feat(telemetry): add SubscriptionId and TenantId passthrough for MSDO CLI

action.yml

@@ -20,6 +20,10 @@ inputs:
     description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
   includeTools:
     description: Deprecated
+  subscriptionId:
+    description: The Azure Subscription ID to include in MSDO CLI telemetry for correlation with Defender for Cloud.
+  tenantId:
+    description: The Azure Tenant ID to include in MSDO CLI telemetry for correlation with Defender for Cloud.
   existingFilename:
     description: A SARIF filename that already exists. If it does, then the normal run will not take place and the file will instead be uploaded to MSDO backend.
 outputs:

lib/msdo.js

@@ -34,6 +34,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MicrosoftSecurityDevOps = void 0;
 const core = __importStar(require("@actions/core"));
+const exec = __importStar(require("@actions/exec"));
 const msdo_helpers_1 = require("./msdo-helpers");
 const client = __importStar(require("@microsoft/security-devops-actions-toolkit/msdo-client"));
 const common = __importStar(require("@microsoft/security-devops-actions-toolkit/msdo-common"));
@@ -112,6 +113,41 @@ class MicrosoftSecurityDevOps {
                 }
                 args.push('--github');
             }
+            let subscriptionId = core.getInput('subscriptionId');
+            let tenantId = core.getInput('tenantId');
+            if (common.isNullOrWhiteSpace(subscriptionId)) {
+                subscriptionId = process.env.AZURE_SUBSCRIPTION_ID || '';
+            }
+            if (common.isNullOrWhiteSpace(tenantId)) {
+                tenantId = process.env.AZURE_TENANT_ID || '';
+            }
+            if (common.isNullOrWhiteSpace(subscriptionId) || common.isNullOrWhiteSpace(tenantId)) {
+                try {
+                    let azOutput = yield exec.getExecOutput('az account show --query "{tenantId:tenantId,id:id}" -o json', [], { silent: true, ignoreReturnCode: true });
+                    if (azOutput.exitCode === 0) {
+                        let account = JSON.parse(azOutput.stdout.trim());
+                        if (common.isNullOrWhiteSpace(subscriptionId) && account.id) {
+                            subscriptionId = account.id;
+                            core.debug(`Auto-inferred subscriptionId from Azure CLI`);
+                        }
+                        if (common.isNullOrWhiteSpace(tenantId) && account.tenantId) {
+                            tenantId = account.tenantId;
+                            core.debug(`Auto-inferred tenantId from Azure CLI`);
+                        }
+                    }
+                }
+                catch (_a) {
+                    core.debug('Azure CLI not available for auto-inference of subscriptionId/tenantId');
+                }
+            }
+            if (!common.isNullOrWhiteSpace(subscriptionId)) {
+                process.env.MSDO_SUBSCRIPTIONID = subscriptionId.trim();
+                process.env.MSDO_AGENTLESS_SUBSCRIPTION_ID = subscriptionId.trim();
+            }
+            if (!common.isNullOrWhiteSpace(tenantId)) {
+                process.env.MSDO_TENANTID = tenantId.trim();
+                process.env.MSDO_AGENTLESS_TENANT_ID = tenantId.trim();
+            }
             yield client.run(args, 'microsoft/security-devops-action');
         });
     }

src/msdo.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
 import { IMicrosoftSecurityDevOps } from './msdo-interface';
 import { Tools } from './msdo-helpers';
 import * as client from '@microsoft/security-devops-actions-toolkit/msdo-client';
@@ -97,6 +98,51 @@ export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps {
             args.push('--github');
         }
 
+        let subscriptionId: string = core.getInput('subscriptionId');
+        let tenantId: string = core.getInput('tenantId');
+
+        // Auto-infer from common Azure env vars if not explicitly provided
+        if (common.isNullOrWhiteSpace(subscriptionId)) {
+            subscriptionId = process.env.AZURE_SUBSCRIPTION_ID || '';
+        }
+        if (common.isNullOrWhiteSpace(tenantId)) {
+            tenantId = process.env.AZURE_TENANT_ID || '';
+        }
+
+        // Auto-infer from Azure CLI if still not available (e.g., after azure/login)
+        if (common.isNullOrWhiteSpace(subscriptionId) || common.isNullOrWhiteSpace(tenantId)) {
+            try {
+                let azOutput = await exec.getExecOutput(
+                    'az account show --query "{tenantId:tenantId,id:id}" -o json',
+                    [],
+                    { silent: true, ignoreReturnCode: true }
+                );
+                if (azOutput.exitCode === 0) {
+                    let account = JSON.parse(azOutput.stdout.trim());
+                    if (common.isNullOrWhiteSpace(subscriptionId) && account.id) {
+                        subscriptionId = account.id;
+                        core.debug(`Auto-inferred subscriptionId from Azure CLI`);
+                    }
+                    if (common.isNullOrWhiteSpace(tenantId) && account.tenantId) {
+                        tenantId = account.tenantId;
+                        core.debug(`Auto-inferred tenantId from Azure CLI`);
+                    }
+                }
+            } catch {
+                core.debug('Azure CLI not available for auto-inference of subscriptionId/tenantId');
+            }
+        }
+
+        if (!common.isNullOrWhiteSpace(subscriptionId)) {
+            process.env.MSDO_SUBSCRIPTIONID = subscriptionId.trim();
+            process.env.MSDO_AGENTLESS_SUBSCRIPTION_ID = subscriptionId.trim();
+        }
+
+        if (!common.isNullOrWhiteSpace(tenantId)) {
+            process.env.MSDO_TENANTID = tenantId.trim();
+            process.env.MSDO_AGENTLESS_TENANT_ID = tenantId.trim();
+        }
+
         await client.run(args, 'microsoft/security-devops-action');
     }
 }