From e2930f9d9f29e3317d7e52c81a02e512577ee287 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 16 May 2026 06:58:51 +0000 Subject: [PATCH 1/6] Initial plan From 47118cacec632749a087657caf85d80f096af50b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 16 May 2026 07:00:18 +0000 Subject: [PATCH 2/6] Add checkovAzurePipelines sample fixture for CKV_AZUREPIPELINES_2 Agent-Logs-Url: https://github.com/microsoft/security-devops-azdevops/sessions/5b5faec4-36ff-4c06-af13-179dc4a93b9d Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com> --- samples/checkovAzurePipelines/README.md | 78 +++++++++++++++++++ .../checkovAzurePipelines/azure-pipelines.yml | 34 ++++++++ 2 files changed, 112 insertions(+) create mode 100644 samples/checkovAzurePipelines/README.md create mode 100644 samples/checkovAzurePipelines/azure-pipelines.yml diff --git a/samples/checkovAzurePipelines/README.md b/samples/checkovAzurePipelines/README.md new file mode 100644 index 0000000..cfecf88 --- /dev/null +++ b/samples/checkovAzurePipelines/README.md 
@@ -0,0 +1,78 @@ +## Introduction + +This folder provides a verification fixture for the Checkov `CKV_AZUREPIPELINES_*` +severity promotion tracked in [issue #164](https://github.com/microsoft/security-devops-azdevops/issues/164) +(split out from [#163](https://github.com/microsoft/security-devops-azdevops/issues/163)). + +The [azure-pipelines.yml](azure-pipelines.yml) in this folder references a container +image tagged `:latest`, which causes Checkov (run via the `MicrosoftSecurityDevOps@1` +task) to emit a `CKV_AZUREPIPELINES_2` finding ("Ensure container images are not +pulled from the latest tag") against the pipeline file itself. + +> **Pending in Guardian:** the actual severity-mapping change that promotes +> `CKV_AZUREPIPELINES_*` from `note` to `warning` lives in Microsoft's internal +> Guardian severity-policy and is owned by that team. This fixture exists so the +> end-to-end behavior can be verified against the public MSDO task output once the +> internal change ships. + +## Contents + +* [azure-pipelines.yml](azure-pipelines.yml) — minimal pipeline that triggers + `CKV_AZUREPIPELINES_2` and runs `MicrosoftSecurityDevOps@1` with `tools: 'checkov'`. + +## How to run + +1. Copy `azure-pipelines.yml` to the root of an Azure DevOps repository (or point an + existing pipeline at this file). +2. Create a pipeline in Azure DevOps that uses this YAML. +3. Run the pipeline. The MSDO task publishes `msdo.sarif` to the build artifacts + under `CodeAnalysisLogs` (on disk at `$(Agent.BuildDirectory)/_msdo/msdo.sarif`, + typically `/home/vsts/work/1/a/.gdn/msdo.sarif`). +4. Open the **Scans** tab on the build run to see Checkov findings. + +## Expected Scans Tab output + +Under the `checkov` tool collapse, with the SARIF Scans Tab extension at its default +severity filter: + +* Once the Guardian policy change in issue #164 is deployed, `CKV_AZUREPIPELINES_2` + appears as a **Warning** without the user enabling "Notes". 
+* Until then, the same finding is emitted as `note` and is hidden by the default + filter — you can verify it is present by enabling "Notes" in the Scans Tab filter, + or by inspecting `msdo.sarif` directly with the `jq` commands below. + +## Verification commands + +Download `msdo.sarif` from the build artifacts (under `CodeAnalysisLogs`) and run the +following against it. These are the paste-ready snippets from the acceptance criteria +in [issue #164](https://github.com/microsoft/security-devops-azdevops/issues/164). + +**AC1 — Severity in published SARIF.** Every `CKV_AZUREPIPELINES_*` result must be +`warning`: + +```bash +jq '[.runs[] + | select(.tool.driver.name == "checkov") + | .results[] + | select(.ruleId | startswith("CKV_AZUREPIPELINES_")) + | .level] | unique' /home/vsts/work/1/a/.gdn/msdo.sarif +# Expected: ["warning"] +``` + +**AC3 — No regression for other Checkov rules.** Capture the per-rule severity +histogram and diff against a pre-change baseline. Only `CKV_AZUREPIPELINES_*` rows +should change from `note` → `warning`: + +```bash +jq '[.runs[] + | select(.tool.driver.name == "checkov") + | .results[] + | {ruleId, level}] + | group_by(.ruleId) + | map({ruleId: .[0].ruleId, level: .[0].level})' /home/vsts/work/1/a/.gdn/msdo.sarif +``` + +**AC4 — Build break unchanged.** Run the pipeline twice — once with `break: true` on +the `MicrosoftSecurityDevOps@1` task, once with `break: false`. With the default +`--min-severity Error`, AZUREPIPELINES warnings must not break the build; both runs +must complete with `succeeded` status. diff --git a/samples/checkovAzurePipelines/azure-pipelines.yml b/samples/checkovAzurePipelines/azure-pipelines.yml new file mode 100644 index 0000000..b65bcd9 --- /dev/null +++ b/samples/checkovAzurePipelines/azure-pipelines.yml 
@@ -0,0 +1,34 @@ +trigger: none + +pool: + vmImage: 'ubuntu-latest' + +# This pipeline is a fixture for verifying the CKV_AZUREPIPELINES_* severity +# promotion described in issue #164. The container step below references an +# image with the :latest tag, which triggers Checkov rule CKV_AZUREPIPELINES_2 +# ("Ensure container images are not pulled from the latest tag") when MSDO runs +# Checkov against this azure-pipelines.yml file. +steps: +- task: Bash@3 + displayName: 'Run command in :latest container (triggers CKV_AZUREPIPELINES_2)' + target: + container: latest_image + inputs: + targetType: 'inline' + script: | + echo "Hello from a :latest tagged container" + +- task: MicrosoftSecurityDevOps@1 + displayName: 'Microsoft Security DevOps' + inputs: + tools: 'checkov' + # With break: true the build should still succeed, because AZUREPIPELINES + # findings are warning-level (not Error) under the default --min-severity. + # Flip break between true/false to validate AC4 from issue #164. + # inputs: + # break: true + +resources: + containers: + - container: latest_image + image: ubuntu:latest From 733cecd9b1ea50ab3044ac89a964d6eac8522c06 Mon Sep 17 00:00:00 2001 From: Dima Birenbaum Date: Sat, 16 May 2026 10:11:07 +0300 Subject: [PATCH 3/6] fix(samples/checkovAzurePipelines): restructure pipeline to trigger CKV_AZUREPIPELINES_* --- .../checkovAzurePipelines/azure-pipelines.yml | 46 ++++++++----------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/samples/checkovAzurePipelines/azure-pipelines.yml b/samples/checkovAzurePipelines/azure-pipelines.yml index b65bcd9..932354f 100644 --- a/samples/checkovAzurePipelines/azure-pipelines.yml +++ b/samples/checkovAzurePipelines/azure-pipelines.yml 
@@ -3,32 +3,22 @@ trigger: none pool: vmImage: 'ubuntu-latest' -# This pipeline is a fixture for verifying the CKV_AZUREPIPELINES_* severity -# promotion described in issue #164. The container step below references an -# image with the :latest tag, which triggers Checkov rule CKV_AZUREPIPELINES_2 -# ("Ensure container images are not pulled from the latest tag") when MSDO runs -# Checkov against this azure-pipelines.yml file. -steps: -- task: Bash@3 - displayName: 'Run command in :latest container (triggers CKV_AZUREPIPELINES_2)' - target: - container: latest_image - inputs: - targetType: 'inline' - script: | - echo "Hello from a :latest tagged container" +# Fixture for verifying the CKV_AZUREPIPELINES_* severity promotion tracked in +# issue #164. The job's `container` field is what Checkov's `azure_pipelines` +# framework inspects, so referencing `ubuntu:latest` here triggers: +# - CKV_AZUREPIPELINES_1: container job uses a non-latest version tag +# - CKV_AZUREPIPELINES_2: container job uses a version digest (missing @sha256) +jobs: +- job: build + container: ubuntu:latest + steps: + - script: echo "Hello from a :latest tagged container" -- task: MicrosoftSecurityDevOps@1 - displayName: 'Microsoft Security DevOps' - inputs: - tools: 'checkov' - # With break: true the build should still succeed, because AZUREPIPELINES - # findings are warning-level (not Error) under the default --min-severity. - # Flip break between true/false to validate AC4 from issue #164. - # inputs: - # break: true - -resources: - containers: - - container: latest_image - image: ubuntu:latest + - task: MicrosoftSecurityDevOps@1 + displayName: 'Microsoft Security DevOps' + inputs: + tools: 'checkov' + # Flip between true/false to validate AC4 from issue #164. With default + # --min-severity Error, AZUREPIPELINES warnings must not break the build, + # so both runs should complete with `succeeded` status. + # break: true From 0cd59730496dde3159f1e85e835ee6cd4432eb22 Mon Sep 17 00:00:00 2001 
From: Dima Birenbaum Date: Sat, 16 May 2026 10:11:14 +0300 Subject: [PATCH 4/6] fix(samples/checkovAzurePipelines): correct rule descriptions and SARIF path in readme --- samples/checkovAzurePipelines/README.md | 32 +++++++++++++++---------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/samples/checkovAzurePipelines/README.md b/samples/checkovAzurePipelines/README.md index cfecf88..1b04156 100644 --- a/samples/checkovAzurePipelines/README.md +++ b/samples/checkovAzurePipelines/README.md @@ -4,10 +4,15 @@ This folder provides a verification fixture for the Checkov `CKV_AZUREPIPELINES_ severity promotion tracked in [issue #164](https://github.com/microsoft/security-devops-azdevops/issues/164) (split out from [#163](https://github.com/microsoft/security-devops-azdevops/issues/163)). -The [azure-pipelines.yml](azure-pipelines.yml) in this folder references a container -image tagged `:latest`, which causes Checkov (run via the `MicrosoftSecurityDevOps@1` -task) to emit a `CKV_AZUREPIPELINES_2` finding ("Ensure container images are not -pulled from the latest tag") against the pipeline file itself. +The [azure-pipelines.yml](azure-pipelines.yml) in this folder declares a job whose +`container` field references `ubuntu:latest`. When Checkov (run via the +`MicrosoftSecurityDevOps@1` task) scans the pipeline file, the `azure_pipelines` +framework inspects job-level `container` declarations and emits two findings: + +* **`CKV_AZUREPIPELINES_1`** — *Ensure container job uses a non latest version tag.* + Fires because the tag is `:latest`. +* **`CKV_AZUREPIPELINES_2`** — *Ensure container job uses a version digest.* Fires + because the reference lacks an `@sha256:...` digest. > **Pending in Guardian:** the actual severity-mapping change that promotes > `CKV_AZUREPIPELINES_*` from `note` to `warning` lives in Microsoft's internal 
@@ -18,7 +23,8 @@ pulled from the latest tag") against the pipeline file itself. ## Contents * [azure-pipelines.yml](azure-pipelines.yml) — minimal pipeline that triggers - `CKV_AZUREPIPELINES_2` and runs `MicrosoftSecurityDevOps@1` with `tools: 'checkov'`. + `CKV_AZUREPIPELINES_1` and `CKV_AZUREPIPELINES_2` and runs + `MicrosoftSecurityDevOps@1` with `tools: 'checkov'`. ## How to run @@ -26,8 +32,9 @@ pulled from the latest tag") against the pipeline file itself. existing pipeline at this file). 2. Create a pipeline in Azure DevOps that uses this YAML. 3. Run the pipeline. The MSDO task publishes `msdo.sarif` to the build artifacts - under `CodeAnalysisLogs` (on disk at `$(Agent.BuildDirectory)/_msdo/msdo.sarif`, - typically `/home/vsts/work/1/a/.gdn/msdo.sarif`). + under `CodeAnalysisLogs` (on a hosted Linux agent the staged file is at + `$(Build.ArtifactStagingDirectory)/.gdn/msdo.sarif`, typically + `/home/vsts/work/1/a/.gdn/msdo.sarif`). 4. Open the **Scans** tab on the build run to see Checkov findings. ## Expected Scans Tab output 
@@ -35,11 +42,12 @@ pulled from the latest tag") against the pipeline file itself. Under the `checkov` tool collapse, with the SARIF Scans Tab extension at its default severity filter: -* Once the Guardian policy change in issue #164 is deployed, `CKV_AZUREPIPELINES_2` - appears as a **Warning** without the user enabling "Notes". -* Until then, the same finding is emitted as `note` and is hidden by the default - filter — you can verify it is present by enabling "Notes" in the Scans Tab filter, - or by inspecting `msdo.sarif` directly with the `jq` commands below. +* Once the Guardian policy change in issue #164 is deployed, both + `CKV_AZUREPIPELINES_1` and `CKV_AZUREPIPELINES_2` appear as **Warning** + without the user enabling "Notes". +* Until then, the same findings are emitted as `note` and are hidden by the default + filter — you can verify they are present by enabling "Notes" in the Scans Tab + filter, or by inspecting `msdo.sarif` directly with the `jq` commands below. ## Verification commands From 7e2fcf191764b2d6557d7ae3d1021a7301a44149 Mon Sep 17 00:00:00 2001 From: Dima Birenbaum Date: Sat, 16 May 2026 10:11:20 +0300 Subject: [PATCH 5/6] chore(samples): rename README.md to readme.md to match repo convention --- samples/checkovAzurePipelines/{README.md => readme.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename samples/checkovAzurePipelines/{README.md => readme.md} (100%) diff --git a/samples/checkovAzurePipelines/README.md b/samples/checkovAzurePipelines/readme.md similarity index 100% rename from samples/checkovAzurePipelines/README.md rename to samples/checkovAzurePipelines/readme.md From d07b0f9511532deda4c4ced16d87c9becfc218c5 Mon Sep 17 00:00:00 2001 From: Dima Birenbaum Date: Sat, 16 May 2026 10:12:09 +0300 Subject: [PATCH 6/6] docs(samples): index sample subdirectories in samples/readme.md --- samples/readme.md | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/samples/readme.md b/samples/readme.md index 6406c9c..65f4b59 100644 --- a/samples/readme.md +++ b/samples/readme.md @@ -1 +1,9 @@ This folder contains samples for DevOps security in Defender for Cloud. + +## Contents + +* [IaCMapping/](IaCMapping/) — Infrastructure as Code mapping with Terraform and an Azure DevOps pipeline. +* [trivypipeline/](trivypipeline/) — Azure DevOps pipeline that runs Trivy via `MicrosoftSecurityDevOps@1`. +* [copilotDemo/](copilotDemo/) — Pipeline and deployment sample used in Copilot demos. +* [checkovAzurePipelines/](checkovAzurePipelines/) — Verification fixture for the `CKV_AZUREPIPELINES_*` severity promotion (issue #164). +* [configs/](configs/) — Example `.gdnconfig` files for each supported tool.
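Review bot: In the PATCH 2/6 README hunk the acceptance criteria jump from AC1 to AC3, so AC2 is either missing or intentionally out of scope; add the AC2 snippet or a one-line note saying why it is not verified here, otherwise readers will assume the README is incomplete. In the same hunk the on-disk SARIF location is self-contradictory: `$(Agent.BuildDirectory)/_msdo/msdo.sarif` does not resolve to `/home/vsts/work/1/a/.gdn/msdo.sarif` (the `a/` segment is the artifact staging directory, and `_msdo` vs `.gdn` differ); PATCH 4/6 corrects this, so squashing that fix into this commit would avoid landing a wrong path in history.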
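Review bot: The AC1 jq filter in the PATCH 2/6 README hunk passes vacuously when the rule never fires: `[...] | unique` on zero matching results prints `[]`, and a reader comparing against `# Expected: ["warning"]` may not notice that nothing was scanned. Add a count guard (for example a second invocation ending in `| length` with an expected value of at least 1) so the check fails loudly when `CKV_AZUREPIPELINES_*` is absent. Also, SARIF 2.1.0 treats a missing `result.level` as `warning`, so `.level` can surface `null` for results that rely on the default; using `(.level // "warning")` makes the filter robust to that. The AC3 snippet has a related weakness: `map({ruleId: .[0].ruleId, level: .[0].level})` keeps only the first level seen per rule, which is not the "per-rule severity histogram" the prose promises and would hide a rule emitted at two levels; `map({ruleId: .[0].ruleId, levels: (map(.level) | unique), count: length})` gives a diffable baseline.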
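Review bot: In the PATCH 2/6 azure-pipelines.yml hunk the commented-out block `# inputs:` / `# break: true` sits beneath a task that already has an `inputs:` mapping, so uncommenting it as written produces a duplicate `inputs` key and an invalid pipeline; keep only `# break: true` indented under the existing `inputs:` (PATCH 3/6 does exactly this). The comment above it also contradicts the README in the same series: it states that AZUREPIPELINES findings "are warning-level (not Error)" as current behaviour, while the README says they are emitted as `note` until the Guardian policy change ships. Reword the comment to say the build stays green in both states (either `note` today or `warning` after issue #164), which is the actual AC4 claim.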
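Review bot: The PATCH 3/6 hunk moves `container: ubuntu:latest` to the job level, and in Azure DevOps a job-level container applies to every step in that job, so `MicrosoftSecurityDevOps@1` now executes inside the bare `ubuntu:latest` image rather than on the hosted agent. Confirm the task and the tooling it downloads actually run there; if not, split the fixture into two jobs (the container job that exists only to trigger `CKV_AZUREPIPELINES_1`/`_2`, and a host job that runs MSDO with `tools: 'checkov'` against the repository), which keeps the finding while avoiding an environment the README's "How to run" steps never mention. Minor: the comment `# - CKV_AZUREPIPELINES_2: container job uses a version digest (missing @sha256)` reads as if the rule fires when a digest is present; "ensure container job uses a version digest (fires because @sha256 is missing)" matches the README wording introduced in PATCH 4/6.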
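Review bot: The "How to run" hunk in PATCH 4/6 correctly switches the staged path to `$(Build.ArtifactStagingDirectory)/.gdn/msdo.sarif`, but the AC1 and AC3 jq snippets further down the same README (unchanged in this commit) still hardcode `/home/vsts/work/1/a/.gdn/msdo.sarif`. Either reference the downloaded artifact path that step 3 and the "Verification commands" intro describe (the reader is told to download `msdo.sarif` from `CodeAnalysisLogs`, so a relative `./msdo.sarif` is what they will actually have) or state explicitly that the absolute path is only valid when the commands run on the agent during the build.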