fix(m365): Container security fixes (#12)

* fix(m365): set user in docker container to ContainerUser

* fix(m365): manually install opa exe for better control of version

* fix: always run image scan so we can compare PRs

Author: jacdavi

.github/workflows/m365_image_build.yaml

@@ -128,9 +128,10 @@ jobs:
           exit 0
     outputs:
       image:  ${{ steps.build-and-push.outputs.image }}
-  m365-scan:
+  scan:
     name: Scan
-    if: github.ref == 'refs/heads/main'
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     permissions:
       security-events: write
     needs: build

m365/image/Dockerfile

@@ -1,6 +1,9 @@
 FROM mcr.microsoft.com/windows/servercore:ltsc2022
+SHELL ["powershell"]
+
 
 ARG SCUBAGEAR_VERSION=1.5.0
+ARG OPA_VERSION=1.3.0
 # Get static URL for current version: curl -s -D- https://aka.ms/downloadazcopy-v10-windows | grep ^Location
 # https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10?tabs=dnf#obtain-a-static-download-link
 ARG AZCOPY_URL=https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/releases/release-10.29.0-20250428/azcopy_windows_amd64_10.29.0.zip 
@@ -10,15 +13,22 @@ LABEL scubagear_version=${SCUBAGEAR_VERSION}
 WORKDIR /app
 
 # download azcopy exe to workdir
-RUN powershell Invoke-WebRequest -Uri %AZCOPY_URL% -OutFile AzCopy.zip -UseBasicParsing
-RUN powershell Expand-Archive .\AzCopy.zip ./AzCopy -Force
-RUN powershell $item = Get-ChildItem .\AzCopy\*\azcopy.exe; Move-Item -Path $item -Destination .
-RUN powershell Remove-Item AzCopy.zip; Remove-Item -r .\AzCopy
+RUN $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri $Env:AZCOPY_URL -OutFile AzCopy.zip -UseBasicParsing
+RUN Expand-Archive .\AzCopy.zip ./AzCopy -Force
+RUN $item = Get-ChildItem .\AzCopy\*\azcopy.exe; Move-Item -Path $item -Destination .
+RUN Remove-Item AzCopy.zip; Remove-Item -r .\AzCopy
 
 # Needed for setup module installs
-RUN powershell Install-PackageProvider -Name NuGet -Force
-RUN powershell Install-Module -Name ScubaGear -RequiredVersion %SCUBAGEAR_VERSION% -Force
-RUN powershell Initialize-SCuBA
+RUN Install-PackageProvider -Name NuGet -Force
+RUN Install-Module -Name ScubaGear -RequiredVersion $Env:SCUBAGEAR_VERSION -Force
+RUN Initialize-SCuBA -Scope AllUsers -NoOPA
 COPY run_container.ps1 .
 
+# manually install OPA, grant ContainerUser execute permissions, then switch to user
+ENV OPA_NAME="opa_windows_amd64.exe"
+RUN $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://openpolicyagent.org/downloads/v$($Env:OPA_VERSION)/opa_windows_amd64.exe -OutFile $Env:OPA_NAME -UseBasicParsing
+RUN if ((Get-FileHash $Env:OPA_NAME -Algorithm SHA256).Hash -ne ([System.Text.Encoding]::ASCII.GetString((Invoke-WebRequest -Uri https://openpolicyagent.org/downloads/v$($Env:OPA_VERSION)/opa_windows_amd64.exe.sha256 -UseBasicParsing).Content) -split ' ')[0]) { exit 1 }
+RUN icacls.exe $env:OPA_NAME /grant 'User Manager\ContainerUser:RX'
+USER ContainerUser
+
 CMD [ "powershell", ".\\run_container.ps1" ]

m365/image/run_container.ps1

@@ -40,6 +40,7 @@ Foreach ($tenantConfig in $(Get-ChildItem 'input\')) {
             AppID = $Env:APP_ID; # App ID; Needed for Service Principal Auth
             Organization = $org; # primary domain of the tenantConfig needed for Service Principal Auth
             OutPath = ".\reports\$($org)"; # The folder path where the output will be stored
+            OPAPath = "."
             ConfigFilePath = $tenantConfig.FullName
             Quiet = $true;
         }