diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml new file mode 100644 index 0000000..6c2af9a --- /dev/null +++ b/.github/workflows/IACS-Microsoft-Security-DevOps.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools +# (including, but not limited to, SDL/security and compliance tools). +# +# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, +# as well as Windows self hosted agents. ubuntu-latest support coming soon. +# +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github + +name: "IaC Scanning - Microsoft Security DevOps (MSDO) - Defender for DevOps" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '15 03 * * 5' + +permissions: + contents: read + id-token: write + actions: read + # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + security-events: write + +jobs: + MSDO: + # Windows and Linux agents are supported + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.12.0 + id: msdo + with: + # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). + # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub. + categories: 'IaC' #string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. + # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. + # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. + + # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} + + # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + - name: Upload alerts file as a workflow artifact + uses: actions/upload-artifact@v4 + with: + name: alerts + path: ${{ steps.msdo.outputs.sarifFile }} \ No newline at end of file diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml new file mode 100644 index 0000000..b8bedf4 --- /dev/null +++ b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml @@ -0,0 +1,54 @@ +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github + +name: "Microsoft Security DevOps (MSDO) - Microsoft Defender For Devops" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '42 13 * * 5' + +permissions: + contents: read + id-token: write + actions: read + # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + security-events: write + +jobs: + MSDO: + # Windows and Linux agents are supported + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.12.0 + id: msdo + # with: + # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). + # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub. + # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. + # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. + # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. + + # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} + + # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + - name: Upload alerts file as a workflow artifact + uses: actions/upload-artifact@v4 + with: + name: alerts + path: ${{ steps.msdo.outputs.sarifFile }} \ No newline at end of file