Skip to content
chrisnielsen-MS edited this page Oct 8, 2024 · 42 revisions

Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in or MSDO can convert their results to SARIF, MSDO imports into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.

Note: This page describes how to configure the MSDO Action for GitHub workflows. For Azure DevOps task configuration, please see here.

How to Configure the Microsoft Security DevOps (MSDO) Action

MSDO Action Configuration

steps:
 - name: Run Microsoft Security DevOps
   uses: microsoft/security-devops-action@latest
   id: msdo
 # with:
   # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). See 'Tool Options' for additional configuration instructions.
   # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy to determine which tools/checks to run. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
   # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.   
   # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
   # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'antimalware' (Windows only), 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
 # env:
   # environment variable configurations. Optional.

Action Environment Variables

Argument name Environment variable name Description
--auto GDN_RUN_AUTO Automatically detect what tools are applicable and then included.
--blame GDN_RUN_BLAME Retrieve the git blame data for each security finding identified by MSDO to trace the issue to the origin. Default is false.
--config GDN_RUN_CONFIG A path to a MSDO run config file that points to the tools and command line options to run. Any number of space-delimited configs may be specified.
--tool GDN_RUN_TOOL The name of a MSDO tool or the path to a tool configuration file to run an analysis tool. The run config info will be generated using the tool configuration's required inputs defaults. Any number of space-delimited tools may be specified.
--analyze-fast GDN_RUN_ANALYZEFAST (Optional) Fail the entire job after one analyzer failure and do not continue to run other analyzers. Default: false
--no-baseline GDN_RUN_NOBASELINE Will not allow the use of any baselines including the default baseline (in the .gdn/.gdnbaselines file). Default is false.
--baseline GDN_RUN_BASELINE The baseline(s) to use for the break method. Any number of space-delimited baselines may be specified. Any baselined (and un-expired) results will not cause a break.
--baseline-file GDN_RUN_BASELINEFILE The baseline file(s) to load baselines from. Use absolute paths, or file names(under the Processed Results Folder). Multiple entries supported. Extension can be ommited (will always be set to gdnbaseline). If --baseline is used but not --baseline-file, the default baseline file will be used (.gdnbaselines under the .gdn folder).
--no-suppressions GDN_RUN_NOSUPPRESSIONS Will not allow the use of any suppressions including the default suppression set (in the .gdn/.gdnsuppress file). Default is false.
--disregard-tool-suppressions GDN_RUN_DISREGARDTOOLSUPPRESSIONS Will disregard suppressions recorded by the tools in the result logs. This system is independent of MSDO suppressions. Default is false.
--suppression-set GDN_RUN_SUPPRESSIONSET The suppression set(s) to use for the break method. Any number of space-delimited suppresion sets may be specified. Any suppresed (and un-expired) results will not cause a break.
--suppression-file GDN_RUN_SUPPRESSIONFILE The suppression file(s) to load suppressions from. Use absolute paths, or file names(under the Processed Results Folder). Multiple entries supported. Extension can be ommited (will always be set to gdnsuppress). If --suppression-set is used but not --suppression-file, the default suppression file will be used (.gdnsuppress under the .gdn folder).
--disable-flighting GDN_RUN_DISABLEFLIGHTING Disable flighting of rules. In-flight rules will show a message but will not break. When this option is enabled, all rules will break as usual.
--preview-flighting GDN_RUN_PREVIEWFLIGHTING Preview rules behavior on a specific date. In flight rules will break if specified date is set after expiration date. Format ISO-8601 yyyy-mm-dd
--policy GDN_RUN_POLICY The name of the policy to install and use.
--policy-file-path GDN_RUN_POLICYFILEPATH The file path to a MSDO Policy file to use. Must be used with GDN_RUN_POLICY: 'none'
--min-severity GDN_RUN_MINSEVERITY The name of the minimum severity log level to break on. Any results in this severity or ranked as more severe will cause a break. Default: Error
--update-baseline GDN_RUN_UPDATEBASELINE (Alias for --output-baseline) Specify the name of a baseline to be created or updated with the breaking results. If update-baseline-file is not specified, then the file .gdnbaselines(under the .gdn folder) will be used.This does not affect the return value of break.The --fast option prevents this option.
--output-baseline GDN_RUN_OUTPUTBASELINE (Alias for --update-baseline) Specify the name of a baseline to be created or updated with the breaking results. If output-baseline-file is not specified, then the file .gdnbaselines(under the .gdn folder) will be used. This does not affect the return value of break. The --fast option prevents this option.
--output-baseline-file GDN_RUN_OUTPUTBASELINEFILE Specify the name or full path of a baseline file to create/update a baseline with the breaking results. If output-baseline is not specified, the name 'default' will be used. This does not affect the return value of break. The --fast option prevents this option.
--output-suppression-set GDN_RUN_OUTPUTSUPPRESSIONSET Specify the name of a suppression set to be created or updated with the breaking results. If output-suppression-file is not specified, then the file .gdnsuppress(under the .gdn folder) will be used. This does not affect the return value of break. The --fast option prevents this option.
--output-suppression-file GDN_RUN_OUTPUTSUPPRESSIONFILE Specify the name or full path of a suppression file to create/update a suppression set with the breaking results. If output-suppression-set is not specified, the name 'default' will be used. This does not affect the return value of break. The --fast option prevents this option.
--export-breaking-results-to-file GDN_RUN_EXPORTBREAKINGRESULTSTOFILE Exports the breaking results to a file. Format is determined from the extension. Available formats: csv, tsv, html, sarif. For any other extension, sarif format will be chosen. If this option isn't set, export goes to the logger. The --fast option prevents all exporting.
--target-root GDN_RUN_TARGETROOT The possible root folder of your scan targets. Any number of space-delimited paths may be specified. Process will use these paths to calculate the relative path of your targets. The shortest relative path will be chosen. The relative path is used as part of the signature that allows the unique identification of results.
--languages GDN_RUN_LANGUAGES Only run applicable tools for the specified languages. Any number of space-delimited languages may be specified.
--categories GDN_RUN_CATEGORIES Only run applicable tools of the specified category: secrets, code, artifacts, IaC, containers. Any number of space-delimited categories may be specified.
--github GDN_RUN_GITHUB When outputting a SARIF file, make the SARIF compliant with GitHub's code scanning requirements
--save-command-options GDN_RUN_SAVECOMMANDOPTIONS Will save options used to run commands (break, run, analyze and publish are supported) in .gdn/o folder for purpose of configuration validation. Default: false
--working-directory GDN_RUN_WORKINGDIRECTORY The working directory from which to execute MSDO.
--settings-file GDN_RUN_SETTINGSFILE Path to the settings file to use. This will override all other global or local settings.
--logger GDN_RUN_LOGGER The name of the loggers to use. Values: Console, File. File requires --logger-filepath to be set one or more times.
--logger-filepath GDN_RUN_LOGGERFILEPATH One or more file paths to write log output to. Does not require --logger file to work.
--logger-level GDN_RUN_LOGGERLEVEL Sets the minimum log output level that will be printed to console. Values: Trace, Verbose, Standard, Warning, Error.
--logger-timestamp GDN_RUN_LOGGERTIMESTAMP Prefix logger messages with a formatted UTC timestamp [YYYY-MM-ddTHH:mm:ss.fff]. Example [2018-03-20T21:41:59.998] Running Microsoft MSDO...
--logger-show-level GDN_RUN_LOGGERSHOWLEVEL Prefix logger messages with the logger level name of the message [{LoggerLevel}]. Example [Warning] Microsoft MSDO partially succeeded.
--logger-pipeline GDN_RUN_LOGGERPIPELINE Write Warnings and Errors using the Azure DevOps Pipeline Command format.
--logger-actions GDN_RUN_LOGGERACTIONS Write Warnings and Errors using the GitHub Actions Workflow Command format.
--rich-exit-code GDN_RUN_RICHEXITCODE Return a rich exit code.

