Merge pull request #100 from microsoft/serait/containerMappingDefault

Enable container-mapping tool by default

Author: sethRait

README.md

@@ -50,15 +50,8 @@ To upload results to the Security tab of your repo, run the `github/codeql-actio
 
 ## Advanced
 
-To configure **Container Mapping** to send to **Microsoft Defender for DevOps**, include `container-mapping` as a tool:
-```yaml
-- uses: microsoft/security-devops-action@v1
-  id: msdo
-  with:
-    includeTools: container-mapping
-```
+To only run specific analyzers, use the `tools` command. This command is a comma-seperated list of tools to run. For example, to run only the `container-mapping` tool, configure this action as follows:
 
-This will run all the analyzers defined by the configured or defaulted policy in addition to `container-mapping`. To only run this feature, define `container-mapping` as the only `tool` to run:
 ```yaml
 - uses: microsoft/security-devops-action@v1
   id: msdo
@@ -77,6 +70,7 @@ This will run all the analyzers defined by the configured or defaulted policy in
 | [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) |
 | [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) |
 | [Trivy](https://github.com/aquasecurity/trivy) | container images, file systems, and git repositories | [Apache License 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| [container-mapping](https://learn.microsoft.com/en-us/azure/defender-for-cloud/container-image-mapping) | container images and registries (only available for DevOps security enabled CSPM plans) | [MIT License](https://github.com/microsoft/security-devops-action/blob/main/LICENSE) |
 
 # More Information
 

action.yml

@@ -6,13 +6,7 @@ branding:
   color: 'black'
 inputs:
   command:
-    description: The command to run. Defaults to run.
-    default: all
-    options:
-      - all
-      - run
-      - pre-job
-      - post-job
+    description: Deprecated, do not use.
   config:
     description: A file path to a .gdnconfig file.
   policy:
@@ -25,7 +19,7 @@ inputs:
   tools:
     description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
   includeTools:
-    description: A comma separated list of analyzers to run in addition to the default set defined by the policy. Limited to container-mapping
+    description: Deprecated
 outputs:
   sarifFile:
     description: A file path to a SARIF results file.

lib/index.js

@@ -33,14 +33,30 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const index_1 = require("./index");
+const msdo_1 = require("./msdo");
+const msdo_interface_1 = require("./msdo-interface");
+const common = __importStar(require("@microsoft/security-devops-actions-toolkit/msdo-common"));
 const msdo_helpers_1 = require("./msdo-helpers");
-const runner = msdo_helpers_1.RunnerType.Main;
 function runMain() {
     return __awaiter(this, void 0, void 0, function* () {
-        yield (0, index_1.run)(runner);
+        if (shouldRunMain()) {
+            yield (0, msdo_interface_1.getExecutor)(msdo_1.MicrosoftSecurityDevOps).runMain();
+        }
+        else {
+            console.log("Scanning is not enabled. Skipping...");
+        }
     });
 }
 runMain().catch(error => {
     core.setFailed(error);
 });
+function shouldRunMain() {
+    let toolsString = core.getInput('tools');
+    if (!common.isNullOrWhiteSpace(toolsString)) {
+        let tools = toolsString.split(',');
+        if (tools.length == 1 && tools[0].trim() == msdo_helpers_1.Tools.ContainerMapping) {
+            return false;
+        }
+    }
+    return true;
+}

lib/main.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeToOutStream = exports.getEncodedContent = exports.encode = exports.Constants = exports.Tools = exports.CommandType = exports.RunnerType = exports.Inputs = void 0;
+exports.writeToOutStream = exports.getEncodedContent = exports.encode = exports.Constants = exports.Tools = exports.RunnerType = exports.Inputs = void 0;
 const os_1 = __importDefault(require("os"));
 var Inputs;
 (function (Inputs) {
@@ -21,13 +21,6 @@ var RunnerType;
     RunnerType["Pre"] = "pre";
     RunnerType["Post"] = "post";
 })(RunnerType || (exports.RunnerType = RunnerType = {}));
-var CommandType;
-(function (CommandType) {
-    CommandType["All"] = "all";
-    CommandType["PreJob"] = "pre-job";
-    CommandType["PostJob"] = "post-job";
-    CommandType["Run"] = "run";
-})(CommandType || (exports.CommandType = CommandType = {}));
 var Tools;
 (function (Tools) {
     Tools["Bandit"] = "bandit";

lib/msdo-helpers.js

@@ -1,2 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getExecutor = void 0;
+function getExecutor(runner) {
+    return new runner();
+}
+exports.getExecutor = getExecutor;

lib/msdo-interface.js

@@ -104,23 +104,6 @@ class MicrosoftSecurityDevOps {
                     }
                 }
             }
-            let includeToolsString = core.getInput('includeTools');
-            if (!common.isNullOrWhiteSpace(includeToolsString)) {
-                let includeTools = includeToolsString.split(',');
-                for (let i = 0; i < includeTools.length; i++) {
-                    let includeTool = includeTools[i];
-                    let toolTrimmed = includeTool.trim();
-                    if (!common.isNullOrWhiteSpace(includeTool)
-                        && includeTool != msdo_helpers_1.Tools.ContainerMapping
-                        && includedTools.indexOf(toolTrimmed) == -1) {
-                        if (includedTools.length == 0) {
-                            args.push('--tool');
-                        }
-                        args.push(toolTrimmed);
-                        includedTools.push(toolTrimmed);
-                    }
-                }
-            }
             args.push('--github');
             yield client.run(args, 'microsoft/security-devops-action');
         });

lib/msdo.js

@@ -33,12 +33,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const index_1 = require("./index");
-const msdo_helpers_1 = require("./msdo-helpers");
-const runner = msdo_helpers_1.RunnerType.Post;
+const container_mapping_1 = require("./container-mapping");
+const msdo_interface_1 = require("./msdo-interface");
 function runPost() {
     return __awaiter(this, void 0, void 0, function* () {
-        yield (0, index_1.run)(runner);
+        yield (0, msdo_interface_1.getExecutor)(container_mapping_1.ContainerMapping).runPostJob();
     });
 }
 runPost().catch((error) => {

lib/post.js

@@ -33,12 +33,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const index_1 = require("./index");
-const msdo_helpers_1 = require("./msdo-helpers");
-const runner = msdo_helpers_1.RunnerType.Pre;
+const container_mapping_1 = require("./container-mapping");
+const msdo_interface_1 = require("./msdo-interface");
 function runPre() {
     return __awaiter(this, void 0, void 0, function* () {
-        yield (0, index_1.run)(runner);
+        yield (0, msdo_interface_1.getExecutor)(container_mapping_1.ContainerMapping).runPreJob();
     });
 }
 runPre().catch((error) => {

lib/pre.js

@@ -1,4 +1,3 @@
-import { CommandType, Constants, getEncodedContent, writeToOutStream } from "./msdo-helpers";
 import { IMicrosoftSecurityDevOps } from "./msdo-interface";
 import * as https from "https";
 import * as core from '@actions/core';