|
| 1 | +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. |
| 2 | +# https://devopsshield.com |
| 3 | +############################################################## |
| 4 | +# This is a DevOps Shield - Application Security - Code Security Template. |
| 5 | + |
| 6 | +# This workflow template uses actions that are not certified by DevOps Shield. |
| 7 | +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. |
| 8 | + |
| 9 | +# Use this workflow template for integrating code security into your pipelines and workflows. |
| 10 | + |
| 11 | +# DevOps Shield Workflow Template Details: |
| 12 | +# ------------------------------------------------------------ |
| 13 | +# Code: GH_MSDO_Microsoft_Security_DevOps |
| 14 | +# Name: Microsoft Security DevOps (MSDO) - Defender for DevOps |
| 15 | +# DevSecOpsControls: SAST, CIS, IACS |
| 16 | +# Provider: Microsoft |
| 17 | +# Categories: Code Scanning, Dockerfile, Python, JavaScript, EcmaScript, TypeScript, C#, .NET, ARM Template, Bicep, Kubernetes, JSON, YAML, CloudFormation, HCL, Terraform |
| 18 | +# Description: |
| 19 | +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. |
| 20 | +# MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). |
| 21 | +# Defender for DevOps helps integrate multiple tools with Advanced Security and sends the results to Defender for Cloud dashboard. |
| 22 | +# Please note this workflow do not integrate with Microsoft Defender For DevOps. |
| 23 | +# You have to create an integration and provide permission before this can report data back to Azure. |
| 24 | +# Read the official documentation to find out more. |
| 25 | +# For more information: |
| 26 | +# https://github.com/microsoft/security-devops-action |
| 27 | +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action |
| 28 | +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github |
| 29 | +# ------------------------------------------------------------ |
| 30 | +# Source repository: https://github.com/microsoft/security-devops-action |
| 31 | +############################################################## |
| 32 | + |
| 33 | +name: Microsoft Security DevOps (MSDO) - Defender for DevOps |
| 34 | + |
| 35 | +on: |
| 36 | + push: |
| 37 | + branches: [ main ] |
| 38 | + pull_request: |
| 39 | + branches: [ main ] |
| 40 | + schedule: |
| 41 | + - cron: 0 0 * * 0 |
| 42 | + |
| 43 | +jobs: |
| 44 | + MSDO: |
| 45 | + name: Microsoft Security DevOps (MSDO) |
| 46 | + |
| 47 | + # Windows and Linux agents are supported |
| 48 | + runs-on: windows-latest |
| 49 | + |
| 50 | + permissions: |
| 51 | + contents: read |
| 52 | + # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) |
| 53 | + security-events: write |
| 54 | + |
| 55 | + steps: |
| 56 | + # Checkout your code repository to scan |
| 57 | + - uses: actions/checkout@v4 |
| 58 | + |
| 59 | + # Run analyzers |
| 60 | + - name: Run Microsoft Security DevOps |
| 61 | + uses: microsoft/security-devops-action@v1.6.0 |
| 62 | + id: msdo |
| 63 | + # with: |
| 64 | + # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). |
| 65 | + # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub. |
| 66 | + # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. |
| 67 | + # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. |
| 68 | + # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. |
| 69 | + |
| 70 | + # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) |
| 71 | + - name: Upload results to Security tab |
| 72 | + uses: github/codeql-action/upload-sarif@v3 |
| 73 | + with: |
| 74 | + sarif_file: ${{ steps.msdo.outputs.sarifFile }} |
0 commit comments