Feat/add guardian #2
Changes from all commits: 0faf4f4, 97a9bdf, 7f8efdf, 5fbc31c, d32027b
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,202 @@ | ||||||||||||||||||
| --- | ||||||||||||||||||
| description: Implementation plan for adding Microsoft Security DevOps CLI (guardian) feature to devcontainer-features project | ||||||||||||||||||
| --- | ||||||||||||||||||
|
|
||||||||||||||||||
| # Microsoft Security DevOps CLI Feature Implementation Plan | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Overview | ||||||||||||||||||
|
|
||||||||||||||||||
| Add a new devcontainer feature to install Microsoft Security DevOps CLI (`guardian` command) by downloading the architecture-specific nuget package, extracting binaries to a common location, and adding to PATH. | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Verified Information | ||||||||||||||||||
|
|
||||||||||||||||||
| - **Nuget API behavior**: `https://www.nuget.org/api/v2/package/Microsoft.Security.DevOps.Cli.linux-x64` without version parameter redirects to latest version (0.215.0 as of test) | ||||||||||||||||||
| - **Available architectures**: Only `linux-x64` and `linux-arm64` (no musl, arm, or other variants) | ||||||||||||||||||
| - **Command name**: `guardian` (Microsoft.Guardian.Cli binary name) | ||||||||||||||||||
| - **All binaries in tools/**: The nuget package contains all binaries in the `tools/` directory | ||||||||||||||||||
| - **Init command**: `guardian init --force` requires a git repository, so cannot be run during feature installation | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Implementation Steps | ||||||||||||||||||
|
|
||||||||||||||||||
| ### 1. Create Feature Structure | ||||||||||||||||||
|
|
||||||||||||||||||
| Create `src/microsoft-security-devops-cli/` directory with: | ||||||||||||||||||
|
|
||||||||||||||||||
| #### `devcontainer-feature.json` | ||||||||||||||||||
| ```json | ||||||||||||||||||
| { | ||||||||||||||||||
| "id": "microsoft-security-devops-cli", | ||||||||||||||||||
| "version": "1.0.0", | ||||||||||||||||||
| "name": "Microsoft Security DevOps CLI", | ||||||||||||||||||
| "description": "Installs Microsoft Security DevOps CLI (guardian) for running security analysis tools", | ||||||||||||||||||
| "documentationURL": "https://github.com/rosstaco/devcontainer-features/tree/main/src/microsoft-security-devops-cli", | ||||||||||||||||||
| "options": { | ||||||||||||||||||
| "version": { | ||||||||||||||||||
| "type": "string", | ||||||||||||||||||
| "default": "latest", | ||||||||||||||||||
| "description": "Version of Microsoft Security DevOps CLI to install. Use 'latest' or a specific version like '0.215.0'" | ||||||||||||||||||
| }, | ||||||||||||||||||
| "installPath": { | ||||||||||||||||||
| "type": "string", | ||||||||||||||||||
| "default": "/usr/local/bin/guardian", | ||||||||||||||||||
| "description": "Directory where the guardian binaries will be installed" | ||||||||||||||||||
| } | ||||||||||||||||||
| }, | ||||||||||||||||||
| "installsAfter": [ | ||||||||||||||||||
| "ghcr.io/devcontainers/features/common-utils" | ||||||||||||||||||
| ] | ||||||||||||||||||
| } | ||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| #### `install.sh` | ||||||||||||||||||
| Key requirements: | ||||||||||||||||||
| - Use `set -e` for error handling | ||||||||||||||||||
| - Detect architecture: `x86_64` → `linux-x64`, `aarch64|arm64` → `linux-arm64`, else error | ||||||||||||||||||
| - Read options: `VERSION="${VERSION:-latest}"`, `INSTALL_PATH="${INSTALLPATH:-/usr/local/bin/guardian}"` | ||||||||||||||||||
| - Build download URL: | ||||||||||||||||||
| - For "latest": `https://www.nuget.org/api/v2/package/Microsoft.Security.DevOps.Cli.${ARCH}` | ||||||||||||||||||
| - For specific version: `https://www.nuget.org/api/v2/package/Microsoft.Security.DevOps.Cli.${ARCH}/${VERSION}` | ||||||||||||||||||
| - Download to temp file (e.g., `/tmp/guardian-cli.nupkg`) | ||||||||||||||||||
| - Unzip to temp directory (e.g., `/tmp/guardian-extract`) | ||||||||||||||||||
| - Copy all files from `tools/*` to `$INSTALL_PATH` | ||||||||||||||||||
| - Set executable permissions: `chmod +x $INSTALL_PATH/*` or individually for binaries | ||||||||||||||||||
| - Verify installation: `guardian --version` | ||||||||||||||||||
| - Output completion message with hint about `guardian init --force` command | ||||||||||||||||||
| - Use colored output (GREEN, RED, YELLOW, NC) like ohmyposh pattern | ||||||||||||||||||
|
|
||||||||||||||||||
| ### 2. Create Test Structure | ||||||||||||||||||
|
|
||||||||||||||||||
| Create `test/microsoft-security-devops-cli/` directory with: | ||||||||||||||||||
|
|
||||||||||||||||||
| #### `scenarios.json` | ||||||||||||||||||
| ```json | ||||||||||||||||||
| { | ||||||||||||||||||
| "version": { | ||||||||||||||||||
| "image": "ubuntu:latest", | ||||||||||||||||||
| "features": { | ||||||||||||||||||
| "microsoft-security-devops-cli": { | ||||||||||||||||||
| "version": "0.215.0" | ||||||||||||||||||
| } | ||||||||||||||||||
| } | ||||||||||||||||||
| }, | ||||||||||||||||||
| "custom-install-path": { | ||||||||||||||||||
| "image": "ubuntu:latest", | ||||||||||||||||||
| "features": { | ||||||||||||||||||
| "microsoft-security-devops-cli": { | ||||||||||||||||||
| "installPath": "/usr/bin" | ||||||||||||||||||
|
||||||||||||||||||
| } | ||||||||||||||||||
| } | ||||||||||||||||||
| } | ||||||||||||||||||
| } | ||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| #### `test.sh` | ||||||||||||||||||
| Tests to implement: | ||||||||||||||||||
| ```bash | ||||||||||||||||||
| #!/bin/bash | ||||||||||||||||||
| set -e | ||||||||||||||||||
| source dev-container-features-test-lib | ||||||||||||||||||
|
|
||||||||||||||||||
| check "guardian is installed" guardian --version | ||||||||||||||||||
| check "guardian is executable" which guardian | ||||||||||||||||||
| check "guardian binary in correct location" test -x /usr/local/bin/guardian/guardian | ||||||||||||||||||
| check "guardian can show help" guardian --help | ||||||||||||||||||
|
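Review bot: the `install.sh` requirements list has no step that puts `$INSTALL_PATH` on PATH, yet the Overview promises "adding to PATH" and the verification step calls `guardian --version` by bare name; because the default `/usr/local/bin/guardian` is a directory holding the whole `tools/` payload, nothing in `/usr/local/bin` itself resolves `guardian`, so the verify step will fail as written. Add an explicit step, for example a `containerEnv` entry in `devcontainer-feature.json` such as `"containerEnv": { "PATH": "/usr/local/bin/guardian:${PATH}" }` or an `/etc/profile.d` snippet, and keep `test -x /usr/local/bin/guardian/guardian` in `test.sh` consistent with it. Two smaller points in the same list: `chmod +x $INSTALL_PATH/*` should be quoted and limited to the actual executables rather than every file extracted from the package, and the download step should use `curl -fsSL` (so an HTTP error body is never unzipped as a package) and log the version the nuget.org redirect resolved to when `latest` is requested, since that redirect makes the installed build non-reproducible.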
Comment on lines +100 to +103
| check "guardian is installed" guardian --version | |
| check "guardian is executable" which guardian | |
| check "guardian binary in correct location" test -x /usr/local/bin/guardian/guardian | |
| check "guardian can show help" guardian --help | |
| check "guardian is installed" guardian version | |
| check "guardian is executable" which guardian | |
| check "guardian binary in correct location" test -x /usr/local/bin/guardian/guardian | |
| check "guardian can show help" guardian help |
Copilot AI, Nov 11, 2025
The plan document shows an incorrect default `installPath` value. Line 136 shows the default as "/usr/local/bin", but the actual default in both `devcontainer-feature.json` (line 15) and `install.sh` (line 8) is "/usr/local/bin/guardian". This documentation should be corrected to match the implementation.
| - `installPath` - Installation directory (default: "/usr/local/bin") | |
| - `installPath` - Installation path (default: "/usr/local/bin/guardian") |
Copilot AI, Nov 11, 2025
The design decision documented on line 170 states "No curl/unzip checks" and recommends relying on the `common-utils` feature via `installsAfter`. However, the actual implementation in `install.sh` (lines 18-47) does include checks and automatic installation of `curl` and `unzip`. This inconsistency between documentation and implementation should be resolved - either update the plan to reflect that dependencies are automatically installed, or remove the dependency installation code from the script.
| 1. **No curl/unzip checks**: Rely on `common-utils` feature via `installsAfter` to ensure dependencies are available | |
| 1. **Automatic curl/unzip checks and installation**: The feature checks for `curl` and `unzip` and installs them if missing, ensuring dependencies are available even if `common-utils` is not present. |
Copilot AI, Nov 11, 2025
The plan document shows `guardian --version` on line 187, but the actual implementation verifies installation using `command -v guardian` (line 148 in `install.sh`) and the tests use `guardian version` without dashes. The plan should be updated to match the actual verification approach.
| 7. Verifies guardian --version works | |
| 7. Verifies guardian is installed using command -v guardian |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,22 @@ | ||||||
| { | ||||||
| "id": "microsoft-security-devops-cli", | ||||||
| "version": "1.0.0", | ||||||
| "name": "Microsoft Security DevOps CLI", | ||||||
| "description": "Installs Microsoft Security DevOps CLI (guardian) for running security analysis tools", | ||||||
| "documentationURL": "https://github.com/rosstaco/devcontainer-features/tree/main/src/microsoft-security-devops-cli", | ||||||
| "options": { | ||||||
| "version": { | ||||||
| "type": "string", | ||||||
| "default": "latest", | ||||||
| "description": "Version of Microsoft Security DevOps CLI to install. Use 'latest' or a specific version like '0.215.0'" | ||||||
| }, | ||||||
| "installPath": { | ||||||
| "type": "string", | ||||||
| "default": "/usr/local/bin/guardian", | ||||||
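Review bot: `version` defaults to `latest`, which the plan resolves through the nuget.org redirect at install time, so two builds from the same `devcontainer.json` can install different CLI versions and an image cannot be reproduced later. Consider adding `"proposals": ["latest", "0.215.0"]` to the option so the tested pin is discoverable, and say in the description that pinning is recommended for reproducible images. `installPath` is also substituted straight into shell commands in `install.sh`; its description should state that the value must be an absolute path without spaces, or the script should validate it, and note that the default `/usr/local/bin/guardian` is a directory that the test suite hard-codes.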
| "default": "/usr/local/bin/guardian", | |
| "default": "/usr/local/bin", |
The plan's default test uses "ubuntu:latest" as the base image (line 75), but the actual test workflow in `.github/workflows/test.yaml` uses "mcr.microsoft.com/devcontainers/base:ubuntu" (line 3 in `scenarios.json`). While this might be intentional, the plan document should clarify which image is actually used for testing to avoid confusion.