. |
| Statistics | GDN_BINSKIM_STATISTICS | Generate timing and other statistics for analysis session. |
| Environment | GDN_BINSKIM_ENVIRONMENT | Log machine environment details of run to output file. |
| Trace | GDN_BINSKIM_TRACE | (Default: ) Execution traces, expressed as a semicolon-delimited list, that should be emitted to the console and log file (if appropriate). Valid values: PdbLoad. |
| Quiet | GDN_BINSKIM_QUIET | Do not log results to the console. |
| Optimize | GDN_BINSKIM_OPTIMIZE | Omit redundant properties, producing a smaller but non-human-readable log. |
| Level | GDN_BINSKIM_LEVEL | (Default: Error Warning) Filter output of scan results to one or more failure levels. Valid values: Error, Warning and Note. |
| Kind | GDN_BINSKIM_KIND | (Default: Fail) Filter output one or more result kinds. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational. |
| PrettyPrint | GDN_BINSKIM_PRETTYPRINT | Produce pretty-printed JSON output rather than compact output (all white space removed). |
| Minify | GDN_BINSKIM_MINIFY | Produce compact JSON output (all white space removed) rather than pretty-printed output. |
| SarifOutputVersion | GDN_BINSKIM_SARIFOUTPUTVERSION | The SARIF version of the output log file. Valid values are OneZeroZero and Current. |
| Threads | GDN_BINSKIM_THREADS | A count of threads that should be used for multithreaded operations. |
Short description:
An extensible open source JavaScript linting utility used to find problematic patterns or code that doesn't adhere to certain guidelines
{
"tools": [
{
"tool": {
"name": "ESLint",
"version": "Latest"
},
"arguments": {
"DisableDefaultConfigurationFile": true,
"ResolvePluginsRelativeTo": "",
"ConfigurationFile": "$(SDLRequiredConfigurationFile)",
"Environments": "",
"Extensions": [".js", ".ts"],
"Globals": "",
"Parser": "",
"ParserOptions": "",
"AdditionalRulesDirectories": "",
"Plugins": "",
"Rules": "",
"Fix": "",
"FixDryRun": "",
"FixTypes": "",
"ExclusionsFilePath": "",
"DisableExclusions": "",
"ExclusionPatterns": "*.d.ts",
"Quiet": "",
"MaxWarnings": "",
"ExitOnFatalError": "",
"OutputFile": "",
"OutputFormat": "$(InstallDirectory)\\node_modules\\@microsoft\\eslint-formatter-sarif\\sarif.js",
"DisableInlineConfig": "",
"ReportUnusedDisableDirectives": "",
"Cache": "",
"CacheLocation": "",
"Debug": "",
"Help": "",
"Targets": "$(DefaultTargets)"
}
}
]
}Short description:
An Infrastructure-as-Code (IaC) security analyzer for multi-cloud template types.
Long description:
Checkov is a static code analysis tool for infrastructure as code (IaC).
It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
{
"tools": [
{
"tool": {
"name": "Checkov",
"version": "Latest"
},
"arguments": {
"SkipPath": "",
"Directory": "",
"File": "",
"ExternalChecksDir": "",
"List": "true",
"Framework": "",
"SkipFramework": "",
"Check": "",
"SkipCheck": "",
"HardFailOn": "",
"DownloadExternalModules": "",
"ExternalModulesDownloadPath": "",
"ConfigFile": "",
"CreateConfig": "",
"ShowConfig": "true",
"CreateBaseLine": "",
"Baseline": "",
"NoFailOnCrash": "",
"EnableSecretScanAllFiles": "false",
"BlockListSecretScan": "",
"Quiet": "false",
"Help": "",
"Version": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| SkipPath | GDN_CHECKOV_SKIPPATH | Path (file or directory) to skip, using regular expression logic, relative to the current working directory. Word boundaries are not implicit; i.e., specifying “dir1” will skip any directory or subdirectory named “dir1”. Can be specified multiple times. |
| Directory | GDN_CHECKOV_DIRECTORY | IaC root directory (can not be used together with --file). |
| File | GDN_CHECKOV_FILE | File to scan (can not be used together with --directory). With this option, Checkov will attempt to filter the runners based on the file type. For example, if you specify a “.tf” file, only the terraform and secrets frameworks will be included. You can further limit this (e.g., skip secrets) by using the --skip-framework argument. |
