Azure · dmereszMS · Mar 5, 2024
@@ -36,9 +36,6 @@
   [optional] 
   Threshold to fail gate on Low severity findings count in scan (default is 15)
   ** In the case of High servirty finging gate will always fail.**
-.PARAMETER ignoreNonPatchable
-  [optional]
-  Flag to set whether to fileter out non patchble findings from report (default is $false)
 
 
 .EXAMPLE
@@ -75,10 +72,7 @@ Param(
 	$mediumFindingsCountFailThreshold = 5,
 
 	# Low servrity findings failure threshold
-	$lowFindingsCountFailThreshold = 15,
-
-	# Image tag
- 	$ignoreNonPatchable = $false
+	$lowFindingsCountFailThreshold = 15
 )
 
 
@@ -98,14 +92,14 @@ Write-Host "Image Digest: $imageDigest"
 # All images scan summary ARG query.
 $query = "securityresources
  | where type == 'microsoft.security/assessments/subassessments'
- | where id matches regex  '(.+?)/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
+ | where id matches regex  '(.+?)/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5/'
  | extend registryResourceId = tostring(split(id, '/providers/Microsoft.Security/assessments/')[0])
  | extend registryResourceName = tostring(split(registryResourceId, '/providers/Microsoft.ContainerRegistry/registries/')[1])
- | extend imageDigest = tostring(properties.additionalData.imageDigest)
- | extend repository = tostring(properties.additionalData.repositoryName)
- | extend patchable = tobool(properties.additionalData.patchable)
+ | extend imageDigest = tostring(properties.additionalData.artifactDetails.digest)
+ | extend repository = tostring(properties.additionalData.artifactDetails.repositoryName)
+ | extend fixStatus = tostring(properties.additionalData.softwareDetails.fixStatus)
  | extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
- | summarize findingsCountOverAll = count(), scanFindingSeverityCount = countif(patchable or not(tobool($ignoreNonPatchable))) by scanFindingSeverity, scanStatus, registryResourceId, registryResourceName, repository, imageDigest
+ | summarize findingsCountOverAll = count(), scanFindingSeverityCount = countif(fixStatus == 'FixAvailable') by scanFindingSeverity, scanStatus, registryResourceId, registryResourceName, repository, imageDigest
  | summarize findingsCountOverAll = sum(findingsCountOverAll), severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryResourceName, repository, imageDigest, scanStatus
  | summarize findingsCountOverAll = sum(findingsCountOverAll) , scanReport = make_bag_if(pack('scanStatus', scanStatus, 'scanSummary', severitySummary), scanStatus != 'NotApplicable')by registryResourceId, registryResourceName, repository, imageDigest
  | extend IsScanned = iif(findingsCountOverAll > 0, true, false)"
@@ -148,13 +142,6 @@ if($scanReportRow.IsScanned -ne 1){
 	exit 1
 }
 
-if ($ignoreNonPatchable)
-{
-  Write-Host "Notice: Filtering non patchble findings Flag is on! this will be cleared from $($scanReportRow.findingsCountOverAll) findinds overall"
-  Write-Host ""
-}
-
-
 $scanReport = $scanReportRow.scanReport
 Write-Host "Scan report $($scanReport | out-string)"
 
@@ -171,7 +158,7 @@ if($scanReport.scanstatus -eq "unhealthy")
 	}
 	else
 	{
-		Write-Warning "Helathy scan result, as vulnerabilities found in image did not surpass thresholds"
+		Write-Warning "Healthy scan result, as vulnerabilities found in image did not surpass thresholds"
 		exit 0
 	}
 }
@@ -180,7 +167,7 @@ elseif($scanReport.scanstatus -eq "healthy"){
 	exit 0
 }
 else{
-	Write-Host "All non Applicable reuslts Scan -> default as all findings non applicable"
+	Write-Host "All non Applicable results Scan -> default as all findings non applicable"
 	exit 0
 }