Update latest from main

.github/workflows/official-build.yml

@@ -0,0 +1,49 @@
+name: security-devops-action Official Build
+
+on:
+  pull_request:
+    branches:
+      - release/vNext
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Extract branch name
+      shell: bash
+      run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+      id: extract_branch
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v2
+      with:
+        node-version: '14'
+
+    - name: Configure npm to use GitHub Packages
+      run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
+
+    - name: Install dependencies
+      run: npm install
+
+    - name: Compile TypeScript
+      run: npm run build
+
+    - name: Commit compiled JavaScript
+      run: |
+        git config --global user.name 'github-actions[bot]'
+        git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+        git add lib/.
+        git commit -m 'Official Build: Compile TypeScript to JavaScript'
+        git push --force origin HEAD:${{ steps.extract_branch.outputs.branch }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -66,6 +66,7 @@ To only run specific analyzers, use the `tools` command. This command is a comma
 | [AntiMalware](https://www.microsoft.com/en-us/windows/comprehensive-security) | code, artifacts | - |
 | [Bandit](https://github.com/PyCQA/bandit) | python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) |
 | [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |
+| [Checkov](https://github.com/bridgecrewio/checkov) | Infrastructure-as-code (IaC), Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu  | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) |
 | [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) |
 | [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) |
 | [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) |

action.yml

@@ -20,11 +20,13 @@ inputs:
     description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
   includeTools:
     description: Deprecated
+  existingFilename:
+    description: A SARIF filename that already exists. If it does, then the normal run will not take place and the file will instead be uploaded to MSDO backend.
 outputs:
   sarifFile:
     description: A file path to a SARIF results file.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'lib/main.js'
   pre: 'lib/pre.js'
   post: 'lib/post.js'

lib/msdo-helpers.js

@@ -14,6 +14,7 @@ var Inputs;
     Inputs["Languages"] = "languages";
     Inputs["Tools"] = "tools";
     Inputs["IncludeTools"] = "includeTools";
+    Inputs["ExistingFilename"] = "existingFilename";
 })(Inputs || (exports.Inputs = Inputs = {}));
 var RunnerType;
 (function (RunnerType) {
@@ -25,6 +26,7 @@ var Tools;
 (function (Tools) {
     Tools["Bandit"] = "bandit";
     Tools["Binskim"] = "binskim";
+    Tools["Checkov"] = "checkov";
     Tools["ContainerMapping"] = "container-mapping";
     Tools["ESLint"] = "eslint";
     Tools["TemplateAnalyzer"] = "templateanalyzer";

lib/msdo.js

@@ -52,59 +52,66 @@ class MicrosoftSecurityDevOps {
     runMain() {
         return __awaiter(this, void 0, void 0, function* () {
             core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...');
-            let args = ['run'];
-            let config = core.getInput('config');
-            if (!common.isNullOrWhiteSpace(config)) {
-                args.push('-c');
-                args.push(config);
+            let args = undefined;
+            let existingFilename = core.getInput('existingFilename');
+            if (!common.isNullOrWhiteSpace(existingFilename)) {
+                args = ['upload', '--file', existingFilename];
             }
-            let policy = core.getInput('policy');
-            if (common.isNullOrWhiteSpace(policy)) {
-                policy = "GitHub";
-            }
-            args.push('-p');
-            args.push(policy);
-            let categoriesString = core.getInput('categories');
-            if (!common.isNullOrWhiteSpace(categoriesString)) {
-                args.push('--categories');
-                let categories = categoriesString.split(',');
-                for (let i = 0; i < categories.length; i++) {
-                    let category = categories[i];
-                    if (!common.isNullOrWhiteSpace(category)) {
-                        args.push(category.trim());
+            else {
+                args = ['run'];
+                let config = core.getInput('config');
+                if (!common.isNullOrWhiteSpace(config)) {
+                    args.push('-c');
+                    args.push(config);
+                }
+                let policy = core.getInput('policy');
+                if (common.isNullOrWhiteSpace(policy)) {
+                    policy = "GitHub";
+                }
+                args.push('-p');
+                args.push(policy);
+                let categoriesString = core.getInput('categories');
+                if (!common.isNullOrWhiteSpace(categoriesString)) {
+                    args.push('--categories');
+                    let categories = categoriesString.split(',');
+                    for (let i = 0; i < categories.length; i++) {
+                        let category = categories[i];
+                        if (!common.isNullOrWhiteSpace(category)) {
+                            args.push(category.trim());
+                        }
                     }
                 }
-            }
-            let languagesString = core.getInput('languages');
-            if (!common.isNullOrWhiteSpace(languagesString)) {
-                args.push('--languages');
-                let languages = languagesString.split(',');
-                for (let i = 0; i < languages.length; i++) {
-                    let language = languages[i];
-                    if (!common.isNullOrWhiteSpace(language)) {
-                        args.push(language.trim());
+                let languagesString = core.getInput('languages');
+                if (!common.isNullOrWhiteSpace(languagesString)) {
+                    args.push('--languages');
+                    let languages = languagesString.split(',');
+                    for (let i = 0; i < languages.length; i++) {
+                        let language = languages[i];
+                        if (!common.isNullOrWhiteSpace(language)) {
+                            args.push(language.trim());
+                        }
                     }
                 }
-            }
-            let toolsString = core.getInput('tools');
-            let includedTools = [];
-            if (!common.isNullOrWhiteSpace(toolsString)) {
-                let tools = toolsString.split(',');
-                for (let i = 0; i < tools.length; i++) {
-                    let tool = tools[i];
-                    let toolTrimmed = tool.trim();
-                    if (!common.isNullOrWhiteSpace(tool)
-                        && tool != msdo_helpers_1.Tools.ContainerMapping
-                        && includedTools.indexOf(toolTrimmed) == -1) {
-                        if (includedTools.length == 0) {
-                            args.push('--tool');
+                let toolsString = core.getInput('tools');
+                let includedTools = [];
+                if (!common.isNullOrWhiteSpace(toolsString)) {
+                    let tools = toolsString.split(',');
+                    for (let i = 0; i < tools.length; i++) {
+                        let tool = tools[i];
+                        let toolTrimmed = tool.trim();
+                        if (!common.isNullOrWhiteSpace(tool)
+                            && tool != msdo_helpers_1.Tools.ContainerMapping
+                            && includedTools.indexOf(toolTrimmed) == -1) {
+                            if (includedTools.length == 0) {
+                                args.push('--tool');
+                            }
+                            args.push(toolTrimmed);
+                            includedTools.push(toolTrimmed);
                         }
-                        args.push(toolTrimmed);
-                        includedTools.push(toolTrimmed);
                     }
                 }
+                args.push('--github');
             }
-            args.push('--github');
             yield client.run(args, 'microsoft/security-devops-action');
         });
     }

package.json

@@ -1,6 +1,6 @@
 {
     "name": "microsoft-security-devops-action",
-    "version": "1.11.0",
+    "version": "1.12.0",
     "description": "Node dependencies for the microsoft/security-devops-action.",
     "scripts": {
         "build": "npx gulp",
@@ -13,7 +13,7 @@
     "dependencies": {
         "@actions/core": "1.10.0",
         "@actions/exec": "1.1.1",
-        "@microsoft/security-devops-actions-toolkit": "1.10.0"
+        "@microsoft/security-devops-actions-toolkit": "1.11.0"
     },
     "devDependencies": {
         "@types/mocha": "^2.2.44",