| ExternalChecksDir | GDN_CHECKOV_EXTERNALCHECKSDIR | Directory for custom checks to be loaded. Can be repeated. |
| List | GDN_CHECKOV_LIST | List all checks that Checkov is scanning for. |
| Framework | GDN_CHECKOV_FRAMEWORK | Filter scan to run only on specific infrastructure code frameworks. |
| SkipFramework | GDN_CHECKOV_SKIPFRAMEWORK | Filter scan to skip specific infrastructure as code frameworks. This will be included automatically for some frameworks if system dependencies are missing. Add multiple frameworks using spaces. |
| Check | GDN_CHECKOV_CHECK | Checks to run; any other checks will be skipped. Enter one or more items separated by commas. Each item will be a Checkov check ID (CKV_AWS_123). |
| SkipCheck | GDN_CHECKOV_SKIPCHECK | Checks to skip; any other checks will not be run. Enter one or more items separated by commas. Each item will be a Checkov check ID |
| HardFailOn | GDN_CHECKOV_HARDFAILON | Exits with a non-zero exit code for specified checks. Enter one or more items separated by commas. Each item will be a Checkov check ID (CKV_AWS_123). --hard-fail-on takes precedence in a tie with skip check. |
| DownloadExternalModules | GDN_CHECKOV_DOWNLOADEXTERNALMODULES | Download external terraform modules from public git repositories and terraform registry |
| ExternalModulesDownloadPath | GDN_CHECKOV_EXTERNALMODULESDOWNLOADPATH | Set the path for the download external terraform modules. |
| ConfigFile | GDN_CHECKOV_CONFIGFILE | Path to the Checkov configuration YAML file. |
| CreateConfig | GDN_CHECKOV_CREATECONFIG | Takes the current command line args and writes them out to a config file at the given path. |
| ShowConfig | GDN_CHECKOV_SHOWCONFIG | Prints all args and config settings and where they came from (e.g., command line, config file, environment variable or default). |
| CreateBaseLine | GDN_CHECKOV_CREATEBASELINE | Alongside outputting the findings, save all results to .checkov.baseline file so future runs will not re-flag the same noise. Works only with --directory flag. |
| Baseline | GDN_CHECKOV_BASELINE | Use a .checkov.baseline file to compare current results with a known baseline. Report will include only failed checks that are new with respect to the provided baseline. |
| NoFailOnCrash | GDN_CHECKOV_NOFAILONCRASH | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform. |
| EnableSecretScanAllFiles | GDN_CHECKOV_ENABLESECRETSCANALLFILES | Enable secret scan to scan all type of file. |
| BlockListSecretScan | GDN_CHECKOV_BLOCKLISTSECRETSCAN | List of files to filter out in the secret scanner. |
| Quiet | GDN_CHECKOV_QUIET | For the CLI output, display only failed checks. Also disables progress bars. |
| Help | GDN_CHECKOV_HELP | show a help message and exit. |
| Version | GDN_CHECKOV_VERSION | show program's version number and exit |
| Argument name | Environment variable name | Description |
|---|---|---|
| DisableDefaultConfigurationFile | GDN_ESLINT_DISABLEDEFAULTCONFIGURATIONFILE | Disables use of configuration from .eslintrc.* and package.json files. Default: true |
| ResolvePluginsRelativeTo | GDN_ESLINT_RESOLVEPLUGINSRELATIVETO | Specify the working directory from which to load the plugins. Default:CWD |
| ConfigurationFile | GDN_ESLINT_CONFIGURATIONFILE | Specify an additional configuration file for ESLint. This file will override existing configurations. |
| Environments | GDN_ESLINT_ENVIRONMENTS | Specify environments, e.g.: --env browser,node. See: https://eslint.org/docs/user-guide/configuring#specifying-environments |
| Extensions | GDN_ESLINT_EXTENSIONS | Specifies file extensions to scan. |
