
microsoft/security-devops-action (Preview)

Microsoft Security DevOps (MSDO) is a command line application that integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven, with portable configurations that enable deterministic execution across multiple environments. For tools that emit SARIF, or whose results MSDO can convert to SARIF, MSDO imports the results into a normalized file database so they can be reported on and acted upon across tools, for example by forcing build breaks.

Run locally. Run remotely.

Microsoft Security DevOps

This action runs the Microsoft Security DevOps CLI for security analysis:

  • Installs the Microsoft Security DevOps CLI
  • Installs the latest Microsoft security policy
  • Installs the latest Microsoft and 3rd party security tools
  • Automatic or user-provided configuration of security tools
  • Execution of a full suite of security tools
  • Normalized processing of results into the SARIF format
  • Build breaks and more

Usage

See action.yml

Basic

Run Microsoft Security DevOps (MSDO) with the default policy and recommended tools.

permissions:
  security-events: write

steps:

- uses: actions/checkout@v3

- name: Run Microsoft Security DevOps
  uses: microsoft/security-devops-action@v1
  id: msdo

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running MSDO. MSDO sets the action output variable sarifFile to the path of a single SARIF file, which is the value to pass to that action's sarif_file input.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ steps.msdo.outputs.sarifFile }}
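The sarifFile output is one SARIF 2.1.0 document with a run per analyzer, so it can be inspected in the workflow before (or instead of) relying on MSDO's own build-break policy. The script below is an added example and is not code from the action or from MSDO: it counts results per tool and level and decides whether to fail the job, with an optional set of accepted rule IDs to ignore. The embedded SARIF document is constructed for illustration, and the tool names, rule IDs and paths in it are placeholders, not real scan output.

```python
"""Triage an MSDO SARIF file: count results per tool and level, gate on severity.

Added example; not part of microsoft/security-devops-action. Assumes a
SARIF 2.1.0 file such as the one referenced by the action's `sarifFile`
output. SAMPLE_SARIF below is constructed for illustration only.
"""
import json
import sys
from collections import Counter

# SARIF result levels, ordered from least to most severe.
LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample (not real scan output): two runs, one per tool,
# mirroring how a multi-tool SARIF file carries one run per analyzer.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Bandit"}},
            "results": [
                {"ruleId": "B105", "level": "warning",
                 "message": {"text": "Possible hardcoded password"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/settings.py"},
                     "region": {"startLine": 12}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "Terrascan"}},
            "results": [
                {"ruleId": "AC_AWS_0214", "level": "error",
                 "message": {"text": "S3 bucket has public read access"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "iac/s3.tf"},
                     "region": {"startLine": 3}}}]},
                {"ruleId": "AC_K8S_0001", "level": "note",
                 "message": {"text": "Container runs as root"},
                 "locations": []},
            ],
        },
    ],
}


def iter_results(sarif):
    """Yield (tool, ruleId, level, uri, line, message) for every result."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when omitted
            uri, line = "", None
            locs = res.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
            text = res.get("message", {}).get("text", "")
            yield tool, res.get("ruleId", ""), level, uri, line, text


def summarize(sarif):
    """Count results per (tool, level)."""
    counts = Counter()
    for tool, _rule, level, *_ in iter_results(sarif):
        counts[(tool, level)] += 1
    return counts


def should_break(sarif, threshold="error", suppressed=()):
    """Return True if any non-suppressed result is at or above threshold.

    `suppressed` holds rule IDs that have been reviewed and accepted.
    """
    limit = LEVEL_ORDER[threshold]
    for _tool, rule, level, *_ in iter_results(sarif):
        if rule in suppressed:
            continue
        if LEVEL_ORDER.get(level, 0) >= limit:
            return True
    return False


def load(path):
    # utf-8-sig tolerates a BOM, which Windows-hosted tools sometimes emit.
    with open(path, encoding="utf-8-sig") as fh:
        return json.load(fh)


def main(argv):
    sarif = load(argv[1]) if len(argv) > 1 else SAMPLE_SARIF
    for (tool, level), n in sorted(summarize(sarif).items()):
        print(f"{tool:<12} {level:<8} {n}")
    for tool, rule, level, uri, line, msg in iter_results(sarif):
        print(f"[{level}] {tool} {rule} {uri}:{line} {msg}")
    return 1 if should_break(sarif) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the MSDO step with the output path as its only argument, e.g. `python triage.py "${{ steps.msdo.outputs.sarifFile }}"`; a non-zero exit fails the job. The threshold and suppression set are deliberately kept in code rather than read from the SARIF, so the gate is reviewed with the workflow instead of being editable by a scan result.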

Advanced

To enable container mapping, which sends results to Microsoft Defender for DevOps, include container-mapping as a tool:

- uses: microsoft/security-devops-action@v1
  id: msdo
  with:
    includeTools: container-mapping

This will run all the analyzers defined by the configured or defaulted policy in addition to container-mapping. To only run this feature, define container-mapping as the only tool to run:

- uses: microsoft/security-devops-action@v1
  id: msdo
  with:
    tools: container-mapping

Tools

| Name | Language | License |
| --- | --- | --- |
| AntiMalware | code, artifacts | - |
| Bandit | Python | Apache License 2.0 |
| BinSkim | binary (Windows, ELF) | MIT License |
| ESlint | JavaScript | MIT License |
| Template Analyzer | Infrastructure-as-code (IaC): ARM templates, Bicep files | MIT License |
| Terrascan | Infrastructure-as-code (IaC): Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | container images, file systems, and git repositories | Apache License 2.0 |

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the MSDO action's output.

License

The scripts and documentation in this project are released under the MIT License.

Contributing

Contributions are welcome! See the Contributor's Guide.

security-devops-action's People

Contributors

charlesoxyer, chrisnielsen-ms, davidknise, j0tr, jiandongjiang, laragoldstein13, larohra, prashmo, sukhans, tonybaloney, wilbug1git1


security-devops-action's Issues

The "path" argument must be of type string. Received type undefined

Hello,

I'm incorporating this in my pipelines and it's working for YAML pipelines, but when I try to run the "Run Microsoft Defender for DevOps" task on a classic release pipeline I get this error: "TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received type undefined". I've been following some tutorials online and all of them indicate that I do not need to add anything to the parameters of the task. All connections have been made on the Azure side and I even tried adding a .gdnconfig file, but I get the same error.

image

Some help would be immensely appreciated. Thanks for your time and efforts.

Getting 401 (Unauthorized) when running Microsoft.Security.Devops.Cli.linux-x64.0.188.2 on CentOS 7/Alma

Hi,
Very weird: it has been running for over a week and, without any changes in the OS or relevant pipelines, the error 401 Unauthorized appeared.
It happens when running the Security DevOps extension on CentOS 7 / Alma 8.
The error is mentioned below.

Thanks,
Sagi

/home/devops-agent-1/agent/work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.188.2/tools/guardian init --force
Init:
Creating guardian repo at: /home/devops-agent-1/agent/work/6/s
Added /home/devops-agent-1/agent/work/6/s/.gdn/.gitignore file to ignore internal files. Please commit this file.
Guardian repository created at: /home/devops-agent-1/agent/work/6/s/.gdn
Please commit everything in the .gdn folder to source control. You can now use "guardian run" to run tools.
/home/devops-agent-1/agent/work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.188.2/tools/guardian run -p azuredevops --rich-exit-code --logger-pipeline --export-file /home/devops-agent-1/agent/work/6/a/.gdn/msdo.sarif --telemetry-environment azdevops
Run:
Installing Microsoft.Security.CodeAnalysis.Policy.Names


##[warning]Failed to install from source https://pkgs.dev.azure.com/secdevtools/SecDevTools/_packaging/MSCA.Policy/nuget/v3/index.json with exception NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://pkgs.dev.azure.com/secdevtools/SecDevTools/_packaging/MSCA.Policy/nuget/v3/index.json.
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

BinSkim failed. Verify the target(s) to be scanned.

We have a project to which I recently tried adding the following YAML in the build pipeline:

  - task: UseDotNet@2
    displayName: 'Use dotnet'
    condition: eq(variables['Build.SourceBranchName'], '18321-add-vulnerability-scan')
    inputs:
      version: 3.1.x
  - task: UseDotNet@2
    displayName: 'Use dotnet'
    condition: eq(variables['Build.SourceBranchName'], '18321-add-vulnerability-scan')
    inputs:
      version: 6.0.x
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    condition: eq(variables['Build.SourceBranchName'], '18321-add-vulnerability-scan')
    inputs:
      tools: 'BinSkim,CredScan,ESlint'

But BinSkim fails with the following:

    D:\a\_msdo\packages\nuget\Microsoft.CodeAnalysis.BinSkim.1.9.5\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze --config default --hashes --statistics --sarif-output-version OneZeroZero --output D:\a\1\s\.gdn\.r\binskim\001\binskim.sarif @D:\a\1\s\.gdn\.r\binskim\001\.gdntoolinput
    Analyzing...
    D:\a\1\s\UserPortalAPI\bin\Release\netcoreapp3.1\runtimes\win-arm64\native\sni.dll : error ERR997.ExceptionLoadingPdb : 'sni.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).
    D:\a\1\s\UserPortalAPI\bin\Release\netcoreapp3.1\runtimes\win-x64\native\sni.dll : error ERR997.ExceptionLoadingPdb : 'sni.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).
    D:\a\1\s\UserPortalAPI\bin\Release\netcoreapp3.1\runtimes\win-x86\native\sni.dll : error ERR997.ExceptionLoadingPdb : 'sni.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).
    
    Done. 125 files scanned.
    
    One or more rules was disabled for an analysis target, as it was determined not to be applicable to it (this is a common condition). Pass --verbose on the command-line for more information.
    
    Analysis did not complete due to one or more unrecoverable execution conditions.
    Unexpected fatal runtime condition(s) observed: ExceptionLoadingPdb
    
    Tool run time: 3.1682485 seconds
    ------------------------------------------------------------------------------
    BinSkim completed with exit code 1
##[error]Error running binskim job: 1 of 1
##[error]GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned. BinSkim targets must be a specific filename, or a pattern with a wildcard like *.dll, dir\*.dll, or dir\*
    ------------------------------------------------------------------------------

Although it doesn't fail the entire build pipeline, I am still curious why it fails.

Question: Does this action feedback to MS / have any impact on Windows Defender SmartScreen?

When sharing executables of our apps SmartScreen blocks users from running the app with a warning (unless the user opens the file properties and selects Unblock).

Per this StackOverflow Post files can be submitted to MS for analysis at https://www.microsoft.com/en-us/wdsi/filesubmission which can cause the SmartScreen DB to be updated to recognise the app as safe.

It would be great if we could build this submission into our pipelines, rather than developers having to download the produced output and manually upload it to MS.
Does this GitHub action also feedback to MS so as to update the SmartScreen database?
If not, is there an equivalent action which does? I believe MS require that we use an organisation account when submitting files via the above site; but perhaps GH Actions could use a Service Principal from our MS Entra account (or something similar) for this?

Terrascan: How to config IacType and IacVersion in terrascan gdnconfig

Hi everyone, I am trying to use the MicrosoftSecurityDevOps task in Azure DevOps with Terrascan and only want to scan k8s, helm and dockerfile. I have tried the following ways with env variables, but all gave me errors. Does anyone know a way to specify certain IaC types in terrascan?

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'v1, v3, v1' 
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'k8s: v1, helm: v3, docker: v1' 
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'

It works fine when I choose only one IAC_TYPE and pass in the corresponding version. However, when I try with more than one IaC type and IaC version, it gives me an error like this:
image

image

Secrets / CredScan Suppressions File Parameter

I have the action running as a step in my Azure DevOps build pipeline, specifying the 'secrets' category that runs CredScan.

There are a few false positives in non C# files (json, Dockerfile) that I want to suppress. However, I am unsure of how to pass the suppressions file path to credscan for this and it's missing in the documentation. Can you tell me how (and maybe add to the docs)?

Expected workflow usage scenario

How is this intended to work in the context of overall workflows? Is it a step that should be added to an existing workflow that has built the binaries and run tests or should it be in its own workflow file?

I was heading down the path of the latter, but then I noticed the BinSkim step fails because it cannot find the binaries. So I assume the intent would be to add this to an existing workflow process that has built the binaries.

Package 'Microsoft.Guardian.TerrascanRedist_windows_amd64 1.14.0.1' not found

The credential scanning github action for hi-ml repo is failing with the following error:

Error: Package 'Microsoft.Guardian.TerrascanRedist_windows_amd64 1.14.0.1' is not found in the following primary source(s): 'C:\Users\runneradmin\.nuget\packages\,https://pkgs.dev.azure.com/secdevtools/_packaging/SecDevTools/nuget/v3/index.json'. Please verify all your online package sources are available (OR) package id, version are specified correctly.

Link to failed CI workflow check.

Any ideas on how to fix it?

Specify IaC type when we use terrascan

Basically, is it possible to specify IaC types when we use the terrascan tool? The thing is that terrascan automatically detects the different types based on the files. On a kustomize applying patches on different environments, terrascan detects a k8s deployment and prints some high vulnerabilities, but in reality on the main deployment they are resolved.

Support SARIF from Other tools

Error running bandit - bandit_runner.exe not found

Hello. I'm setting up the action in multiple repositories and all of them fail at the same step, while trying to execute bandit.

Logs:

Error:      Error running tool 2 of 5: bandit
Error:      Error running bandit job: 1 of 1
Error:      ToolLauncherNotFoundException: Could not successfully find the D:\a\_msdo\packages\nuget\Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1\tools\bandit_runner.exe tool launcher. Please ensure any dependent frameworks are installed.
Error:      Win32Exception: An error occurred trying to start process 'D:\a\_msdo\packages\nuget\Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1\tools\bandit_runner.exe' with working directory 'D:\a\AzureGoat\AzureGoat'. The filename or extension is too long.
Error:      BreakException: Guardian detected one or more breaking results.
Error: Error: The process 'D:\a\_msdo\versions\microsoft.security.devops.cli\0.163.0\tools\guardian.cmd' failed with exit code 1

The action run resides in: https://github.com/rpiraces-plain/AzureGoat/actions/runs/5164467559/jobs/9303379837

How can I fix this? Have I set up anything wrong?

Edit:
Works perfectly fine with the ubuntu-latest runner... it seems to fail only with the windows-latest runner.

Cannot use action on self-hosted Runner

We have a fleet of self-hosted Runners running as containers. We have a minimal windows image (windows server core ltsc 2022) and only install what we need. We have tried to use the security-devops-action Action and encounter the following issue:

  • The MSDO CLI appears to install correctly
  • The MS Security Code Analysis Policy Names appears to install correctly
  • The MS Security Code Analysis Policy GitHub appears to install correctly
  • The MS Security DevOps AntiMalware CLI win-x64 appears to install correctly
  • The MS Guardian Terrascan Redist appears to install correctly

When running AntiMalware 1.7.0 we encounter the following error:

The tool path for AntiMalware could not be found. ArgumentNullException: Value cannot be null

When we run the exact same workflow on a GitHub-hosted Runner - it works perfectly.

What software are we missing on the self-hosted Runner in order for the action to work?

Skip or suppress rule in TemplateAnalyzer?

Hi,

The docs for the .gdnconfig show only a handful of variables for the TemplateAnalyzer: https://github.com/microsoft/security-devops-action/wiki#templateanalyzer-options

Of which, there doesn't appear to be a way to suppress or skip certain rules.

The docs for TemplateAnalyzer indicate you can skip objects: https://github.com/Azure/template-analyzer/blob/main/docs/customizing-evaluation-outputs.md#template-analyzer-rule-object

Is this possible in Defender for DevOps currently, and it's more of a documentation gap or is this not yet a feature we can leverage?

Thanks

SARIF files from other tooling

Hi,

I have been testing out Cloud Defender for DevOps and the integration with GitHub actions via MSDO and it works well.

The question I have is whether we can integrate our existing tooling that outputs to SARIF format. For example, we also use Snyk Code (SAST) and SCA, and it would be great to integrate the results with Cloud Defender.

I am able to upload the results to the security tab but it looks like the results don't flow through to Cloud Defender?

Validate Azure DevOps pipeline steps (integration of other SAST/SCA tooling)

Hi,

Could I also use this to check for the existence of certain steps in an Azure DevOps YAML pipeline? Does it have this capability? For example, if there is a step that uses SonarQube or Nexus IQ, i.e. can MSDO scan the following Azure DevOps YAML file and look for the existence of the steps involving SonarQube (example YAML below):

trigger:
- master # or the name of the main branch
- feature/*

steps:

- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'YourSonarqubeServerEndpoint'
    scannerMode: 'Other'
    extraProperties: 'sonar.projectKey=YourProjectKey'

- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'

PR decoration with Azure Defender for DevOps

Hi,

I am trying to setup PR decoration with Azure Defender for DevOps (leave comments on PRs with the findings from the SAST tool). I had previously created a ticket on Azure, but they forwarded me here once we realised the best way to achieve what I wanted was via a GitHub workflow, rather than setting up a pipeline on Azure DevOps.

I had already set up a GitHub workflow to scan our code with Defender for DevOps, and I followed the following tutorials in order to set things up:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-pull-request-annotations

As you can see in the screenshot below, Azure Defender is already presenting the findings on the GitHub Security tab (highlighted in Blue in the screenshot). It is also possible to see in the tool filter, the relevant tools used by Defender - antimalware & terrascan (highlighted in Red). Lastly, but very important, we can see highlighted in Green (a filter) that these findings are related to a Pull Request.

image

In fact, when comparing the number of findings with another screenshot, below, we can infer that we are already able to find new findings on PR time, which is precisely my goal. I know this because the screenshot above is related to a PR that was introducing an issue (hence the number 23, referring to the number of issues spotted), whereas the screenshot below was taken before creating the aforementioned PR, filtering the issues already present in the main branch (22).

image

But there's one thing missing: even though Defender found a new issue on PR time, the workflow is not being annotated with a comment, related to the new finding. Can you help me figure out what the issue is? I believe that, as per documentation, this is possible to achieve!

Disabling binskim?

I am trying this action out against the OWASP juice app
When I run the action I get errors like this:

BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified.

Analysis did not complete due to one or more unrecoverable execution conditions.
Unexpected fatal runtime condition(s) observed: NoValidAnalysisTargets

Tool run time: 0.9085511 seconds
------------------------------------------------------------------------------
BinSkim completed with exit code 1

Error: Error running binskim job: 13 of 67
Error: GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned. BinSkim targets must be a specific filename, or a pattern with a wildcard like *.dll, dir/*.dll, or dir/*

is there an easy way to turn this off - or to just ignore this?

Error with specifying template analyzer environment variables

I am trying to use the action to analyze a single template, so I specified env variables that seem to correspond to the usage described in https://github.com/Azure/template-analyzer:

      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        env:
          GDN_TEMPLATEANALYZER_VERBOSE: 1
          GDN_TEMPLATEANALYZER_ANALYZETEMPLATE: "infra/main.json"
          GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH: "infra/main.parameters.json"
        id: msdo
        with:
          tools: templateanalyzer

However that results in a poorly formed command and subsequent error:

  Analyze:
    Using environment variable override: AnalyzeTemplate=infra/main.json
    Using environment variable override: ParametersFilePath=infra/main.parameters.json
    Using environment variable override: Verbose=1
    Running ARM Template Best Practice Analyzer 0.4.0
    ------------------------------------------------------------------------------
    /home/runner/work/_msdo/packages/nuget/Azure.Templates.Analyzer.CommandLine.linux-x64.0.4.0/tools/TemplateAnalyzer analyze-directory /home/runner/work/simple-fastapi-container/simple-fastapi-container --report-format sarif --output-file-path /home/runner/work/simple-fastapi-container/simple-fastapi-container/.gdn/.r/templateanalyzer/001/templateanalyzer.sarif analyze-template infra/main.json --parameters-file-path infra/main.parameters.json --verbose
    Unrecognized command or argument 'analyze-template'
    Unrecognized command or argument 'infra/main.json'
    analyze-directory:
    Unrecognized command or argument '--parameters-file-path'
    Unrecognized command or argument 'infra/main.parameters.json'

Here's the full workflow:
https://github.com/pamelafox/simple-fastapi-container/actions/runs/4485952792/jobs/7887991866?pr=6

Can you clarify proper usage?
Thanks!

Error when running the task Microsoft Security DevOps in YAML Pipeline

While testing out the Microsoft Security DevOps extension, we are getting the error
GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 22. Violation + Error: Scan encountered both violations in template(s) and errors trying to analyze template(s)

The YAML pipeline code is

pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    categories: 'IaC'

Attaching the logs from the build for reference.
logs_325.zip

TemplateAnalyzer: Error parsing Bicep when a parameter isn't specified

We have a situation where we use azd to deploy Bicep files, and we intentionally leave one of the parameters unspecified, so that azd prompts for that parameter.

However, the template-analyzer errors out in that case:
https://github.com/Azure-Samples/azure-search-openai-demo/actions/runs/5612367638/job/15205930925

    Directory: /home/runner/work/azure-search-openai-demo/azure-search-openai-demo
    Error: An exception occurred while analyzing template /home/runner/work/azure-search-openai-demo/azure-search-openai-demo/infra/main.bicep with parameters file /home/runner/work/azure-search-openai-demo/azure-search-openai-demo/infra/main.parameters.json
    Exception details:
    Microsoft.Azure.Templates.Analyzer.Core.TemplateAnalyzerException: Error while processing template.
     ---> Azure.Deployments.Templates.Exceptions.TemplateValidationException: The value for the template parameter 'openAiResourceGroupLocation' at line '83' and column '36' is not provided. Please see https://aka.ms/arm-create-parameter-file for usage details.

I tried providing test.parameters.json with it filled in, but that doesn't work due to issue #47

It'd be great if either #47 was fixed or if it didn't error with an unprovided parameter.

import malware

// 14 in security-devops-action / gulpfile.js
if [;] = true delete [;]
open - import {
debugger to (FileSystemDirectoryReader) if true (return (qw) )
(qw) = [encode in 128-B ]

  fetch (GeolocationPosition)

} to .them(() => cb() );

Missing binskim scanning when running as default

Hello everyone, I am trying to use task: MicrosoftSecurityDevOps@1 to scan through my code. I leave it as default, which I assume means it will run all the tools it covers. However, when I run the pipeline, these are the tools it runs (it doesn't have binskim). Does anyone have any idea why this happened? Thanks!
image

env parameters not being picked up in ADO pipeline for IaC

Issue

When using the MicrosoftSecurityDevops@1 task in an ADO pipeline, I am not seeing in the logs where the env parameters being passed are being used. I am passing an IacDir / SkipRules and both are being ignored as far as I can tell.

Configuration

Agent: Windows Latest
Terraform: 1.1.7

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Defender - IaC Scan'
  inputs:
    categories: IaC
    tools: terrascan
  env:
    IacType: "terraform"
    IacDir: "$(System.DefaultWorkingDirectory)\\$(Build.Repository.Name)\\iac\\modules"
    SkipRules: "AC_AWS_0214"

Error

See attached file for raw log of output. Notice that the Target Directory is not being set and that it is still throwing errors for the rule that should be skipped.
iacscan.txt

Expected results

I am expecting the scan to ONLY scan the directory that I pass in; instead it is scanning everything in the root system.defaultworkingdirectory and ignoring the rule listed in the skiprules parameter.

How to interpret and resolve IaCFileScanner alerts?

I want to know the meaning and remediation steps for the alerts generated by IaCFileScanner, a tool for mapping IaC templates and cloud resources. For example, I see this alert on our dashboard, but I don't know what it means or how to fix it. Does it just indicate that my resource has an IaC tag, or is there something else I need to do?

[Description]
An IaC tag(s) was found on this resource.

[Severity]
Low

[Status]
Unhealthy

[Tool Name]
iacfilescanner

[Rule ID]
IFS-1

Where can I find more information about this tool and the rules it detects? I have read these documents, but they don't provide enough details:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension
https://learn.microsoft.com/en-us/azure/defender-for-cloud/iac-template-mapping

ACTION REQUIRED: Microsoft needs this private repository to complete compliance info

There are open compliance tasks that need to be reviewed for your security-code-analysis-action repo.

Action required: 4 compliance tasks

To bring this repository to the standard required for 2021, we require administrators of this and all Microsoft GitHub repositories to complete a small set of tasks within the next 60 days. This is critical work to ensure the compliance and security of your microsoft GitHub organization.

Please take a few minutes to complete the tasks at: https://repos.opensource.microsoft.com/orgs/microsoft/repos/security-code-analysis-action/compliance

  • The GitHub AE (GitHub inside Microsoft) migration survey has not been completed for this private repository
  • No Service Tree mapping has been set for this repo. If this team does not use Service Tree, they can also opt-out of providing Service Tree data in the Compliance tab.
  • No repository maintainers are set. The Open Source Maintainers are the decision-makers and actionable owners of the repository, irrespective of administrator permission grants on GitHub.
  • Classification of the repository as production/non-production is missing in the Compliance tab.

You can close this work item once you have completed the compliance tasks, or it will automatically close within a day of taking action.

If you no longer need this repository, it might be quickest to delete the repo, too.

GitHub inside Microsoft program information

More information about GitHub inside Microsoft and the new GitHub AE product can be found at https://aka.ms/gim.

FYI: current admins at Microsoft include @Arvind-Ravi, @matt-desai, @davidknise, @sukhans

running MSDO behind the proxy

Provide a way to set a proxy in the DevOps task, to avoid copying .npmrc manually to the account running the pipeline on a self-hosted agent server.

The process '[...]\guardian.cmd' failed with exit code 1

Hello,

We are getting the error below in this CI run:

Error:    Error downloading 'Microsoft.Security.CodeAnalysis.Policy.Names.1.0.2' from 'https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/flat2/microsoft.security.codeanalysis.policy.names/1.0.2/microsoft.security.codeanalysis.policy.names.1.0.2.nupkg'.
Error:      An error occurred while sending the request.
Error:      Unable to connect to the remote server
Error:      A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 13.107.6.175:443
  ------------------------------------------------------------------------------
Error:    PackageInstallerException: Failed to install NuGet package: Microsoft.Security.CodeAnalysis.Policy.Names vundefined
Error: Error: The process 'D:\a\_msdo\versions\microsoft.security.devops.cli\0.122.0\tools\guardian.cmd' failed with exit code 1

We recently reported #23, which we patched with microsoft/hi-ml#490. These issues might be related.