Tool configuration options

This section contains all of the direct input options to tools (aka. analyzers).

There are a few ways configure tool inputs:

  1. Creating a *.gdnconfig file to save configurations
    1. Great for reuse between team members and local/remote runs
    2. Can save multiple tool configurations in a single file to run all configurations. See the tool arguments section for additional details on defining .gdnconfig files.
  2. Using environment variables
    1. Great for quick configurations in build pipelines
    2. They follow the format [GDN_]<ToolName>_<ArgumentId>, where GDN_ is optional and ToolName and ArgumentId are defined by the tool integration file to (*.gdntool).

The microsoft/security-devops-action will run all applicable analyzers configured in the policy. By default, this action runs the GitHub policy. If a file is found that MSDO has an analyzer for, it runs the analyzer with default settings against the target.

Configuring environment variables for tool configuration in GitHub

Tool variables can be set within GitHub Workflows.

They can be set as top level environment variables in the build:

env:
  <key>: '<value>'

job:
  ...

Or on the action itself.

steps:
- uses: microsoft/security-devops-action
  env:
    <key>: '<value>'

Here' an example action to configure the targets CLI option for eslint:

steps:
- uses: microsoft/security-devops-action
  env:
    eslint_targets: '**/*.js'

Table of contents

  1. AntiMalware
  2. Bandit
  3. BinSkim
  4. Checkov
  5. ESLint
  6. TemplateAnalyzer
  7. Terrascan
  8. Trivy

AntiMalware options

Short description:
A command line utility for running Microsoft AntiMalware/Windows Defender tool.

Long description:
This is a command line utility for running Microsoft AntiMalware/Windows Defender tool. It must be run on a local machine (or build agent) with Windows Defender already installed.

