security-devops-action

In this release, we're enabling the container-mapping tool by default for customers who have onboarded to Microsoft Defender for Cloud and have enabled their GitHub organization.

Those who do not have Microsoft Defender for Cloud enabled on their GitHub organizations will not be able to run the container-mapping workload and it will be automatically skipped.

With this change, we are deprecating the includeTools option. If you would like to manually specify which tools to run, this can still be done via the tools option as before. See the wiki for further instructions.

This release brings introduces our first pre and post job feature, container-mapping, as an opt-in feature. It runs docker commands to see which containers have been created during the pipeline for integration with Microsoft Defender for DevOps.

To configure Container Mapping to send conatiner data to Microsoft Defender for DevOps, include container-mapping as a tool:

- uses: microsoft/security-devops-action@v1
  id: msdo
  with:
    includeTools: container-mapping

This will run all the analyzers defined by the configured or defaulted policy in addition to container-mapping. To only run this feature, define container-mapping as the only tool to run:

- uses: microsoft/security-devops-action@v1
  id: msdo
  with:
    tools: container-mapping

In future releases, we will use this to auto-configure container scanning as well as introduce additional scanning optimizations and capabilities.

Adds a backwards compatibility check for the --export-breaking-results-to-file which going forward still exists, with corrected behavior, and will use --export-file instead.

v1.7.2 - 06/22/2023

Fixed

• Added try-catch best effort for gzip json response decompression from nuget.org
• Compile with nodenext moduleResolution so it implements a Promise resolver intead of yield on dynamic module resolution (node v13.2+)
  • Resolves node and node10 task runners

Added

• The msdo-nuget-client.ts javascript nuget client
• Dependency on adm-zip
• Dependency on decompress-response

Changed

• Install the MSDO nuget package via javascript
  • Removes a dependency on dotnet to leverage restore to install the platform cross-platform
• Upgraded dependencies
  • azure-pipelines-task-lib to v4.3.1
  • azure-pipelines-tool-lib to v2.0.4
  • typescript to v5.1.3

node16
Upgrade @actions/core dependency
Upgrade @actions/exec dependency

Add tools as an input option to explicitly define which tools to run with default values.

Upgrade the microsoft-security-devops-actions-toolkit to v1.4.2 for shared agent packages.

This change saves considerable space on reusable agents as well as prevent unwanted detections in samples installed with analyzers.

Fix multi categories and languages

GitHub SARIF result format.