Adding Defender CLI

.github/workflows/self-hosted-validation-v1.yml

@@ -0,0 +1,29 @@
+name: MSDO v1 self-hosted validation
+on: push
+
+permissions:
+  id-token: write
+  security-events: write
+
+jobs:
+  msdo-scan:
+    name: MSDO v1 - Security Scan
+
+    runs-on: self-hosted
+
+    steps:
+
+      # Checkout your code repository to scan
+    - uses: actions/checkout@v6
+
+    # Run MSDO v1
+    - name: Run MSDO
+      uses: ./
+      id: msdo
+
+      # Upload results to the Security tab
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/self-hosted-validation-v2.yml

@@ -0,0 +1,35 @@
+name: Defender CLI v2 self-hosted validation
+on:
+  push:
+    branches: [main, 'release/**']
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  security-events: write
+
+jobs:
+  defender-image-scan:
+    name: Image Scan (mdc policy)
+
+    runs-on: self-hosted
+
+    steps:
+
+    - uses: actions/checkout@v6
+
+    - name: Run Defender CLI - Image Scan
+      uses: ./v2/
+      id: defender
+      with:
+        command: 'image'
+        imageName: 'ubuntu:latest'
+        policy: 'mdc'
+        break: 'false'
+        pr-summary: 'true'
+
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: ${{ steps.defender.outputs.sarifFile }}

.gitignore

@@ -329,3 +329,9 @@ ASALocalRun/
 
 # MFractors (Xamarin productivity tool) working folder 
 .mfractor/
+
+# GitHub Actions Runner
+actions-runner/
+
+# Copilot instructions
+.github/copilot-instructions.md

action.yml

@@ -30,6 +30,6 @@ outputs:
     description: A file path to a SARIF results file.
 runs:
   using: 'node24'
-  main: 'lib/main.js'
-  pre: 'lib/pre.js'
-  post: 'lib/post.js'
+  main: 'lib/v1/main.js'
+  pre: 'lib/v1/pre.js'
+  post: 'lib/v1/post.js'

