Tracking issue split out from the diagnostic discussion in #163 so this can be assigned and worked independently. See #163 for the full investigation history.
Spec: Promote CKV_AZUREPIPELINES_* severity from note → warning
The implementation lives in Microsoft's internal Guardian severity-policy, but the acceptance criteria below are verifiable against the public MSDO task's output, so completion can be validated end-to-end without any internal artifacts.
Background
From #163:
- Checkov 3.2.497 produces
CKV_AZUREPIPELINES_1 / _2 findings against azure-pipelines.yml.
- Guardian's Checkov severity-mapping policy maps these rule IDs to SARIF
level: "note" in the published msdo.sarif.
- The SARIF Scans Tab extension's default filter hides
note-level findings, so the results land in the published artifact but are invisible to users by default.
- The same mechanism downgrades
CKV_AZURE_177 to warning (still visible). The asymmetry between warning (visible) and note (hidden) is the user-visible bug.
Change
In Guardian's Checkov severity-mapping policy:
- Map every rule whose ID matches
^CKV_AZUREPIPELINES_ to SARIF level: "warning".
- Prefer a prefix/wildcard rule over per-rule entries, so future additions to Checkov's
azure_pipelines framework inherit the promotion without policy churn.
- Place the rule in the same policy file used for the existing
CKV_AZURE_177 downgrade, for locality and consistency.
Out of scope
- Upstream Checkov default severities (owned by Prisma Cloud).
- SARIF Scans Tab's default filter — separate UX concern; will be filed as a follow-up.
- Exposing per-rule severity overrides in
.gdnconfig — separate feature.
Acceptance criteria
Each criterion is a hard requirement and must have an automated check or a documented manual verification step.
AC1 — Severity in published SARIF. Running MicrosoftSecurityDevOps@1 (Checkov enabled, default policy: 'azuredevops') against a fixture repo whose azure-pipelines.yml triggers CKV_AZUREPIPELINES_2 (e.g., a step referencing a container image tagged :latest) MUST yield a msdo.sarif where every CKV_AZUREPIPELINES_* result has level == "warning". Verified by:
jq '[.runs[]
| select(.tool.driver.name == "checkov")
| .results[]
| select(.ruleId | startswith("CKV_AZUREPIPELINES_"))
| .level] | unique' /home/vsts/work/1/a/.gdn/msdo.sarif
# Expected: ["warning"]AC2 — Scans Tab visibility. With the SARIF Scans Tab extension at its default severity filter, CKV_AZUREPIPELINES_* findings MUST appear under the checkov tool collapse without the user enabling "Notes." Verified by screenshot of a build run against the fixture from AC1 attached to the PR.
AC3 — No regression for other Checkov rules. The severity mapping for every rule that is not CKV_AZUREPIPELINES_* MUST be unchanged. Verified by capturing baseline (pre-change) and post-change severity histograms over the fixture from AC1:
jq '[.runs[]
| select(.tool.driver.name == "checkov")
| .results[]
| {ruleId, level}]
| group_by(.ruleId)
| map({ruleId: .[0].ruleId, level: .[0].level})' /home/vsts/work/1/a/.gdn/msdo.sarifThe diff MUST contain only CKV_AZUREPIPELINES_* rows changing from note → warning.
AC4 — Build break unchanged. With MicrosoftSecurityDevOps@1 configured break: true and the default --min-severity Error, AZUREPIPELINES warnings MUST NOT break the build. Verified by running the fixture pipeline twice — once with break: true, once with break: false — both completing with succeeded status.
AC5 — Test coverage. A unit test in Guardian's severity-mapping suite MUST assert the new mapping for at least CKV_AZUREPIPELINES_1 and CKV_AZUREPIPELINES_2. Test placement and framework conventions to follow the existing tests for CKV_AZURE_177.
Deliverables
- Policy change in Guardian (one file).
- Unit test covering AC5.