| Globals | GDN_ESLINT_GLOBALS | Specify global variables,so that they will not be flagged as undefined by the no-undef rule. Any specified global variables are assumed to be read-only by default, but appending :true to a variable's name ensures that no-undef will also allow writes. E.g.: --global require,exports:true |
| Parser | GDN_ESLINT_PARSER | Specify a parser to be used by ESLint. When using the SDL required/recommended config, @typescript-eslint/parser will be the default. |
| ParserOptions | GDN_ESLINT_PARSEROPTIONS | Specify parser options to be used by ESLint. Note that the available parser options are determined by the parser being used. E.g.: --parser-options=ecmaVersion:7 |
| AdditionalRulesDirectories | GDN_ESLINT_ADDITIONALRULESDIRECTORIES | Specify other directories from which to load rules files. |
| Plugins | GDN_ESLINT_PLUGINS | Specifies plugins to load. You can omit the prefix eslint-plugin- fom the plugin name. Plugins must be installed using npm before being used. |
| Rules | GDN_ESLINT_RULES | Specify additional rules. These will be merged with any rules specified using other options. |
| Fix | GDN_ESLINT_FIX | Instructs ESLint to try to fix as many issues as possible. The fixes are made to the actual files themselves and only the remaining unfixed issues are output. |
| FixDryRun | GDN_ESLINT_FIXDRYRUN | Same as --fix, but instead of fixing the files, output the fixes. |
| FixTypes | GDN_ESLINT_FIXTYPES | Specify the types of fixes to apply. Choose from: problem, suggestion, layout. Multiple allowed, comma separated. |
| ExclusionsFilePath | GDN_ESLINT_EXCLUSIONSFILEPATH | Specify the file to use as your .eslintignore. By default, ESLint looks in the current working directory for .eslintignore. You can override this behavior by providing a path to a different file. |
| DisableExclusions | GDN_ESLINT_DISABLEEXCLUSIONS | Disables excluding of files from .eslintignore, --ignore-path and --ignore-pattern. |
| ExclusionPatterns | GDN_ESLINT_EXCLUSIONPATTERNS | This option allows you to specify patterns of files to ignore (in addition to those in .eslintignore). You can repeat the option to provide multiple patterns.E.g. eslint --ignore-pattern '/lib/' --ignore-pattern '/src/vendor/*' . |
| Quiet | GDN_ESLINT_QUIET | Disable reporting on warnings. |
| MaxWarnings | GDN_ESLINT_MAXWARNINGS | Specify a warning threshold, which can be used to force ESLint to exit with an error status if there are too many warning-level rule violations in your project. |
| ExitOnFatalError | GDN_ESLINT_EXITONFATALERROR | This option causes ESLint to exit with exit code 2 if one or more fatal parsing errors occur. Without this option, fatal parsing errors are reported as rule violations. |
| OutputFile | GDN_ESLINT_OUTPUTFILE | Specifies the path of the output file. |
| OutputFormat | GDN_ESLINT_OUTPUTFORMAT | Specifies the output format. Default: json. |
| DisableInlineConfig | GDN_ESLINT_DISABLEINLINECONFIG | This option prevents all inline comments like /eslint-disable/ or /global foo/ from having any effect. |
| ReportUnusedDisableDirectives | GDN_ESLINT_REPORTUNUSEDDISABLEDIRECTIVES | This option causes ESLint to report directive comments like // eslint-disable-line when no errors would have been reported on that line anyway. |
| Cache | GDN_ESLINT_CACHE | Only check changed files - default: false. |
| CacheLocation | GDN_ESLINT_CACHELOCATION | Path to the cache file or directory |
| Debug | GDN_ESLINT_DEBUG | Outputs debugging information to the console. |
| Help | GDN_ESLINT_HELP | |
| Targets | GDN_ESLINT_TARGETS | Specifies the target files, directories or globs, as a space separated list. |
Short description:
Scans ARM templates for security misconfigurations
Long description:
TemplateAnalyzer provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your ARM templates follow best practices.