lib/v2/container-mapping.js

@@ -0,0 +1,268 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ContainerMapping = void 0;
+const https = __importStar(require("https"));
+const core = __importStar(require("@actions/core"));
+const exec = __importStar(require("@actions/exec"));
+const os = __importStar(require("os"));
+const sendReportRetryCount = 1;
+const GetScanContextURL = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/auth-push/GetScanContext?context=authOnly";
+const ContainerMappingURL = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/container-mappings";
+class ContainerMapping {
+    constructor() {
+        this.succeedOnError = true;
+    }
+    runPreJob() {
+        try {
+            core.info("::group::Microsoft Defender for DevOps container mapping pre-job - https://go.microsoft.com/fwlink/?linkid=2231419");
+            this._runPreJob();
+        }
+        catch (error) {
+            core.info("Error in Container Mapping pre-job: " + error);
+        }
+        finally {
+            core.info("::endgroup::");
+        }
+    }
+    _runPreJob() {
+        const startTime = new Date().toISOString();
+        core.saveState('PreJobStartTime', startTime);
+        core.info(`PreJobStartTime: ${startTime}`);
+    }
+    runMain() {
+        return __awaiter(this, void 0, void 0, function* () {
+        });
+    }
+    runPostJob() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                core.info("::group::Microsoft Defender for DevOps container mapping post-job - https://go.microsoft.com/fwlink/?linkid=2231419");
+                yield this._runPostJob();
+            }
+            catch (error) {
+                core.info("Error in Container Mapping post-job: " + error);
+            }
+            finally {
+                core.info("::endgroup::");
+            }
+        });
+    }
+    _runPostJob() {
+        return __awaiter(this, void 0, void 0, function* () {
+            let startTime = core.getState('PreJobStartTime');
+            if (startTime.length <= 0) {
+                startTime = new Date(new Date().getTime() - 10000).toISOString();
+                core.debug(`PreJobStartTime not defined, using now-10secs`);
+            }
+            core.info(`PreJobStartTime: ${startTime}`);
+            let reportData = {
+                dockerVersion: "",
+                dockerEvents: [],
+                dockerImages: []
+            };
+            let bearerToken = yield core.getIDToken()
+                .then((token) => { return token; })
+                .catch((error) => {
+                throw new Error("Unable to get token: " + error);
+            });
+            if (!bearerToken) {
+                throw new Error("Empty OIDC token received");
+            }
+            var callerIsOnboarded = yield this.checkCallerIsCustomer(bearerToken, sendReportRetryCount);
+            if (!callerIsOnboarded) {
+                core.info("Client is not onboarded to Defender for DevOps. Skipping container mapping workload.");
+                return;
+            }
+            core.info("Client is onboarded for container mapping.");
+            let dockerVersionOutput = yield exec.getExecOutput('docker --version');
+            if (dockerVersionOutput.exitCode != 0) {
+                core.info(`Unable to get docker version: ${dockerVersionOutput}`);
+                core.info(`Skipping container mapping since docker not found/available.`);
+                return;
+            }
+            reportData.dockerVersion = dockerVersionOutput.stdout.trim();
+            yield this.execCommand(`docker events --since ${startTime} --until ${new Date().toISOString()} --filter event=push --filter type=image --format ID={{.ID}}`, reportData.dockerEvents)
+                .catch((error) => {
+                throw new Error("Unable to get docker events: " + error);
+            });
+            yield this.execCommand(`docker images --format CreatedAt={{.CreatedAt}}::Repo={{.Repository}}::Tag={{.Tag}}::Digest={{.Digest}}`, reportData.dockerImages)
+                .catch((error) => {
+                throw new Error("Unable to get docker images: " + error);
+            });
+            core.debug("Finished data collection, starting API calls.");
+            var reportSent = yield this.sendReport(JSON.stringify(reportData), bearerToken, sendReportRetryCount);
+            if (!reportSent) {
+                throw new Error("Unable to send report to backend service");
+            }
+            ;
+            core.info("Container mapping data sent successfully.");
+        });
+    }
+    execCommand(command, listener) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return exec.getExecOutput(command)
+                .then((result) => {
+                if (result.exitCode != 0) {
+                    return Promise.reject(`Command execution failed: ${result}`);
+                }
+                result.stdout.trim().split(os.EOL).forEach(element => {
+                    if (element.length > 0) {
+                        listener.push(element);
+                    }
+                });
+            });
+        });
+    }
+    sendReport(data, bearerToken, retryCount = 0) {
+        return __awaiter(this, void 0, void 0, function* () {
+            core.debug(`attempting to send report: ${data}`);
+            return yield this._sendReport(data, bearerToken)
+                .then(() => {
+                return true;
+            })
+                .catch((error) => __awaiter(this, void 0, void 0, function* () {
+                if (retryCount == 0) {
+                    return false;
+                }
+                else {
+                    core.info(`Retrying API call due to error: ${error}.\nRetry count: ${retryCount}`);
+                    retryCount--;
+                    return yield this.sendReport(data, bearerToken, retryCount);
+                }
+            }));
+        });
+    }
+    _sendReport(data, bearerToken) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return new Promise((resolve, reject) => {
+                let apiTime = Date.now();
+                let options = {
+                    method: 'POST',
+                    timeout: 2500,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Authorization': 'Bearer ' + bearerToken,
+                        'Content-Length': Buffer.byteLength(data, 'utf8')
+                    }
+                };
+                core.debug(`${options['method'].toUpperCase()} ${ContainerMappingURL}`);
+                const req = https.request(ContainerMappingURL, options, (res) => {
+                    let resData = '';
+                    res.on('data', (chunk) => {
+                        resData += chunk.toString();
+                    });
+                    res.on('end', () => {
+                        core.debug('API calls finished. Time taken: ' + (Date.now() - apiTime) + "ms");
+                        core.debug(`Status code: ${res.statusCode} ${res.statusMessage}`);
+                        core.debug('Response headers: ' + JSON.stringify(res.headers));
+                        if (resData.length > 0) {
+                            core.debug('Response: ' + resData);
+                        }
+                        if (res.statusCode < 200 || res.statusCode >= 300) {
+                            return reject(`Received Failed Status code when calling url: ${res.statusCode} ${resData}`);
+                        }
+                        resolve();
+                    });
+                });
+                req.on('error', (error) => {
+                    reject(new Error(`Error calling url: ${error}`));
+                });
+                req.write(data);
+                req.end();
+            });
+        });
+    }
+    checkCallerIsCustomer(bearerToken, retryCount = 0) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return yield this._checkCallerIsCustomer(bearerToken)
+                .then((statusCode) => __awaiter(this, void 0, void 0, function* () {
+                if (statusCode == 200) {
+                    return true;
+                }
+                else if (statusCode == 403) {
+                    return false;
+                }
+                else {
+                    core.debug(`Unexpected status code: ${statusCode}`);
+                    return yield this.retryCall(bearerToken, retryCount);
+                }
+            }))
+                .catch((error) => __awaiter(this, void 0, void 0, function* () {
+                core.info(`Unexpected error: ${error}.`);
+                return yield this.retryCall(bearerToken, retryCount);
+            }));
+        });
+    }
+    retryCall(bearerToken, retryCount) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (retryCount == 0) {
+                core.info(`All retries failed.`);
+                return false;
+            }
+            else {
+                core.info(`Retrying checkCallerIsCustomer.\nRetry count: ${retryCount}`);
+                retryCount--;
+                return yield this.checkCallerIsCustomer(bearerToken, retryCount);
+            }
+        });
+    }
+    _checkCallerIsCustomer(bearerToken) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return new Promise((resolve, reject) => {
+                let options = {
+                    method: 'GET',
+                    timeout: 2500,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Authorization': 'Bearer ' + bearerToken,
+                    }
+                };
+                core.debug(`${options['method'].toUpperCase()} ${GetScanContextURL}`);
+                const req = https.request(GetScanContextURL, options, (res) => {
+                    res.on('end', () => {
+                        resolve(res.statusCode);
+                    });
+                    res.on('data', function (d) {
+                    });
+                });
+                req.on('error', (error) => {
+                    reject(new Error(`Error calling url: ${error}`));
+                });
+                req.end();
+            });
+        });
+    }
+}
+exports.ContainerMapping = ContainerMapping;