feat(break): add break-on-detections input to enable build failure on vulnerabilities AB#36807380 (#160)

Co-authored-by: Dima Birenbaum <dbirenbaum@microsoft.com>

Author: DimaBir

action.yml

@@ -20,6 +20,9 @@ inputs:
     description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy.
   includeTools:
     description: Deprecated
+  break-on-detections:
+    description: If true, the action will fail the build when vulnerabilities are detected at or above the configured severity. Requires toolkit support for MSDO_BREAK.
+    default: 'false'
   existingFilename:
     description: A SARIF filename that already exists. If it does, then the normal run will not take place and the file will instead be uploaded to MSDO backend.
 outputs:

lib/msdo.js

@@ -112,6 +112,11 @@ class MicrosoftSecurityDevOps {
                 }
                 args.push('--github');
             }
+            let breakOnDetections = core.getInput('break-on-detections');
+            if (breakOnDetections && breakOnDetections.trim().toUpperCase() === 'TRUE') {
+                process.env.MSDO_BREAK = 'true';
+                core.debug('break-on-detections is enabled, set MSDO_BREAK=true');
+            }
             yield client.run(args, 'microsoft/security-devops-action');
         });
     }

src/msdo.ts

@@ -97,6 +97,12 @@ export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps {
             args.push('--github');
         }
 
+        let breakOnDetections: string = core.getInput('break-on-detections');
+        if (breakOnDetections && breakOnDetections.trim().toUpperCase() === 'TRUE') {
+            process.env.MSDO_BREAK = 'true';
+            core.debug('break-on-detections is enabled, set MSDO_BREAK=true');
+        }
+
         await client.run(args, 'microsoft/security-devops-action');
     }
 }