advanced-security · felickz · Aug 1, 2025 · Aug 1, 2025 · Aug 1, 2025 · Aug 1, 2025
@@ -66,8 +66,15 @@ typings/
 # next.js build output
 .next
 
-# Output from scanning 
+# Output from scanning
 output.json
 
 # Component Detection binary downloaded by tests
-component-detection
+component-detection
+
+# ADO VSIX
+*.vsix
+*.vsix.zip
+
+# CD EXE
+*.exe
@@ -0,0 +1,149 @@
+# Component Detection for Azure DevOps
+
+This Azure DevOps extension allows you to run Microsoft's component detection library in your Azure DevOps pipelines and submit the detected dependencies to GitHub's dependency graph.
+
+## Overview
+
+This task runs component detection against your repository and submits the discovered dependencies to a GitHub repository's dependency graph using the GitHub Dependency Submission API. This enables:
+
+- **Enhanced Security**: Get Dependabot alerts for vulnerabilities in dependencies detected by component detection
+- **Supply Chain Visibility**: Comprehensive dependency tracking across multiple package ecosystems
+- **Cross-Platform Support**: Works with Azure DevOps while submitting to GitHub
+
+## Key Features
+
+- Supports all package ecosystems that component detection supports (npm, NuGet, Maven, pip, etc.)
+- Automatic binary download of the latest component detection CLI
+- Flexible configuration options for detection parameters
+- Secure submission to GitHub using personal access tokens
+
+## Prerequisites
+
+1. **GitHub Repository**: A GitHub repository where you want to submit dependency information
+2. **GitHub Token**: A GitHub Personal Access Token with `Contents` repository permissions (write)
+3. **Azure DevOps Pipeline**: An Azure DevOps pipeline with access to your source code
+
+## Usage
+
+### Basic Usage
+
+```yaml
+# azure-pipelines.yml
+trigger:
+- main
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+steps:
+- task: component-detection-task@0
+  displayName: 'Component Detection'
+  inputs:
+    githubRepository: 'your-org/your-repo'
+    token: '$(GITHUB_TOKEN)'
+```
+
+### Advanced Configuration
+
+```yaml
+steps:
+- task: component-detection-task@0
+  displayName: 'Component Detection with Custom Settings'
+  inputs:
+    githubRepository: 'your-org/your-repo'
+    token: '$(GITHUB_TOKEN)'
+    filePath: '$(Build.SourcesDirectory)/src'
+    directoryExclusionList: 'node_modules,test'
+    detectorsCategories: 'NuGet,Npm'
+    correlator: 'backend-dependencies'
+```
+
+## Configuration Options
+
+| Parameter | Description | Required | Default |
+|-----------|-------------|----------|---------|
+| `githubRepository` | GitHub repository to submit dependencies to (format: owner/repo) | Yes | |
+| `token` | GitHub Personal Access Token with Contents write permissions | Yes | |
+| `filePath` | Path to scan for dependencies | No | `$(Build.SourcesDirectory)` |
+| `directoryExclusionList` | Directories to exclude (minimatch pattern) | No | |
+| `detectorArgs` | Comma-separated detector arguments | No | |
+| `dockerImagesToScan` | Docker images to scan | No | |
+| `detectorsFilter` | Specific detectors to use | No | |
+| `detectorsCategories` | Categories of detectors to run | No | |
+| `correlator` | Identifier for dependency snapshots | No | Job name |
+| `detector-name` | Custom detector name | No | |
+| `detector-version` | Custom detector version | No | |
+| `detector-url` | Custom detector URL | No | |
+| `snapshot-sha` | Override commit SHA | No | |
+| `snapshot-ref` | Override Git reference | No | |
+
+## Setting Up GitHub Token
+
+1. Go to GitHub → Settings → Developer settings → Personal access tokens
+2. Create a new token with `Contents` repository permissions (write)
+3. Store the token as a pipeline variable in Azure DevOps:
+   - Go to your pipeline → Edit → Variables
+   - Add a new variable named `GITHUB_TOKEN`
+   - Set the value to your GitHub token
+   - Mark it as secret
+
+## Supported Package Ecosystems
+
+Component detection supports:
+- **JavaScript**: npm, Yarn
+- **.NET**: NuGet, .NET CLI
+- **Java**: Maven, Gradle
+- **Python**: pip, Poetry, conda
+- **Ruby**: RubyGems, Bundler
+- **Go**: Go modules
+- **Rust**: Cargo
+- **PHP**: Composer
+- **C/C++**: vcpkg, Conan
+- **Container Images**: Docker
+- And more...
+
+## How It Works
+
+1. **Download**: The task downloads the latest component detection binary
+2. **Scan**: Runs component detection against your specified directory
+3. **Process**: Converts the detected components into dependency manifests
+4. **Submit**: Submits the dependency snapshot to GitHub's dependency graph via API
+
+## Troubleshooting
+
+### Common Issues
+
+**"githubRepository input is required"**
+- Ensure you've specified the `githubRepository` parameter in the correct format: `owner/repo`
+
+**"Failed to download latest release"**
+- Check network connectivity and GitHub API access
+- Verify the GitHub token has appropriate permissions
+
+**"Failed to submit snapshot"**
+- Verify the GitHub token has `Contents` write permissions for the target repository
+- Check that the repository exists and is accessible
+
+### Debug Mode
+
+Enable debug logging by setting the system debug variable:
+
+```yaml
+variables:
+  system.debug: true
+```
+
+## Architecture
+
+This extension uses a platform abstraction layer that allows the same core component detection logic to work in both GitHub Actions and Azure DevOps environments. The key differences:
+
+- **GitHub Actions**: Uses native GitHub context and submits to the same repository
+- **Azure DevOps**: Requires explicit GitHub repository configuration and token
+
+## Contributing
+
+See the [main repository](https://github.com/advanced-security/component-detection-dependency-submission-action) for contribution guidelines.
+
+## License
+
+This project is licensed under the MIT License.
@@ -0,0 +1,113 @@
+# Deployment Guide
+
+This repository now supports both GitHub Actions and Azure DevOps platforms through a platform abstraction layer.
+
+## GitHub Actions (Original)
+
+The GitHub Actions version continues to work as before:
+
+```bash
+npm install
+npm run prepare
+npm test
+```
+
+## Azure DevOps Extension
+
+### Prerequisites
+
+1. Install tfx-cli globally:
+```bash
+npm install -g tfx-cli
+```
+
+2. Install dependencies:
+```bash
+npm install
+```
+
+### Building the ADO Extension
+
+1. Build the ADO-specific bundle:
+```bash
+npm run ado:build
+```
+
+2. Create the extension package:
+```bash
+npm run ado:package
+```
+
+This creates a `.vsix` file that can be uploaded to Azure DevOps.
+
+### Publishing to Azure DevOps Marketplace
+
+1. Get a Personal Access Token from Azure DevOps with Marketplace (Publish) scope
+2. Login to tfx:
+```bash
+tfx login
+```
+
+3. Publish the extension:
+```bash
+tfx extension publish --manifest-globs vss-extension.json
+```
+
+### Installing in Azure DevOps
+
+1. Go to Azure DevOps → Organization Settings → Extensions
+2. Browse Marketplace or upload the .vsix file
+3. Install the extension to your organization
+
+### Usage in Azure Pipelines
+
+```yaml
+# azure-pipelines.yml
+trigger:
+- main
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+steps:
+- task: component-detection-task@0
+  displayName: 'Component Detection'
+  inputs:
+    githubRepository: 'your-org/your-repo'
+    token: '$(GITHUB_TOKEN)'
+    filePath: '$(Build.SourcesDirectory)'
+```
+
+## Architecture Notes
+
+### Platform Abstraction
+
+The code uses a platform abstraction layer with these interfaces:
+- `ILoggerProvider`: Handles logging (core.debug vs console.log)
+- `IInputProvider`: Handles input parameters (core.getInput vs process.env)
+- `IContextProvider`: Handles repository context (GitHub context vs ADO variables)
+
+### Key Differences
+
+**GitHub Actions**:
+- Uses `@actions/core` and `@actions/github`
+- Automatically gets repository context
+- Uses GitHub token from action context
+
+**Azure DevOps**:
+- Uses Azure DevOps task library patterns
+- Requires explicit GitHub repository specification
+- Requires explicit GitHub token input
+- Creates mock GitHub context for dependency submission
+
+### Testing
+
+Tests are designed to work with both platforms by using the platform abstraction layer.
+
+```bash
+# Run tests
+npm test
+
+# Run tests in watch mode
+npm run test -- --watch
+```
@@ -1,11 +1,35 @@
 # Component detection dependency submission action
 
