Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add v2 Defender CLI implementation (filesystem, image, model scans)
- Restructure src/ and lib/ into v1/ and v2/ folders
- Port defender-client and defender-installer from AzDevOps task-lib
- Add job summary with SARIF parsing for GitHub Actions
- Add self-hosted validation workflow for image scan testing
- Add 70 new tests for v2 components

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…eme) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Revert action.yml to v1 MSDO inputs (paths updated to lib/v1/)
- Create v2/action.yml for Defender CLI v2
- Split self-hosted-validation into v1 and v2 workflows
- v1 workflow uses ./ (root action.yml)
- v2 workflow uses ./v2/ (v2 action.yml)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Policy variations: github, microsoft, none, azuredevops, mdc
- Break on critical: image (vuln), model (vuln), fs
- Debug logging: image with debug=true
- PR summary toggle: image with pr-summary=false
- Custom args: image with --defender-list-findings
- Different images: nginx, pycontribs/ubuntu (vulnerable)
- Defaults only: no inputs (verify all defaults)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Omer Bareket <34472645+omerb97@users.noreply.github.com>
@microsoft-github-policy-service agree company="Microsoft"
DimaBir left a comment
Inline follow-up: remaining high-priority findings attached to specific lines.
Pull request overview
This PR adds a v2 variant of the action that runs the Defender CLI (filesystem/image/model scans), introduces supporting v2 implementation code (installer/client/helpers/job summary), and reorganizes v1 compiled entrypoints under lib/v1 while adding self-hosted validation workflows.
Changes:
- Added a new v2/action.yml and v2 runtime implementation (Defender CLI runner, installer, helpers, client, job summary).
- Added v2 container-mapping implementation for pre/post job Docker event/image collection.
- Updated v1 entrypoints to reference lib/v1/* and added self-hosted validation workflows for v1 and v2.
Reviewed changes
Copilot reviewed 30 out of 46 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| v2/action.yml | New action metadata + inputs/outputs for v2 action entrypoints. |
| test/pre.tests.ts | Updated tests to import v1 pre/container-mapping from versioned lib paths. |
| test/post.tests.ts | Updated tests to import v1 post/container-mapping from versioned lib paths. |
| test/job-summary.tests.ts | Added unit tests for v2 SARIF parsing + job summary generation. |
| test/defender-installer.tests.ts | Added unit tests for v2 installer filename/variable handling. |
| test/defender-helpers.tests.ts | Added unit tests for v2 input validation + arg parsing helpers. |
| test/defender-client.tests.ts | Added unit tests for v2 CLI invocation behavior. |
| src/v2/pre.ts | v2 pre entrypoint wiring to container-mapping executor. |
| src/v2/post.ts | v2 post entrypoint wiring to container-mapping executor. |
| src/v2/job-summary.ts | v2 SARIF parsing and GitHub Job Summary markdown generation/posting. |
| src/v2/defender-main.ts | v2 main entrypoint wiring to Defender CLI runner. |
| src/v2/defender-interface.ts | v2 executor factory + interface for 3-phase lifecycle. |
| src/v2/defender-installer.ts | v2 CLI download/install + checksum verification + env var setup. |
| src/v2/defender-helpers.ts | v2 input validation, debug setup, encoding helpers, arg parsing. |
| src/v2/defender-client.ts | v2 CLI invocation wrapper (scan fs/image/model) + env setup. |
| src/v2/defender-cli.ts | v2 action runner: reads inputs, validates, runs scans, posts summaries. |
| src/v2/container-mapping.ts | v2 container-mapping implementation (pre/post docker data + backend calls). |
| src/v1/pre.ts | Formatting-only change; retains v1 pre behavior. |
| src/v1/post.ts | Formatting-only change; retains v1 post behavior. |
| src/v1/msdo.ts | Formatting-only change; retains v1 runner behavior. |
| src/v1/msdo-interface.ts | Formatting-only change; retains v1 interface/factory behavior. |
| src/v1/msdo-helpers.ts | Formatting-only change; retains v1 helper behavior. |
| src/v1/main.ts | Formatting-only change; retains v1 main behavior. |
| src/v1/container-mapping.ts | Formatting-only change; retains v1 container-mapping behavior. |
| lib/v2/pre.js | Compiled v2 pre JS entrypoint. |
| lib/v2/post.js | Compiled v2 post JS entrypoint. |
| lib/v2/job-summary.js | Compiled v2 job summary JS. |
| lib/v2/defender-main.js | Compiled v2 main JS entrypoint. |
| lib/v2/defender-interface.js | Compiled v2 interface/factory JS. |
| lib/v2/defender-installer.js | Compiled v2 installer JS. |
| lib/v2/defender-helpers.js | Compiled v2 helpers JS. |
| lib/v2/defender-client.js | Compiled v2 client JS. |
| lib/v2/defender-cli.js | Compiled v2 CLI runner JS. |
| lib/v2/container-mapping.js | Compiled v2 container-mapping JS. |
| lib/v1/pre.js | Compiled v1 pre moved under versioned path. |
| lib/v1/post.js | Compiled v1 post moved under versioned path. |
| lib/v1/msdo.js | Compiled v1 msdo moved under versioned path. |
| lib/v1/msdo-interface.js | Compiled v1 interface moved under versioned path. |
| lib/v1/msdo-helpers.js | Compiled v1 helpers moved under versioned path. |
| lib/v1/main.js | Compiled v1 main moved under versioned path. |
| lib/v1/container-mapping.js | Compiled v1 container-mapping moved under versioned path. |
| action.yml | Updated v1 action entrypoints to lib/v1/*. |
| .gitignore | Added ignores for actions-runner/ and .github/copilot-instructions.md. |
| .github/workflows/self-hosted-validation-v2.yml | New self-hosted validation workflow for v2 image scan. |
| .github/workflows/self-hosted-validation-v1.yml | New self-hosted validation workflow for v1 scan. |
DimaBir left a comment
All 6 previously flagged issues are resolved — both criticals (integrity check, redirect pinning) and all 4 highs (model scan deduplication, Promise anti-pattern, workflow scope, policy description). One remaining suggestion before merge:
🟡 Suggestion — Checksum sidecar served from the same CDN (defender-installer.ts)
verifyIntegrity() fetches ${downloadUrl}.sha256 from the same cli.dfd.security.azure.com origin as the binary. This protects against transit/MITM attacks but not against CDN-level compromise — a compromised CDN can serve a matching binary+checksum pair that passes the check.
Consider publishing checksums to a separate trust anchor (GitHub release asset, hardcoded pinned hashes per version, or a separate Microsoft endpoint) so the two are not co-located. Can be a follow-up if CDN compromise is out of scope for this PR.
Otherwise LGTM — clean implementation, good coverage of scan types.
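The trust-anchor point in the suggestion above, shown as added example code (not the action's defender-installer.ts): a same-origin sidecar check accepts any binary+checksum pair the serving origin chooses, while a checksum pinned out of band (here a hypothetical table keyed by version and asset name, both constructed values) rejects a binary the pin was not computed over.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical pinned-checksum table: version -> asset filename -> sha256 hex.
// Committed with the action (or fetched from a separate trust anchor), so the CDN
// that serves the binary is not also the source of the expected hash.
type PinnedHashes = Record<string, Record<string, string>>;

function sha256Hex(data: Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

// Constant-time comparison of two hex digests (length check first, because
// timingSafeEqual throws on mismatched lengths).
function digestsMatch(actualHex: string, expectedHex: string): boolean {
  const a = new TextEncoder().encode(actualHex.toLowerCase());
  const b = new TextEncoder().encode(expectedHex.trim().toLowerCase());
  return a.length === b.length && timingSafeEqual(a, b);
}

// Sidecar model: the expected hash arrives from the same origin as the binary.
function verifyWithSidecar(binary: Uint8Array, sidecarSha256: string): boolean {
  return digestsMatch(sha256Hex(binary), sidecarSha256);
}

// Pinned model: the expected hash comes from the out-of-band table; an unknown
// version/asset is a hard failure rather than a silent skip.
function verifyWithPinnedHash(binary: Uint8Array, version: string, asset: string, pins: PinnedHashes): boolean {
  const expected = pins[version]?.[asset];
  if (expected === undefined) throw new Error(`no pinned checksum for ${asset}@${version}`);
  return digestsMatch(sha256Hex(binary), expected);
}

// Constructed scenario: a genuine build, and a tampered build served by a
// compromised CDN together with a sidecar the CDN computed itself.
function cdnCompromiseScenario() {
  const version = "1.0.0";                // constructed version, not a real release
  const asset = "defender-cli-linux-x64"; // constructed asset name
  const genuine = new TextEncoder().encode("defender-cli genuine build (constructed)");
  const tampered = new TextEncoder().encode("defender-cli tampered build (constructed)");
  const pins: PinnedHashes = { [version]: { [asset]: sha256Hex(genuine) } };
  const attackerSidecar = sha256Hex(tampered); // matching pair from the same origin
  return {
    genuinePassesSidecar: verifyWithSidecar(genuine, sha256Hex(genuine)),      // true
    tamperedPassesSidecar: verifyWithSidecar(tampered, attackerSidecar),       // true: check defeated
    genuinePassesPinned: verifyWithPinnedHash(genuine, version, asset, pins),  // true
    tamperedPassesPinned: verifyWithPinnedHash(tampered, version, asset, pins), // false
  };
}
```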
One last comment @omerb97, let's stick to Immune PR Titles conventions for history cleanliness
This pull request introduces significant improvements to the GitHub Action's documentation, workflow validation, and code organization for Defender for DevOps. The changes include new self-hosted validation workflows for both v1 and v2, a comprehensive documentation file for contributors, updates to the action's entry points, and the addition of a new container-mapping implementation for v2. These updates enhance clarity, maintainability, and support for advanced scanning scenarios.

Documentation enhancements:
- .github/copilot-instructions.md with build, test, architecture, and conventions for contributors, improving onboarding and maintenance.

Workflow validation improvements:
- .github/workflows/self-hosted-validation-v1.yml for MSDO v1 self-hosted security scan validation.
- .github/workflows/self-hosted-validation-v2.yml for Defender CLI v2 self-hosted image, model, and filesystem scan validation.

Codebase and entry point updates:
- Updated action.yml to reference lib/v1/main.js, lib/v1/pre.js, and lib/v1/post.js as entry points, supporting clearer version separation.

New functionality:
- lib/v2/container-mapping.js, implementing the v2 container mapping logic for pre/post job Docker event/image collection and reporting to Defender for DevOps.