AntiMalware gdnconfig sample

{
  "tools": [
    {
      "tool": {
        "name": "AntiMalware",
        "version": "Latest"
      },
      "arguments": {
        "Function": "analyze",
        "Command": "scan",
        "ScanType": 3,
        "ScanDirectoryOrFile": "$(WorkingDirectory)",
        "DisableRemediation": true,
        "BootSectorScan": "false",
        "CommandlineArguments": "",
        "EnableServices": "false",
        "CollectLogsOnError": "false",
        "ForceSignatureUpdate": "false",
        "SignatureUpdateUsesMMPC": "false",
        "SignatureUpdateFailureLoggerLevel": "Warning",
        "SignatureFreshness": 3,
        "OutdatedSignatureLoggerLevel": "Error",
        "Output": "",
        "LoggerLevel": "Standard"
      }
    }
  ]
}

AntiMalware Environment Variables

Argument name Environment variable name Description
ScanType GDN_ANTIMALWARE_SCANTYPE Values for ScanType are: 0 Default, according to your configuration. 1 Quick scan. 2 Full scan. 3 File and directory custom scan.
ScanDirectoryOrFile GDN_ANTIMALWARE_SCANDIRECTORYORFILE Indicates the file or directory to be scanned.
DisableRemediation GDN_ANTIMALWARE_DISABLEREMEDIATION If true: 1) File exclusions are ignored. 2) Archive files are scanned. 3) Actions are not applied after detection. 4) Event log entries are not written after detection. 5) Detections from the custom scan are not displayed in the user interface. 6) The console output will show the list of detections from the custom scan.
BootSectorScan GDN_ANTIMALWARE_BOOTSECTORSCAN If true, it enables boot sector scanning.
EnableServices GDN_ANTIMALWARE_ENABLESERVICES If true, it will try enabling the required services for Windows Update in case they are disabled.
CollectLogsOnError GDN_ANTIMALWARE_COLLECTLOGSONERROR If true, it will collect the support files for diagnosis when an error happened. This may take several minutes.
ForceSignatureUpdate GDN_ANTIMALWARE_FORCESIGNATUREUPDATE If true, it will force to run Signature Update.
SignatureUpdateUsesMMPC GDN_ANTIMALWARE_SIGNATUREUPDATEUSESMMPC If true, signature update will use Microsoft Malware Protection Center to download updates. Default: false.
SignatureUpdateFailureLoggerLevel GDN_ANTIMALWARE_SIGNATUREUPDATEFAILURELOGGERLEVEL The log level used if the signature update fails. Options include: Error, Standard, Warning.
SignatureFreshness GDN_ANTIMALWARE_SIGNATUREFRESHNESS The maximum allowed age for the AntiMalware signature. Options include: OneDay, TwoDays, ThreeDays, UpToDate.
OutdatedSignatureLoggerLevel GDN_ANTIMALWARE_OUTDATEDSIGNATURELOGGERLEVEL The log level used if the signature age is older than the selected signature freshness. Options include: Error, Standard, Warning.
LoggerLevel GDN_ANTIMALWARE_LOGGERLEVEL The log level used for all other failures. Options include: Error, Standard, Warning.

Bandit options

Short description:
Security oriented static analyser for python code.

Long description:
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.

Bandit gdnconfig sample

{
  "tools": [
    {
      "tool": {
        "name": "Bandit",
        "version": "Latest"
      },
      "arguments": {
        "OutputFile": "",
        "Recursive": "",
        "Target": "$(DefaultBanditTargets)",
        "Aggregate": "",
        "ContextLines": "",
        "ConfigFile": "",
        "Profile": "",
        "Tests": ["B102", "B110", "B112", "B303", "B304", "B312", "B321", "B324", "B413", "B501", "B502", "B503", "B504", "B505"],
        "SkippedTests": "",
        "SeverityLevel": "",
        "ConfidenceLevel": "",
        "Format": "sarif",
        "MessageTemplate": "",
        "Verbose": "",
        "Debug": "",
        "Quiet": "",
        "IgnoreNosec": "",
        "ExcludedPaths": "",
        "Baseline": "",
        "IniPath": "",
        "Help": "",
        "Version": ""
      }
    }
  ]
}

Bandit Environment Variables

Argument name Environment variable name Description
OutputFile GDN_BANDIT_OUTPUTFILE write report to filename
Recursive GDN_BANDIT_RECURSIVE find and process files in subdirectories.
Target GDN_BANDIT_TARGET source file(s) or directory(s) to be tested
Aggregate GDN_BANDIT_AGGREGATE aggregate output by vulnerability (default) or by filename (file or vuln)
ContextLines GDN_BANDIT_CONTEXTLINES maximum number of code lines to output for each issue
ConfigFile GDN_BANDIT_CONFIGFILE optional config file to use for selecting plugins and overriding defaults
Profile GDN_BANDIT_PROFILE optional config file to use for selecting plugins and overriding defaults
Tests GDN_BANDIT_TESTS list of test IDs to run
SkippedTests GDN_BANDIT_SKIPPEDTESTS list of test IDs to skip
SeverityLevel GDN_BANDIT_SEVERITYLEVEL report only issues of a given severity level or higher. (LOW, MEDIUM, or HIGH, default LOW)
ConfidenceLevel GDN_BANDIT_CONFIDENCELEVEL report only issues of a given confidence level or higher. (LOW, MEDIUM, or HIGH, default LOW)
Format GDN_BANDIT_FORMAT the output format of the log file. Guardian supports the 'sarif' output format. Other formats that cannot be imported for post processing by Guardian are: csv,custom,html,json,screen,txt,xml,yaml
MessageTemplate GDN_BANDIT_MESSAGETEMPLATE Specify output format (only usable with --format custom)
Verbose GDN_BANDIT_VERBOSE output extra information like excluded and included files
Debug GDN_BANDIT_DEBUG turn on debug mode
Quiet GDN_BANDIT_QUIET only show output in the case of an error
IgnoreNosec GDN_BANDIT_IGNORENOSEC do not skip lines with # nosec comments
ExcludedPaths GDN_BANDIT_EXCLUDEDPATHS comma-separated list of paths (glob patterns supported to exclude from scan)
Baseline GDN_BANDIT_BASELINE path of a baseline report to compare against (only JSON-formatted files are accepted)
IniPath GDN_BANDIT_INIPATH path to a .bandit file that supplies command line arguments
Help GDN_BANDIT_HELP show a help message and exit.
Version GDN_BANDIT_VERSION show program's version number and exit