{
"tools": [
{
"tool": {
"name": "TemplateAnalyzer",
"version": "Latest"
},
"arguments": {
"AnalyzeDirectory": "$(WorkingDirectory)",
"AnalyzeTemplate": "",
"ParametersFilePath": "",
"Verbose": "true",
"IncludeNonSecurityRules": "true",
"Help": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| AnalyzeDirectory | GDN_TEMPLATEANALYZER_ANALYZEDIRECTORY | Recursively searches for and analyzes all ARM templates in a directory with the set of preconfigured rules |
| AnalyzeTemplate | GDN_TEMPLATEANALYZER_ANALYZETEMPLATE | Analyzes an ARM template with the set of preconfigured rules |
| ParametersFilePath | GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH | File path of parameters file to use when scanning a template (optional) |
| Verbose | GDN_TEMPLATEANALYZER_VERBOSE | Shows details about the analysis |
| IncludeNonSecurityRules | GDN_TEMPLATEANALYZER_INCLUDENONSECURITYRULES | Run all the rules against the templates, including non-security rules |
| Help | GDN_TEMPLATEANALYZER_HELP | Output command line help information for the Template BPA CLI |
Short description:
Validate an IaC templates
Long description:
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
{
"tools": [
{
"tool": {
"name": "Terrascan",
"version": "Latest"
},
"arguments": {
"Init": "",
"Scan": "scan",
"Server": "",
"Version": "",
"ConfigPath": "",
"LogLevel": "",
"LogType": "",
"OutputType": "sarif",
"Categories": "",
"ConfigOnly": "",
"FindVuln": "",
"Help": "",
"IacDir": "$(WorkingDirectory)",
"IacFile": "",
"IacType": "",
"IacVersion": "",
"NonRecursive": "",
"PolicyPath": "",
"PolicyType": "",
"RemoteType": "",
"RemoteUrl": "",
"ScanRules": "",
"Severity": "",
"ShowPassed": "",
"SkipRules": "",
"UseColors": "auto",
"UseTerraformCache": "",
"Verbose": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Init | GDN_TERRASCAN_INIT | Initializes Terrascan and clones policies from the Terrascan GitHub repository |
| Scan | GDN_TERRASCAN_SCAN | Detect compliance and security violations across Infrastructure as Code |
| Server | GDN_TERRASCAN_SERVER | Run Terrascan as an API server |
| Version | GDN_TERRASCAN_VERSION | Terrascan version |
| ConfigPath | GDN_TERRASCAN_CONFIGPATH | Format supported is *.TOML |
| LogLevel | GDN_TERRASCAN_LOGLEVEL | Log level (debug, info, warn, error, panic, fatal) (default 'info') |
| LogType | GDN_TERRASCAN_LOGTYPE | Log output type (console, json) (default 'console') |
| OutputType | GDN_TERRASCAN_OUTPUTTYPE | Output type (human, json, yaml, xml, junit-xml, sarif) (default 'sarif') |
| Categories | GDN_TERRASCAN_CATEGORIES | List of categories of violations to be reported by terrascan (example: --categories='category1,category2') |
| ConfigOnly | GDN_TERRASCAN_CONFIGONLY | Will output resource config (should only be used for debugging purposes) |
| FindVuln | GDN_TERRASCAN_FINDVULN | Fetches vulnerabilities identified in Docker images |
| Help | GDN_TERRASCAN_HELP | |
| IacDir | GDN_TERRASCAN_IACDIR | Path to a directory containing one or more IaC files (default '.'') |
| IacFile | GDN_TERRASCAN_IACFILE | Path to a single IaC file |
| IacType | GDN_TERRASCAN_IACTYPE | Iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan) |
| IacVersion | GDN_TERRASCAN_IACVERSION | Iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1) |
| NonRecursive | GDN_TERRASCAN_NONRECURSIVE | Do not scan directories and modules recursively |
| PolicyPath | GDN_TERRASCAN_POLICYPATH | Policy path directory |
| PolicyType | GDN_TERRASCAN_POLICYTYPE | Policy type (all, aws, azure, gcp, github, k8s) (default [all]) |
| RemoteType | GDN_TERRASCAN_REMOTETYPE | Type of remote backend (git, s3, gcs, http, terraform-registry) |
| RemoteUrl | GDN_TERRASCAN_REMOTEURL | Url pointing to remote IaC repository |
| ScanRules | GDN_TERRASCAN_SCANRULES | One or more rules to scan (example: --scan-rules='ruleID1,ruleID2') |
| Severity | GDN_TERRASCAN_SEVERITY | Minimum severity level of the policy violations to be reported by terrascan |
| ShowPassed | GDN_TERRASCAN_SHOWPASSED | Display passed rules, along with violations |
| SkipRules | GDN_TERRASCAN_SKIPRULES | One or more rules to skip while scanning (example: --skip-rules='ruleID1,ruleID2') |
| UseColors | GDN_TERRASCAN_USECOLORS | Color output (auto, t, f) (default 'auto') |
| UseTerraformCache | GDN_TERRASCAN_USETERRAFORMCACHE | Use terraform init cache for remote modules (when used directory scan will be non recursive,flag applicable only with terraform IaC provider) |
| Verbose | GDN_TERRASCAN_VERBOSE | Will show violations with details (applicable for default output) |
Short description:
A security analysis tool for containers.
Long description:
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts.
