When running the MicrosoftSecurityDevOps@1 task in an Azure DevOps pipeline there is a misconception about the behavior of the break input.
This is seen when there is a failure in running a tool (e.g. Trivy, Terrascan, etc.). The expectation is that failures in security tools should cause the task to fail. However, when a tool encounters a configuration issue and fails to execute, the task logs errors but still returns a success status, continuing the pipeline execution.
##[error]Error running tool 1 of 2: trivy
##[error]Error running trivy job: 1 of 1
##[error]GuardianErrorExitCodeException: trivy completed with an Error exit code: 1. The tool did not complete successfully due to bad parameters or a scan error. Contact TrivySecSupport for assistance.
##[error]BreakException: Guardian detected one or more breaking results.
This behavior introduces a risk where security tools silently fail, potentially causing vulnerabilities to go undetected.
To avoid this, one can use the break input, but the description in the documentation focuses on severity-level results and does not specify task execution issues.
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  # inputs:
  #   tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. Example 'templateanalyzer, trivy'
  #   break: boolean. Optional. If true, will fail this build step if any high severity level results are found. Default: false.
The MicrosoftSecurityDevOps@1 task should return an error and fail if a tool that it tries to run fails to execute. Alternatively, an additional setting should be used to distinguish between a security issue (i.e., high-severity findings) and a task execution failure (e.g., misconfiguration or tool failure).
Please advise and do let me know if more information is needed.
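The distinction the report asks for (findings versus a scanner that failed to run) can be enforced today in a plain script step that wraps the scanner, independently of the task's break input. The following is an added example, not code from the MicrosoftSecurityDevOps task or its documentation. It assumes the scanner can be told to use a dedicated exit code for findings (Trivy's `--exit-code` flag does this; the value 10 and the `run_scan_step` / `classify_scan_exit` names are this example's own choices); any other non-zero exit is then treated as a tool execution error and always fails the step, while findings fail it only when the caller asks for that.

```shell
#!/bin/sh
# Added example (not the MicrosoftSecurityDevOps task's own code): wrap a
# scanner so that "tool failed to execute" and "tool found issues" are
# reported and handled differently in an Azure Pipelines script step.
#
# Assumption (hypothetical): the scanner exits with FINDINGS_CODE when it ran
# successfully but found issues, 0 when clean, and anything else on error.
FINDINGS_CODE=10

# classify_scan_exit EXIT_CODE
#   Prints one of: clean | findings | tool-error
classify_scan_exit() {
  case "$1" in
    0)                echo clean ;;
    "$FINDINGS_CODE") echo findings ;;
    *)                echo tool-error ;;
  esac
}

# run_scan_step BREAK_ON_FINDINGS CMD [ARGS...]
#   Runs the scanner command, emits Azure Pipelines logging commands
#   (##vso[task.logissue ...]) and returns 0 only when the step should pass:
#   - tool-error: always fails (the silent-failure case from the report)
#   - findings:   fails only when BREAK_ON_FINDINGS is "true"
#   - clean:      passes
run_scan_step() {
  break_on_findings="$1"
  shift
  # Capture the exit code without tripping 'set -e' in the caller.
  "$@" && rc=0 || rc=$?
  verdict=$(classify_scan_exit "$rc")
  case "$verdict" in
    clean)
      return 0 ;;
    findings)
      echo "##vso[task.logissue type=warning]scanner reported findings (exit $rc)"
      if [ "$break_on_findings" = "true" ]; then
        return 1
      fi
      return 0 ;;
    tool-error)
      echo "##vso[task.logissue type=error]scanner failed to execute (exit $rc); treating as step failure"
      return 1 ;;
  esac
}

# Example usage inside a pipeline script step (hypothetical invocation):
#   run_scan_step "$BREAK_ON_FINDINGS" \
#     trivy fs --exit-code "$FINDINGS_CODE" --severity HIGH,CRITICAL .
```

A script step fails when the script exits non-zero, so a configuration error that stops the scanner from running can no longer pass as a green step; the findings policy stays a separate knob, which is what the report proposes as the alternative to overloading the break input.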