Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

binskim scans files one by one #85

Open
fabio-s-franco opened this issue Sep 27, 2023 · 1 comment
Open

binskim scans files one by one #85

fabio-s-franco opened this issue Sep 27, 2023 · 1 comment

Comments

@fabio-s-franco
Copy link

There is no documentation and I couldn't find anything on the source code on how to customize the behavior of binskim.

The result is that it tries to scan files one by one, which makes the scan prohibitively slow (never succeeded to finish it).
If we can set the CLI argument through the extension, then it may be possible to use it.
@kewalaka
Copy link

kewalaka commented Nov 9, 2023
edited
Loading

hi @fabio-s-franco - I was just hitting the same wall myself. I've found this documentation here which was helpful:

https://github.com/microsoft/security-devops-azdevops/wiki

You can use a gdnconfig file & supply that to the defender for devops task, as the config option, from the above docs:

 - task: MicrosoftSecurityDevOps@1
   inputs:
   # command: 'run' | 'pre-job' | 'post-job'. Optional. The command to run. Default: run
   # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
   # policy: 'azuredevops' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: azuredevops.
   # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'secrets', 'code', 'artifacts', 'IaC', 'containers. Example: 'IaC,secrets'. Defaults to all.
   # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
   # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
   # break: boolean. Optional. If true, will fail this build step if any error level results are found. Default: false.
   # publish: boolean. Optional. If true, will publish the output SARIF results file to the chosen pipeline artifact. Default: true.
   # artifactName: string. Optional. The name of the pipeline artifact to publish the SARIF result file to. Default: CodeAnalysisLogs*.

There's also a sample file for BinSkim options (and other tools) further on the same page:

https://github.com/microsoft/security-devops-azdevops/wiki#bandit-options

I couldn't find this on Learn with the other pipeline yaml definitions, that would have made the search easier.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kewalaka @fabio-s-franco