BinSkim options

Short description:
A portable executable scanner that validates compiler/linker settings and other security-relevant binary characteristics.

BinSkim gdnconfig sample

{
  "tools": [
    {
      "tool": {
        "name": "BinSkim",
        "version": "Latest"
      },
      "arguments": {
        "Function": "analyze",
        "Target": "$(BinSkim.DefaultTargetPattern)",
        "Output": "",
        "SymbolsPath": "",
        "LocalSymbolDirectories": "",
        "ConfigPath": "default",
        "PluginPath": "",
        "IgnorePdbLoadError": "false",
        "Recurse": "false",
        "Verbose": "false",
        "Hashes": true,
        "Statistics": true,
        "Environment": "false",
        "Trace": "",
        "Quiet": "false",
        "Optimize": "false",
        "Level": "",
        "Kind": "",
        "PrettyPrint": "false",
        "Minify": "false",
        "SarifOutputVersion": "OneZeroZero",
        "Threads": ""
      }
    }
  ]
}

BinSkim Environment Variables

Argument name Environment variable name Description
Function GDN_BINSKIM_FUNCTION
Target GDN_BINSKIM_TARGET
Output GDN_BINSKIM_OUTPUT File path to which analysis output will be written.
SymbolsPath GDN_BINSKIM_SYMBOLSPATH Symbols path value, e.g., Cachec:\symbols;SRVhttp://msdl.microsoft.com/download/symbols or Cached:\symbols;Srvhttp://symweb.
LocalSymbolDirectories GDN_BINSKIM_LOCALSYMBOLDIRECTORIES A set of semicolon-delimited local directory paths that will be examined when attempting to locate PDBs.
ConfigPath GDN_BINSKIM_CONFIGPATH Path to policy file that will be used to configure analysis.
PluginPath GDN_BINSKIM_PLUGINPATH Path to plug-in that will be invoked against all targets in the analysis set.
IgnorePdbLoadError GDN_BINSKIM_IGNOREPDBLOADERROR If enabled, BinSkim won't break if we have a 'PdbLoadingException'.
Recurse GDN_BINSKIM_RECURSE Recurse into subdirectories when evaluating file specifier arguments.
Verbose GDN_BINSKIM_VERBOSE Emit verbose output.
Hashes GDN_BINSKIM_HASHES Output MD5, SHA1, and SHA-256 hash of analysis targets when emitting SARIF reports.
Statistics GDN_BINSKIM_STATISTICS Generate timing and other statistics for analysis session.
Environment GDN_BINSKIM_ENVIRONMENT Log machine environment details of run to output file.
Trace GDN_BINSKIM_TRACE (Default: ) Execution traces, expressed as a semicolon-delimited list, that should be emitted to the console and log file (if appropriate). Valid values: PdbLoad.
Quiet GDN_BINSKIM_QUIET Do not log results to the console.
Optimize GDN_BINSKIM_OPTIMIZE Omit redundant properties, producing a smaller but non-human-readable log.
Level GDN_BINSKIM_LEVEL (Default: Error Warning) Filter output of scan results to one or more failure levels. Valid values: Error, Warning and Note.
Kind GDN_BINSKIM_KIND (Default: Fail) Filter output one or more result kinds. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational.
PrettyPrint GDN_BINSKIM_PRETTYPRINT Produce pretty-printed JSON output rather than compact output (all white space removed).
Minify GDN_BINSKIM_MINIFY Produce compact JSON output (all white space removed) rather than pretty-printed output.
SarifOutputVersion GDN_BINSKIM_SARIFOUTPUTVERSION The SARIF version of the output log file. Valid values are OneZeroZero and Current.
Threads GDN_BINSKIM_THREADS A count of threads that should be used for multithreaded operations.