-This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.
+This project provides component detection and dependency submission for both **GitHub Actions** and **Azure DevOps** platforms. It runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time and uploads the results to GitHub's dependency graph via the dependency submission API.
+
+## Platform Support
+
+- **GitHub Actions**: Run component detection and submit to the same repository's dependency graph
+- **Azure DevOps**: Run component detection in ADO pipelines and submit to a specified GitHub repository
+
+Both platforms provide enhanced Dependabot alerts and support for numerous package ecosystems.
+
+## Configuration Options
+
+All the following configuration options are available for both GitHub Actions and Azure DevOps platforms:
+
+| Parameter | Description | Example |
+| --- | --- | --- |
+filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
+directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
+detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
+dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on |  ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
+detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
+detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm`
+correlator | An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the [job_id](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job | `csharp-backend`
+
+For more information: https://github.com/microsoft/component-detection
+
+## GitHub Actions Usage
 
 ### Example workflow
 
 ```yaml
-
 name: Component Detection
 
 on:
@@ -25,19 +49,31 @@ jobs:
         uses: advanced-security/[email protected]
 ```
 
-### Configuration options
+## Azure DevOps Usage
 
-| Parameter | Description | Example |
-| --- | --- | --- |
-filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
-directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
-detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
-dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on |  ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
-detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
-detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm`
-correlator | An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the [job_id](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job | `csharp-backend`
+### Quick Start
 
-For more information: https://github.com/microsoft/component-detection
+```yaml
+# azure-pipelines.yml
+steps:
+- task: component-detection-task@0
+  displayName: 'Component Detection'
+  inputs:
+    githubRepository: 'your-org/your-repo'
+    token: '$(GITHUB_TOKEN)'
+```
+
+### Azure DevOps Requirements
+
+The Azure DevOps version requires:
+- A GitHub repository where dependencies will be submitted
+- A GitHub Personal Access Token with Contents write permissions
+
+For detailed setup and usage instructions, see the [Azure DevOps README](ADO-README.md).
+
+## Development
+
+See [DEPLOYMENT.md](DEPLOYMENT.md) for information about building and deploying both versions.
 
 # License
 This project is licensed under the terms of the MIT open source license. Please refer to [MIT](LICENSE.md) for the full terms.
@@ -0,0 +1 @@
+export {};