
Impossible to break the build - not-break-on-detections flag is forcibly added on scan run #156

@alles60

Description

It is impossible to use the security-devops-action to break a build if a vulnerability is discovered, because the flag not-break-on-detections is added to the arguments of the cli when we don't use the action for uploading a SARIF file.

We can see this code block in node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js:

```js
let isUploadExisting = inputArgs[0] == "upload";
if (!isUploadExisting) {
    args.push('--not-break-on-detections'); // THE FLAG IS ADDED HERE
    let sarifFile = path.join(process.env.GITHUB_WORKSPACE, '.gdn', 'msdo.sarif');
    core.debug(`sarifFile = ${sarifFile}`);
    core.exportVariable('MSDO_SARIF_FILE', sarifFile);
    core.setOutput('sarifFile', sarifFile);
    if (common.isVersionGreaterThanOrEqualTo(process.env.MSDO_INSTALLEDVERSION, '0.183.0')) {
        args.push('--export-file');
    }
    else {
        args.push('--export-breaking-results-to-file');
    }
    args.push(sarifFile);
}
```

My understanding is that, unless the app is used to push an existing SARIF file to Microsoft Defender for DevOps, the scan will run but is blocked from breaking, which explains why configuring the environment variable GDN_RUN_MINSEVERITY doesn't have any effect.

I've discovered this issue while reading debug output logs of my run, where Error vulnerabilities were discovered, but the build wasn't breaking.

I've mentioned this issue to @jbrotsos on a call earlier today.

Labels: bug (Something isn't working)