ESLint options

Short description:
An extensible open source JavaScript linting utility used to find problematic patterns or code that doesn't adhere to certain guidelines

ESLint gdnconfig sample (Windows defaults)

{
  "tools": [
    {
      "tool": {
        "name": "ESLint",
        "version": "Latest"
      },
      "arguments": {
        "DisableDefaultConfigurationFile": true,
        "ResolvePluginsRelativeTo": "",
        "ConfigurationFile": "$(SDLRequiredConfigurationFile)",
        "Environments": "",
        "Extensions": [".js", ".ts"],
        "Globals": "",
        "Parser": "",
        "ParserOptions": "",
        "AdditionalRulesDirectories": "",
        "Plugins": "",
        "Rules": "",
        "Fix": "",
        "FixDryRun": "",
        "FixTypes": "",
        "ExclusionsFilePath": "",
        "DisableExclusions": "",
        "ExclusionPatterns": "*.d.ts",
        "Quiet": "",
        "MaxWarnings": "",
        "ExitOnFatalError": "",
        "OutputFile": "",
        "OutputFormat": "$(InstallDirectory)\\node_modules\\@microsoft\\eslint-formatter-sarif\\sarif.js",
        "DisableInlineConfig": "",
        "ReportUnusedDisableDirectives": "",
        "Cache": "",
        "CacheLocation": "",
        "Debug": "",
        "Help": "",
        "Targets": "$(DefaultTargets)"
      }
    }
  ]
}

Checkov options

Short description:
An Infrastructure-as-Code (IaC) security analyzer for multi-cloud template types.

Long description:
Checkov is a static code analysis tool for infrastructure as code (IaC).

It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

Checkov gdnconfig sample

{
  "tools": [
    {
      "tool": {
        "name": "Checkov",
        "version": "Latest"
      },
      "arguments": {
        "SkipPath": "",
        "Directory": "",
        "File": "",
        "ExternalChecksDir": "",
        "List": "true",
        "Framework": "",
        "SkipFramework": "",
        "Check": "",
        "SkipCheck": "",
        "HardFailOn": "",
        "DownloadExternalModules": "",
        "ExternalModulesDownloadPath": "",
        "ConfigFile": "",
        "CreateConfig": "",
        "ShowConfig": "true",
        "CreateBaseLine": "",
        "Baseline": "",
        "NoFailOnCrash": "",
        "EnableSecretScanAllFiles": "false",
        "BlockListSecretScan": "",
        "Quiet": "false",
        "Help": "",
        "Version": ""
      }
    }
  ]
}

Checkov Environment Variables

Argument name Environment variable name Description
SkipPath GDN_CHECKOV_SKIPPATH Path (file or directory) to skip, using regular expression logic, relative to the current working directory. Word boundaries are not implicit; i.e., specifying “dir1” will skip any directory or subdirectory named “dir1”. Can be specified multiple times. 
Directory GDN_CHECKOV_TARGETDIRECTORY IaC root directory (can not be used together with --file). 
File GDN_CHECKOV_FILE File to scan (can not be used together with --directory). With this option, Checkov will attempt to filter the runners based on the file type. For example, if you specify a “.tf” file, only the terraform and secrets frameworks will be included. You can further limit this (e.g., skip secrets) by using the --skip-framework argument. 
ExternalChecksDir GDN_CHECKOV_EXTERNALCHECKSDIR Directory for custom checks to be loaded. Can be repeated.
List GDN_CHECKOV_LIST List all checks that Checkov is scanning for.
Framework GDN_CHECKOV_FRAMEWORK Filter scan to run only on specific infrastructure code frameworks.
SkipFramework GDN_CHECKOV_SKIPFRAMEWORK Filter scan to skip specific infrastructure as code frameworks. This will be included automatically for some frameworks if system dependencies are missing. Add multiple frameworks using spaces.
Check GDN_CHECKOV_CHECK Checks to run; any other checks will be skipped. Enter one or more items separated by commas. Each item will be a Checkov check ID (CKV_AWS_123).
SkipCheck GDN_CHECKOV_SKIPCHECK Checks to skip; any other checks will not be run. Enter one or more items separated by commas. Each item will be a Checkov check ID
HardFailOn GDN_CHECKOV_HARDFAILON Exits with a non-zero exit code for specified checks. Enter one or more items separated by commas. Each item will be a Checkov check ID (CKV_AWS_123). --hard-fail-on takes precedence in a tie with skip check.
DownloadExternalModules GDN_CHECKOV_DOWNLOADEXTERNALMODULES Download external terraform modules from public git repositories and terraform registry
ExternalModulesDownloadPath GDN_CHECKOV_EXTERNALMODULESDOWNLOADPATH Set the path for the download external terraform modules.
ConfigFile GDN_CHECKOV_CONFIGFILE Path to the Checkov configuration YAML file.
CreateConfig GDN_CHECKOV_CREATECONFIG Takes the current command line args and writes them out to a config file at the given path. 
ShowConfig GDN_CHECKOV_SHOWCONFIG Prints all args and config settings and where they came from (e.g., command line, config file, environment variable or default). 
CreateBaseLine GDN_CHECKOV_CREATEBASELINE Alongside outputting the findings, save all results to .checkov.baseline file so future runs will not re-flag the same noise. Works only with --directory flag. 
Baseline GDN_CHECKOV_BASELINE Use a .checkov.baseline file to compare current results with a known baseline. Report will include only failed checks that are new with respect to the provided baseline. 
NoFailOnCrash GDN_CHECKOV_NOFAILONCRASH Return exit code 0 instead of 2 which indicates a failure in the integration with the platform. 
EnableSecretScanAllFiles GDN_CHECKOV_ENABLESECRETSCANALLFILES Enable secret scan to scan all type of file. 
BlockListSecretScan GDN_CHECKOV_BLOCKLISTSECRETSCAN List of files to filter out in the secret scanner. 
Quiet GDN_CHECKOV_QUIET For the CLI output, display only failed checks. Also disables progress bars.
Help GDN_CHECKOV_HELP show a help message and exit.
Version GDN_CHECKOV_VERSION show program's version number and exit