{
"tools": [
{
"tool": {
"name": "Trivy",
"version": "Latest"
},
"arguments": {
"Action": "filesystem",
"Target": ".",
"ExitCode": "100",
"Quiet": "",
"Debug": "",
"CacheDirectory": "",
"OutputTemplate": "@$(InstallDirectory)\\tools\\sarif.tpl",
"TableFormat": "template",
"ImagePath": "",
"Severities": "",
"OutputPath": "",
"SkipDBUpdate": "",
"IgnoreUnfixed": "",
"RemovedPKGS": "",
"VulnTypes": "",
"IgnoreFile": "",
"Timeout": "",
"LightMode": "",
"IgnorePolicyPath": "",
"ListAllPackages": "",
"SkipFiles": "",
"SkipDirectories": "",
"CacheBackend": "",
"ClientServerToken": "",
"ClientServerTokenHeader": "",
"ClientRemoteLocation": "",
"ClientServerCustomHeaders": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Action | GDN_TRIVY_ACTION | The type of resource you would like to scan. The default is filesystem which scans local resources. Other options include image, repository, client, server. |
| Target | GDN_TRIVY_TARGET | Target of scan. For the default action (filesystem), a directory. |
| ExitCode | GDN_TRIVY_EXITCODE | Exit code to use if errors are detected. This must stay 100. |
| Quiet | GDN_TRIVY_QUIET | Suppress progress bar and log output. |
| Debug | GDN_TRIVY_DEBUG | Enable verbose debug output. |
| CacheDirectory | GDN_TRIVY_CACHEDIRECTORY | Directory for storing Trivy cache data. |
| OutputTemplate | GDN_TRIVY_OUTPUTTEMPLATE | A template to modify the output format. Output format must be set to template for this to work. The default behavior uses this option and a provided template to produce SARIF. If providing a filename, prpend @. |
| TableFormat | GDN_TRIVY_TABLEFORMAT | Format for the results output. Template is preferred by Guardian to produce SARIF, but this requires an output template to be selected as well. Other options include JSON and text. |
| ImagePath | GDN_TRIVY_IMAGEPATH | Path to image instead of image name. This is only useful if using the image scan type. See also: https://github.com/aquasecurity/trivy#scan-an-oci-image |
| Severities | GDN_TRIVY_SEVERITIES | Severities to display. Available options are: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. Warning: this is not a threshold and all desired severities must be listed. The default is to include all findings. |
| OutputPath | GDN_TRIVY_OUTPUTPATH | Path of output file. |
| SkipDBUpdate | GDN_TRIVY_SKIPDBUPDATE | Skip the database update step. |
| IgnoreUnfixed | GDN_TRIVY_IGNOREUNFIXED | Ignore issues that aren't known to be fixed. |
| RemovedPKGS | GDN_TRIVY_REMOVEDPKGS | detect vulnerabilities of removed packages (only for Alpine) |
| VulnTypes | GDN_TRIVY_VULNTYPES | Vulnerability types to display. Options are: os, library. The default is to display both of these. |
| IgnoreFile | GDN_TRIVY_IGNOREFILE | Path to a Trivy ignorefile. See the tool documentation at: https://github.com/aquasecurity/trivy |
| Timeout | GDN_TRIVY_TIMEOUT | Timeout for Docker operations in the format 5m0s. The default is five minutes. |
| LightMode | GDN_TRIVY_LIGHTMODE | light mode: it's faster, but vulnerability descriptions and references are not displayed. |
| IgnorePolicyPath | GDN_TRIVY_IGNOREPOLICYPATH | Path to a custom Rego file to evaluate each vulnerability. This feature is experimental. See also: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy |
| ListAllPackages | GDN_TRIVY_LISTALLPACKAGES | List all packages used, whether they have vulnerabilities or not. |
| SkipFiles | GDN_TRIVY_SKIPFILES | Paths to files to skip. If you wish to ignore entire directories, use the skip directories option. This does not support complex matching patterns. |
| SkipDirectories | GDN_TRIVY_SKIPDIRECTORIES | Paths to directories to ignore. If you wish to ignore single files while scanning others in the same directory, use the skip files option. This does not support complex matching patterns. |
| CacheBackend | GDN_TRIVY_CACHEBACKEND | Location of the cache backend resource. Does not work with client action. |
| ClientServerToken | GDN_TRIVY_CLIENTSERVERTOKEN | Token to authenticate to a server. Only works with client or server actions. |
| ClientServerTokenHeader | GDN_TRIVY_CLIENTSERVERTOKENHEADER | Header to use when sending or expecting the token to authenticate to a server. Only works with client or server actions. |
| ClientRemoteLocation | GDN_TRIVY_CLIENTREMOTELOCATION | URI of a Trivy server. Only works with client action. |
| ClientServerCustomHeaders | GDN_TRIVY_CLIENTSERVERCUSTOMHEADERS | Custom headers for a Trivy server. Only works with client or server actions. |