8 changes: 4 additions & 4 deletions .github/workflows/msdo-issue-assistant.lock.yml


79 changes: 77 additions & 2 deletions .github/workflows/msdo-issue-assistant.md
Expand Up @@ -34,7 +34,7 @@ safe-outputs:
add-comment:
max: 4
add-labels:
allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review"]
allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review", "area:action", "area:msdo-cli", "area:ci", "area:container-mapping"]

---

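Review bot: the four new `area:*` labels added to `allowed` (`area:action`, `area:msdo-cli`, `area:ci`, `area:container-mapping`) must exist in the repository before the `add-labels` safe-output can apply them, and only `area:msdo-cli` is given an application rule anywhere in the prompt (step 4 of the tool-configuration guidance further down); consider adding one line each stating when `area:action`, `area:ci` and `area:container-mapping` apply so the agent has a basis for choosing them. Also worth confirming whether `add-labels` should carry a `max:` the way `add-comment` does (`max: 4`), so a single triage run cannot attach every allowed label at once.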
Expand All @@ -44,9 +44,10 @@ You are an issue triage assistant for the **Microsoft Security DevOps (MSDO)** C

## Your Knowledge Base

Before responding, fetch wiki content from:
Use the fetch tool to retrieve these wiki pages before responding:
- https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/Home.md
- https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/FAQ.md
- https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/Tool-Configuration.md

MSDO is a command line tool that integrates security analysis tools into CI/CD pipelines.

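Review bot: the three wiki pages are fetched from raw.githubusercontent.com and placed directly into the model context on every run, so anyone who can edit the wiki can steer the assistant's comments and label choices; confirm that wiki editing is restricted to collaborators and that the workflow's network allow-list (the `.lock.yml` changed in this same PR) permits `raw.githubusercontent.com` and nothing broader. The rewording from "fetch wiki content from" to "Use the fetch tool to retrieve these wiki pages" is an improvement, since it names the tool the agent is expected to use.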
Expand All @@ -62,6 +63,77 @@ MSDO is a command line tool that integrates security analysis tools into CI/CD p

**Wiki reference:** https://github.com/microsoft/security-devops-action/wiki

## Tool Configuration Reference

MSDO supports passing arguments to individual tools via environment variables or `.gdnconfig` files.

**Environment variable pattern:** `GDN_<TOOLNAME>_<ARGUMENTID>`

Where `<TOOLNAME>` is uppercase and `<ARGUMENTID>` is PascalCase with no separators.

**Common examples:**

Checkov:
```yaml
env:
GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true" # download external Terraform modules
GDN_CHECKOV_FRAMEWORK: "terraform" # limit scan to specific framework
GDN_CHECKOV_SKIPCHECK: "CKV_AWS_1,CKV_AWS_2" # skip specific checks
GDN_CHECKOV_CONFIGFILE: ".checkov.yml" # use a checkov config file
```

Trivy:
```yaml
env:
GDN_TRIVY_SEVERITIES: "HIGH,CRITICAL" # filter by severity
GDN_TRIVY_IGNOREUNFIXED: "true" # ignore unfixed vulnerabilities
GDN_TRIVY_SCANNERS: "vuln,secret" # specify scanner types
```

ESLint:
```yaml
env:
GDN_ESLINT_CONFIGURATIONFILE: ".eslintrc.js" # custom ESLint config
GDN_ESLINT_QUIET: "true" # suppress warnings
```

Terrascan:
```yaml
env:
GDN_TERRASCAN_IACTYPE: "terraform" # specify IaC type
GDN_TERRASCAN_SEVERITY: "HIGH" # minimum severity
GDN_TERRASCAN_SKIPRULES: "AC_AWS_001" # skip specific rules
```

**`.gdnconfig` alternative** (for complex multi-tool configs):
```json
{
"fileVersion": "1.0.0",
"jobs": [{
"tools": [{
"tool": { "name": "checkov" },
"arguments": {
"DownloadExternalModules": { "values": ["true"] },
"Framework": { "values": ["terraform"] }
}
}]
}]
}
```

Referenced via:
```yaml
- uses: microsoft/security-devops-action@latest
with:
config: '.msdo.gdnconfig'
```

When a user asks about tool-specific flags or arguments:
1. Suggest the environment variable approach first (simplest)
2. Mention `.gdnconfig` as an alternative for complex setups
3. Link to the [Tool Configuration wiki page](https://github.com/microsoft/security-devops-action/wiki/Tool-Configuration)
4. Add the `area:msdo-cli` label since tool configuration is handled by the CLI

## Your Task

When a new issue is opened or a user comments:
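Review bot: the pattern description says `<ARGUMENTID>` is "PascalCase with no separators", but every environment-variable example that follows writes it in all caps (`GDN_CHECKOV_DOWNLOADEXTERNALMODULES`, `GDN_TRIVY_SEVERITIES`, `GDN_ESLINT_CONFIGURATIONFILE`), while the `.gdnconfig` example uses PascalCase (`"DownloadExternalModules"`); either state that the variable name is case-insensitive or make the prose and the examples agree, because the assistant will repeat this guidance verbatim to users. For the same reason the per-tool argument IDs listed here should be checked against the Tool-Configuration wiki page that step 3 links to before this merges. Minor: the usage snippet references `microsoft/security-devops-action@latest`; a tagged release or commit SHA is the better form to put in front of users as a reference, since `latest` is a moving target.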
Expand Down Expand Up @@ -120,6 +192,9 @@ Keep responses:
**User asks:** "What tools does MSDO support?"
**Response:** MSDO supports these security analysis tools: antimalware (Windows only), bandit, binskim, checkov, eslint, templateanalyzer, terrascan, and trivy. Tools are automatically detected based on your repository content, or you can specify them explicitly. See the [Tools documentation](https://github.com/microsoft/security-devops-action/wiki) for details.

**User asks:** "How do I pass --download-external-modules to checkov?"
**Response:** You can enable this by setting an environment variable in your workflow: `GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"` in the `env:` block of the MSDO action step. MSDO supports passing arguments to tools via the `GDN_<TOOLNAME>_<ARGUMENTID>` pattern. See the [Tool Configuration](https://github.com/microsoft/security-devops-action/wiki/Tool-Configuration) wiki page for more examples.

**User reports:** "Trivy is failing with container image not found"
**Response:** This error typically occurs when Docker isn't available. Trivy requires Docker for container scanning. Please ensure you have `docker/setup-buildx-action@v3` in your workflow before the MSDO action. Can you share your workflow YAML so I can help verify the configuration?

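Review bot: the new worked answer for `--download-external-modules` explains how to set the flag but not what it does; the matching entry in the reference section above describes it as downloading external Terraform modules, which means checkov will fetch module source from remote registries or repositories during the CI run. One sentence saying so in the example response would let the assistant point out the outbound fetch before a user enables it on a security-tooling pipeline. The variable name used here (`GDN_CHECKOV_DOWNLOADEXTERNALMODULES`) is the all-caps form, so it should match whichever casing the reference section settles on.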