ESLint Environment Variables

Argument name Environment variable name Description
DisableDefaultConfigurationFile GDN_ESLINT_DISABLEDEFAULTCONFIGURATIONFILE Disables use of configuration from .eslintrc.* and package.json files. Default: true
ResolvePluginsRelativeTo GDN_ESLINT_RESOLVEPLUGINSRELATIVETO Specify the working directory from which to load the plugins. Default:CWD
ConfigurationFile GDN_ESLINT_CONFIGURATIONFILE Specify an additional configuration file for ESLint. This file will override existing configurations.
Environments GDN_ESLINT_ENVIRONMENTS Specify environments, e.g.: --env browser,node. See: https://eslint.org/docs/user-guide/configuring#specifying-environments
Extensions GDN_ESLINT_EXTENSIONS Specifies file extensions to scan.
Globals GDN_ESLINT_GLOBALS Specify global variables,so that they will not be flagged as undefined by the no-undef rule. Any specified global variables are assumed to be read-only by default, but appending :true to a variable's name ensures that no-undef will also allow writes. E.g.: --global require,exports:true
Parser GDN_ESLINT_PARSER Specify a parser to be used by ESLint. When using the SDL required/recommended config, @typescript-eslint/parser will be the default.
ParserOptions GDN_ESLINT_PARSEROPTIONS Specify parser options to be used by ESLint. Note that the available parser options are determined by the parser being used. E.g.: --parser-options=ecmaVersion:7
AdditionalRulesDirectories GDN_ESLINT_ADDITIONALRULESDIRECTORIES Specify other directories from which to load rules files.
Plugins GDN_ESLINT_PLUGINS Specifies plugins to load. You can omit the prefix eslint-plugin- fom the plugin name. Plugins must be installed using npm before being used.
Rules GDN_ESLINT_RULES Specify additional rules. These will be merged with any rules specified using other options.
Fix GDN_ESLINT_FIX Instructs ESLint to try to fix as many issues as possible. The fixes are made to the actual files themselves and only the remaining unfixed issues are output.
FixDryRun GDN_ESLINT_FIXDRYRUN Same as --fix, but instead of fixing the files, output the fixes.
FixTypes GDN_ESLINT_FIXTYPES Specify the types of fixes to apply. Choose from: problem, suggestion, layout. Multiple allowed, comma separated.
ExclusionsFilePath GDN_ESLINT_EXCLUSIONSFILEPATH Specify the file to use as your .eslintignore. By default, ESLint looks in the current working directory for .eslintignore. You can override this behavior by providing a path to a different file.
DisableExclusions GDN_ESLINT_DISABLEEXCLUSIONS Disables excluding of files from .eslintignore, --ignore-path and --ignore-pattern.
ExclusionPatterns GDN_ESLINT_EXCLUSIONPATTERNS This option allows you to specify patterns of files to ignore (in addition to those in .eslintignore). You can repeat the option to provide multiple patterns.E.g. eslint --ignore-pattern '/lib/' --ignore-pattern '/src/vendor/*' .
Quiet GDN_ESLINT_QUIET Disable reporting on warnings.
MaxWarnings GDN_ESLINT_MAXWARNINGS Specify a warning threshold, which can be used to force ESLint to exit with an error status if there are too many warning-level rule violations in your project.
ExitOnFatalError GDN_ESLINT_EXITONFATALERROR This option causes ESLint to exit with exit code 2 if one or more fatal parsing errors occur. Without this option, fatal parsing errors are reported as rule violations.
OutputFile GDN_ESLINT_OUTPUTFILE Specifies the path of the output file.
OutputFormat GDN_ESLINT_OUTPUTFORMAT Specifies the output format. Default: json.
DisableInlineConfig GDN_ESLINT_DISABLEINLINECONFIG This option prevents all inline comments like /eslint-disable/ or /global foo/ from having any effect.
ReportUnusedDisableDirectives GDN_ESLINT_REPORTUNUSEDDISABLEDIRECTIVES This option causes ESLint to report directive comments like // eslint-disable-line when no errors would have been reported on that line anyway.
Cache GDN_ESLINT_CACHE Only check changed files - default: false.
CacheLocation GDN_ESLINT_CACHELOCATION Path to the cache file or directory
Debug GDN_ESLINT_DEBUG Outputs debugging information to the console.
Help GDN_ESLINT_HELP
Targets GDN_ESLINT_TARGETS Specifies the target files, directories or globs, as a space separated list.

TemplateAnalyzer options

Short description:
Scans ARM templates for security misconfigurations

Long description:
TemplateAnalyzer provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your ARM templates follow best practices.

