Compliance issue for [SFI-ES5.1] Azure Artifacts - Central Feed Services (CFS)

[Xieyan]

Hi Team,

I integrated this tool into our repo build pipeline, but encountered a compliance issue [SFI-ES5.1] related to Azure Artifacts - Central Feed Services (CFS). The requirement is that builds must pull open-source libraries from an [Azure Artifacts] feed. To resolve this, I tried using configuration options similar to those provided by other Azure DevOps tasks, providing the params like feedsToUse and nugetConfigPath, such as:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Template Analyzer'
  inputs:    
    tools: 'templateanalyzer'
    break: false
    feedsToUse: config
    nugetConfigPath: 'nuget.config'

However, this didn't work as expected. The logs show that MSDO is still retrieving the feed from the public source:

Installing Microsoft.Security.DevOps.Tools.Configuration from feed...
  ------------------------------------------------------------------------------
      GET https://msdous.pkgs.visualstudio.com/d1ee6cdc-c4ce-4e34-95df-4c038f0d3683/_packaging/7c44b921-ee7b-48f1-bad3-d9227399a9fc/nuget/v3/registrations2-semver2/microsoft.security.devops.tools.configuration/index.json
      OK https://msdous.pkgs.visualstudio.com/d1ee6cdc-c4ce-4e34-95df-4c038f0d3683/_packaging/7c44b921-ee7b-48f1-bad3-d9227399a9fc/nuget/v3/registrations2-semver2/microsoft.security.devops.tools.configuration/index.json 84ms

Should we consider supporting a feed suppression feature to help meet security compliance requirements?

Thanks,
Best regards,

[chrisnielsen-MS]

The feed from the logs here (msdous.pkgs.visualstudio.com/...) is an Azure Artifacts feed that we have set up to use for MSDO tools and configuration packages. It should be SFI-compliant. Are you running eslint as one of the static analysis tools in your pipeline? We have also been seeing this issue and believe it may be caused by the eslint tool install, as it is currently the only package that is an NPM package instead of a nuget package and it currently installs from registry.npmjs.org instead of the Azure Artifacts feed everything else uses. We have a feature planned to download the NPM package also through our public feed, and another feature planned to enable users to override the package source location, but they do not yet have ETAs.