- Integration fixture under
samples/ in this repo (microsoft/security-devops-azdevops) containing a minimal azure-pipelines.yml that triggers CKV_AZUREPIPELINES_2, with a short README.md describing the expected Scans Tab output. Submit as a separate PR against this repo so the fixture is reusable.
- Wiki update on the Home page Checkov section noting that
CKV_AZUREPIPELINES_* surface as warning-level findings.
Verification commands (paste-ready)
A reviewer should be able to copy these and verify a built artifact:
# All AZUREPIPELINES rules should be warning, none note:
jq '[.runs[] | select(.tool.driver.name=="checkov") | .results[]
| select(.ruleId | startswith("CKV_AZUREPIPELINES_")) | .level] | unique' msdo.sarif
# Verify no rule other than AZUREPIPELINES has flipped:
jq '[.runs[] | select(.tool.driver.name=="checkov") | .results[]
| {ruleId, level}] | unique' msdo.sarifDefinition of done
Original ask: #163
Spec: Promote
CKV_AZUREPIPELINES_*severity fromnote→warningThe implementation lives in Microsoft's internal Guardian severity-policy, but the acceptance criteria below are verifiable against the public MSDO task's output, so completion can be validated end-to-end without any internal artifacts.
Background
From #163:
CKV_AZUREPIPELINES_1/_2findings againstazure-pipelines.yml.level: "note"in the publishedmsdo.sarif.note-level findings, so the results land in the published artifact but are invisible to users by default.CKV_AZURE_177towarning(still visible). The asymmetry betweenwarning(visible) andnote(hidden) is the user-visible bug.Change
In Guardian's Checkov severity-mapping policy:
^CKV_AZUREPIPELINES_to SARIFlevel: "warning".azure_pipelinesframework inherit the promotion without policy churn.CKV_AZURE_177downgrade, for locality and consistency.Out of scope
.gdnconfig— separate feature.Acceptance criteria
Each criterion is a hard requirement and must have an automated check or a documented manual verification step.
AC1 — Severity in published SARIF. Running
MicrosoftSecurityDevOps@1(Checkov enabled, defaultpolicy: 'azuredevops') against a fixture repo whoseazure-pipelines.ymltriggersCKV_AZUREPIPELINES_2(e.g., a step referencing a container image tagged:latest) MUST yield amsdo.sarifwhere everyCKV_AZUREPIPELINES_*result haslevel == "warning". Verified by:AC2 — Scans Tab visibility. With the SARIF Scans Tab extension at its default severity filter,
CKV_AZUREPIPELINES_*findings MUST appear under thecheckovtool collapse without the user enabling "Notes." Verified by screenshot of a build run against the fixture from AC1 attached to the PR.AC3 — No regression for other Checkov rules. The severity mapping for every rule that is not
CKV_AZUREPIPELINES_*MUST be unchanged. Verified by capturing baseline (pre-change) and post-change severity histograms over the fixture from AC1:The diff MUST contain only
CKV_AZUREPIPELINES_*rows changing fromnote→warning.AC4 — Build break unchanged. With
MicrosoftSecurityDevOps@1configuredbreak: trueand the default--min-severity Error, AZUREPIPELINES warnings MUST NOT break the build. Verified by running the fixture pipeline twice — once withbreak: true, once withbreak: false— both completing withsucceededstatus.AC5 — Test coverage. A unit test in Guardian's severity-mapping suite MUST assert the new mapping for at least
CKV_AZUREPIPELINES_1andCKV_AZUREPIPELINES_2. Test placement and framework conventions to follow the existing tests forCKV_AZURE_177.Deliverables
samples/in this repo (microsoft/security-devops-azdevops) containing a minimalazure-pipelines.ymlthat triggersCKV_AZUREPIPELINES_2, with a shortREADME.mddescribing the expected Scans Tab output. Submit as a separate PR against this repo so the fixture is reusable.CKV_AZUREPIPELINES_*surface aswarning-level findings.Verification commands (paste-ready)
A reviewer should be able to copy these and verify a built artifact:
Definition of done
Original ask: #163