TemplateAnalyzer gdnconfig sample (Windows defaults)

{
  "tools": [
    {
      "tool": {
        "name": "TemplateAnalyzer",
        "version": "Latest"
      },
      "arguments": {
        "AnalyzeDirectory": "$(WorkingDirectory)",
        "AnalyzeTemplate": "",
        "ParametersFilePath": "",
        "Verbose": "true",
        "IncludeNonSecurityRules": "true",
        "Help": ""
      }
    }
  ]
}

TemplateAnalyzer Environment Variables

Argument name Environment variable name Description
AnalyzeDirectory GDN_TEMPLATEANALYZER_ANALYZEDIRECTORY Recursively searches for and analyzes all ARM templates in a directory with the set of preconfigured rules
AnalyzeTemplate GDN_TEMPLATEANALYZER_ANALYZETEMPLATE Analyzes an ARM template with the set of preconfigured rules
ParametersFilePath GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH File path of parameters file to use when scanning a template (optional)
Verbose GDN_TEMPLATEANALYZER_VERBOSE Shows details about the analysis
IncludeNonSecurityRules GDN_TEMPLATEANALYZER_INCLUDENONSECURITYRULES Run all the rules against the templates, including non-security rules
Help GDN_TEMPLATEANALYZER_HELP Output command line help information for the Template BPA CLI

Terrascan options

Short description:
Validate an IaC templates

Long description:
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Terrascan gdnconfig sample

{
  "tools": [
    {
      "tool": {
        "name": "Terrascan",
        "version": "Latest"
      },
      "arguments": {
        "Init": "",
        "Scan": "scan",
        "Server": "",
        "Version": "",
        "ConfigPath": "",
        "LogLevel": "",
        "LogType": "",
        "OutputType": "sarif",
        "Categories": "",
        "ConfigOnly": "",
        "FindVuln": "",
        "Help": "",
        "IacDir": "$(WorkingDirectory)",
        "IacFile": "",
        "IacType": "",
        "IacVersion": "",
        "NonRecursive": "",
        "PolicyPath": "",
        "PolicyType": "",
        "RemoteType": "",
        "RemoteUrl": "",
        "ScanRules": "",
        "Severity": "",
        "ShowPassed": "",
        "SkipRules": "",
        "UseColors": "auto",
        "UseTerraformCache": "",
        "Verbose": ""
      }
    }
  ]
}

Terrascan Environment Variables

Argument name Environment variable name Description
Init GDN_TERRASCAN_INIT Initializes Terrascan and clones policies from the Terrascan GitHub repository
Scan GDN_TERRASCAN_SCAN Detect compliance and security violations across Infrastructure as Code
Server GDN_TERRASCAN_SERVER Run Terrascan as an API server
Version GDN_TERRASCAN_VERSION Terrascan version
ConfigPath GDN_TERRASCAN_CONFIGPATH Format supported is *.TOML
LogLevel GDN_TERRASCAN_LOGLEVEL Log level (debug, info, warn, error, panic, fatal) (default 'info')
LogType GDN_TERRASCAN_LOGTYPE Log output type (console, json) (default 'console')
OutputType GDN_TERRASCAN_OUTPUTTYPE Output type (human, json, yaml, xml, junit-xml, sarif) (default 'sarif')
Categories GDN_TERRASCAN_CATEGORIES List of categories of violations to be reported by terrascan (example: --categories='category1,category2')
ConfigOnly GDN_TERRASCAN_CONFIGONLY Will output resource config (should only be used for debugging purposes)
FindVuln GDN_TERRASCAN_FINDVULN Fetches vulnerabilities identified in Docker images
Help GDN_TERRASCAN_HELP
IacDir GDN_TERRASCAN_IACDIR Path to a directory containing one or more IaC files (default '.'')
IacFile GDN_TERRASCAN_IACFILE Path to a single IaC file
IacType GDN_TERRASCAN_IACTYPE Iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan)
IacVersion GDN_TERRASCAN_IACVERSION Iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1)
NonRecursive GDN_TERRASCAN_NONRECURSIVE Do not scan directories and modules recursively
PolicyPath GDN_TERRASCAN_POLICYPATH Policy path directory
PolicyType GDN_TERRASCAN_POLICYTYPE Policy type (all, aws, azure, gcp, github, k8s) (default [all])
RemoteType GDN_TERRASCAN_REMOTETYPE Type of remote backend (git, s3, gcs, http, terraform-registry)
RemoteUrl GDN_TERRASCAN_REMOTEURL Url pointing to remote IaC repository
ScanRules GDN_TERRASCAN_SCANRULES One or more rules to scan (example: --scan-rules='ruleID1,ruleID2')
Severity GDN_TERRASCAN_SEVERITY Minimum severity level of the policy violations to be reported by terrascan
ShowPassed GDN_TERRASCAN_SHOWPASSED Display passed rules, along with violations
SkipRules GDN_TERRASCAN_SKIPRULES One or more rules to skip while scanning (example: --skip-rules='ruleID1,ruleID2')
UseColors GDN_TERRASCAN_USECOLORS Color output (auto, t, f) (default 'auto')
UseTerraformCache GDN_TERRASCAN_USETERRAFORMCACHE Use terraform init cache for remote modules (when used directory scan will be non recursive,flag applicable only with terraform IaC provider)
Verbose GDN_TERRASCAN_VERBOSE Will show violations with details (applicable for default output)

Trivy options

Short description:
A security analysis tool for containers.

