Merge branch 'main' into managed_identity

Author: jacdavi

.github/workflows/m365_image_build.yaml

@@ -16,6 +16,10 @@ env:
 
 jobs:
   build:
+    name: Build
+    runs-on: windows-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     # based on https://github.com/orgs/community/discussions/26253#discussioncomment-6745038
     # intent is to run on current ref, unless this is a scheduled run, then run on list defined below
     strategy:
@@ -29,7 +33,6 @@ jobs:
           - { scheduled: false }
         include:
           - ref: ${{ github.head_ref || github.ref_name }} 
-    runs-on: windows-latest
     permissions:
       contents: read
       packages: write
@@ -98,6 +101,7 @@ jobs:
 
           docker build $docker_args m365/image
           echo "digest=$(docker images --no-trunc --quiet $Env:IMAGE.ToLower())" >> $Env:GITHUB_OUTPUT
+          echo "image=$($Env:IMAGE.ToLower())" >> $Env:GITHUB_OUTPUT
           if ($Env:PUSH -eq "true") {
             docker push $Env:IMAGE.ToLower() --all-tags
           }
@@ -122,3 +126,26 @@ jobs:
             cosign sign --yes "$_@$digest"
           }
           exit 0
+    outputs:
+      image:  ${{ steps.build-and-push.outputs.image }}
+  scan:
+    name: Scan
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    permissions:
+      security-events: write
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ needs.build.outputs.image }}:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: m365-image

.github/workflows/terraform_scan.yaml

@@ -0,0 +1,32 @@
+name: Terraform Scan
+permissions:
+  security-events: write
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "main" ]
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: 'config'
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '0'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: terraform

m365/image/Dockerfile

@@ -1,24 +1,34 @@
 FROM mcr.microsoft.com/windows/servercore:ltsc2022
+SHELL ["powershell"]
+
 
 ARG SCUBAGEAR_VERSION=1.5.0
-# How URL is obtained for specific version:
+ARG OPA_VERSION=1.3.0
+# Get static URL for current version: curl -s -D- https://aka.ms/downloadazcopy-v10-windows | grep ^Location
 # https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10?tabs=dnf#obtain-a-static-download-link
-ARG AZCOPY_URL=https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/releases/release-10.27.1-20241113/azcopy_windows_amd64_10.27.1.zip 
+ARG AZCOPY_URL=https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/releases/release-10.29.0-20250428/azcopy_windows_amd64_10.29.0.zip 
 
 LABEL scubagear_version=${SCUBAGEAR_VERSION}
 
 WORKDIR /app
 
 # download azcopy exe to workdir
-RUN powershell Invoke-WebRequest -Uri %AZCOPY_URL% -OutFile AzCopy.zip -UseBasicParsing
-RUN powershell Expand-Archive .\AzCopy.zip ./AzCopy -Force
-RUN powershell $item = Get-ChildItem .\AzCopy\*\azcopy.exe; Move-Item -Path $item -Destination .
-RUN powershell Remove-Item AzCopy.zip; Remove-Item -r .\AzCopy
+RUN $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri $Env:AZCOPY_URL -OutFile AzCopy.zip -UseBasicParsing
+RUN Expand-Archive .\AzCopy.zip ./AzCopy -Force
+RUN $item = Get-ChildItem .\AzCopy\*\azcopy.exe; Move-Item -Path $item -Destination .
+RUN Remove-Item AzCopy.zip; Remove-Item -r .\AzCopy
 
 # Needed for setup module installs
-RUN powershell Install-PackageProvider -Name NuGet -Force
-RUN powershell Install-Module -Name ScubaGear -RequiredVersion %SCUBAGEAR_VERSION% -Force
-RUN powershell Initialize-SCuBA
+RUN Install-PackageProvider -Name NuGet -Force
+RUN Install-Module -Name ScubaGear -RequiredVersion $Env:SCUBAGEAR_VERSION -Force
+RUN Initialize-SCuBA -Scope AllUsers -NoOPA
 COPY run_container.ps1 .
 
+# manually install OPA, grant ContainerUser execute permissions, then switch to user
+ENV OPA_NAME="opa_windows_amd64.exe"
+RUN $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://openpolicyagent.org/downloads/v$($Env:OPA_VERSION)/opa_windows_amd64.exe -OutFile $Env:OPA_NAME -UseBasicParsing
+RUN if ((Get-FileHash $Env:OPA_NAME -Algorithm SHA256).Hash -ne ([System.Text.Encoding]::ASCII.GetString((Invoke-WebRequest -Uri https://openpolicyagent.org/downloads/v$($Env:OPA_VERSION)/opa_windows_amd64.exe.sha256 -UseBasicParsing).Content) -split ' ')[0]) { exit 1 }
+RUN icacls.exe $env:OPA_NAME /grant 'User Manager\ContainerUser:RX'
+USER ContainerUser
+
 CMD [ "powershell", ".\\run_container.ps1" ]

m365/image/run_container.ps1

@@ -77,6 +77,7 @@ Foreach ($tenantConfig in $(Get-ChildItem 'input\')) {
             AppID = $Env:APP_ID; # App ID; Needed for Service Principal Auth
             Organization = $org; # primary domain of the tenantConfig needed for Service Principal Auth
             OutPath = ".\reports\$($org)"; # The folder path where the output will be stored
+            OPAPath = "."
             ConfigFilePath = $tenantConfig.FullName
             Quiet = $true;
         }