Description
When running the MicrosoftSecurityDevOps@1 task in an Azure DevOps pipeline, there is a misconception about the behavior of the `break` input.
This is seen when there is a failure in running a tool (e.g. Trivy, Terrascan, etc.). The expectation is that failures in security tools should cause the task to fail. However, when a tool encounters a configuration issue and fails to execute, the task logs errors but still returns a success status, continuing the pipeline execution.
```text
##[error]Error running tool 1 of 2: trivy
##[error]Error running trivy job: 1 of 1
##[error]GuardianErrorExitCodeException: trivy completed with an Error exit code: 1. The tool did not complete successfully due to bad parameters or a scan error. Contact TrivySecSupport for assistance.
##[error]BreakException: Guardian detected one or more breaking results.
```
This behavior introduces a risk where security tools silently fail, potentially causing vulnerabilities to go undetected.
To avoid this, one can use the `break` input, but the description in the documentation focuses on severity-level results and does not specify task execution issues.
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  # inputs:
  #   tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. Example 'templateanalyzer, trivy'
  #   break: boolean. Optional. If true, will fail this build step if any high severity level results are found. Default: false.
```

The MicrosoftSecurityDevOps@1 task should return an error and fail if a tool that it tries to run fails to execute. Alternatively, an additional setting should be used to distinguish between a security issue (i.e., high severity findings) and a task execution failure (e.g., misconfiguration or tool failure).
Please advise, and do let me know if more information is needed.
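The distinction the issue asks for (a tool that did not execute versus a tool that ran and reported breaking results) can be made from the task's own log output. The script below is an added example written for this page; it is not code from the issue author, from the MicrosoftSecurityDevOps task, or from Microsoft. It assumes the task log has already been saved to a file (how it is obtained, for instance via the Azure DevOps build log REST API, is outside the script), that the marker strings shown in the excerpt above are stable, and that it runs as a pipeline script step where the `##vso[task.logissue]` and `##vso[task.complete]` logging commands take effect. The three sample logs it writes are constructed for the demonstration and modelled on the excerpt.

```bash
#!/usr/bin/env bash
# Added example (not the issue author's code and not part of the MSDO task).
# Classifies an MSDO task log so that "a tool failed to execute" is reported
# separately from "a tool ran and Guardian found breaking results".
#
# Assumptions not established by the issue:
#   - the task's log text has already been saved to a file;
#   - the marker strings come from the issue's log excerpt and are stable;
#   - fail_step_on_tool_error runs inside an Azure DevOps script step.

MSDO_OK=0            # no error markers in the log
MSDO_FINDINGS=2      # tools ran; Guardian reported breaking results
MSDO_TOOL_FAILED=3   # at least one tool failed to execute

# classify_msdo_log <logfile>
# Prints one of: ok | findings | tool_failed, and returns the matching code.
classify_msdo_log() {
    local logfile=$1
    local tool_failed=0 findings=0

    if grep -Eq 'GuardianErrorExitCodeException|Error running tool [0-9]+ of [0-9]+' "$logfile"; then
        tool_failed=1
    fi
    if grep -q 'BreakException: Guardian detected one or more breaking results' "$logfile"; then
        findings=1
    fi

    # An execution failure wins: the issue's excerpt shows BreakException next to
    # the tool error, and a scan that never ran says nothing about findings.
    if [ "$tool_failed" -eq 1 ]; then
        echo tool_failed
        return "$MSDO_TOOL_FAILED"
    elif [ "$findings" -eq 1 ]; then
        echo findings
        return "$MSDO_FINDINGS"
    fi
    echo ok
    return "$MSDO_OK"
}

# fail_step_on_tool_error <logfile>
# Emits the Azure DevOps logging commands that fail the current step, but only
# for an execution failure; severity-based breaking is left to the task's
# own `break` input. Returns the classification code.
fail_step_on_tool_error() {
    local verdict code=0
    verdict=$(classify_msdo_log "$1") || code=$?
    echo "MSDO verdict: $verdict"
    if [ "$code" -eq "$MSDO_TOOL_FAILED" ]; then
        echo "##vso[task.logissue type=error]A security tool failed to execute; see the MSDO log"
        echo "##vso[task.complete result=Failed;]security tool execution failure"
    fi
    return "$code"
}

# make_sample_logs [dir]
# Writes three constructed sample logs (modelled on the issue's excerpt) and
# prints the directory they were written to.
make_sample_logs() {
    local dir=${1:-$(mktemp -d)}
    cat > "$dir/tool_failed.log" <<'EOF'
##[error]Error running tool 1 of 2: trivy
##[error]Error running trivy job: 1 of 1
##[error]GuardianErrorExitCodeException: trivy completed with an Error exit code: 1. The tool did not complete successfully due to bad parameters or a scan error. Contact TrivySecSupport for assistance.
##[error]BreakException: Guardian detected one or more breaking results.
EOF
    cat > "$dir/findings.log" <<'EOF'
##[error]BreakException: Guardian detected one or more breaking results.
EOF
    cat > "$dir/clean.log" <<'EOF'
Running tool 1 of 1: terrascan
terrascan completed successfully
EOF
    echo "$dir"
}

# Stand-alone demo over the constructed logs.
demo_dir=$(make_sample_logs)
for f in "$demo_dir"/*.log; do
    printf '%s: ' "$(basename "$f")"
    fail_step_on_tool_error "$f" || true
done
```

In a pipeline, the `##vso[task.complete result=Failed;]` line is what turns the execution failure into a failed step; the `findings` case deliberately emits nothing, so whether high-severity results break the build stays governed by the task's `break` input.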