Long description:
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts.

Trivy gdnconfig sample (Windows defaults)

{
  "tools": [
    {
      "tool": {
        "name": "Trivy",
        "version": "Latest"
      },
      "arguments": {
        "Action": "filesystem",
        "Target": ".",
        "ExitCode": "100",
        "Quiet": "",
        "Debug": "",
        "CacheDirectory": "",
        "OutputTemplate": "@$(InstallDirectory)\\tools\\sarif.tpl",
        "TableFormat": "template",
        "ImagePath": "",
        "Severities": "",
        "OutputPath": "",
        "SkipDBUpdate": "",
        "IgnoreUnfixed": "",
        "RemovedPKGS": "",
        "VulnTypes": "",
        "IgnoreFile": "",
        "Timeout": "",
        "LightMode": "",
        "IgnorePolicyPath": "",
        "ListAllPackages": "",
        "SkipFiles": "",
        "SkipDirectories": "",
        "CacheBackend": "",
        "ClientServerToken": "",
        "ClientServerTokenHeader": "",
        "ClientRemoteLocation": "",
        "ClientServerCustomHeaders": ""
      }
    }
  ]
}

Trivy Environment Variables

Argument name Environment variable name Description
Action GDN_TRIVY_ACTION The type of resource you would like to scan. The default is filesystem which scans local resources. Other options include image, repository, client, server.
Target GDN_TRIVY_TARGET Target of scan. For the default action (filesystem), a directory.
ExitCode GDN_TRIVY_EXITCODE Exit code to use if errors are detected. This must stay 100.
Quiet GDN_TRIVY_QUIET Suppress progress bar and log output.
Debug GDN_TRIVY_DEBUG Enable verbose debug output.
CacheDirectory GDN_TRIVY_CACHEDIRECTORY Directory for storing Trivy cache data.
OutputTemplate GDN_TRIVY_OUTPUTTEMPLATE A template to modify the output format. Output format must be set to template for this to work. The default behavior uses this option and a provided template to produce SARIF. If providing a filename, prpend @.
TableFormat GDN_TRIVY_TABLEFORMAT Format for the results output. Template is preferred by Guardian to produce SARIF, but this requires an output template to be selected as well. Other options include JSON and text.
ImagePath GDN_TRIVY_IMAGEPATH Path to image instead of image name. This is only useful if using the image scan type. See also: https://github.com/aquasecurity/trivy#scan-an-oci-image
Severities GDN_TRIVY_SEVERITIES Severities to display. Available options are: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. Warning: this is not a threshold and all desired severities must be listed. The default is to include all findings.
OutputPath GDN_TRIVY_OUTPUTPATH Path of output file.
SkipDBUpdate GDN_TRIVY_SKIPDBUPDATE Skip the database update step.
IgnoreUnfixed GDN_TRIVY_IGNOREUNFIXED Ignore issues that aren't known to be fixed.
RemovedPKGS GDN_TRIVY_REMOVEDPKGS detect vulnerabilities of removed packages (only for Alpine)
VulnTypes GDN_TRIVY_VULNTYPES Vulnerability types to display. Options are: os, library. The default is to display both of these.
IgnoreFile GDN_TRIVY_IGNOREFILE Path to a Trivy ignorefile. See the tool documentation at: https://github.com/aquasecurity/trivy
Timeout GDN_TRIVY_TIMEOUT Timeout for Docker operations in the format 5m0s. The default is five minutes.
LightMode GDN_TRIVY_LIGHTMODE light mode: it's faster, but vulnerability descriptions and references are not displayed.
IgnorePolicyPath GDN_TRIVY_IGNOREPOLICYPATH Path to a custom Rego file to evaluate each vulnerability. This feature is experimental. See also: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy
ListAllPackages GDN_TRIVY_LISTALLPACKAGES List all packages used, whether they have vulnerabilities or not.
SkipFiles GDN_TRIVY_SKIPFILES Paths to files to skip. If you wish to ignore entire directories, use the skip directories option. This does not support complex matching patterns.
SkipDirectories GDN_TRIVY_SKIPDIRECTORIES Paths to directories to ignore. If you wish to ignore single files while scanning others in the same directory, use the skip files option. This does not support complex matching patterns.
CacheBackend GDN_TRIVY_CACHEBACKEND Location of the cache backend resource. Does not work with client action.
ClientServerToken GDN_TRIVY_CLIENTSERVERTOKEN Token to authenticate to a server. Only works with client or server actions.
ClientServerTokenHeader GDN_TRIVY_CLIENTSERVERTOKENHEADER Header to use when sending or expecting the token to authenticate to a server. Only works with client or server actions.
ClientRemoteLocation GDN_TRIVY_CLIENTREMOTELOCATION URI of a Trivy server. Only works with client action.
ClientServerCustomHeaders GDN_TRIVY_CLIENTSERVERCUSTOMHEADERS Custom headers for a Trivy server. Only works with client or server actions.