From a90cb9b55705c89ee9c7eb39ce58492aae68937b Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Mon, 21 Apr 2025 09:43:40 -0400
Subject: [PATCH 1/3] Add Microsoft Security DevOps workflow for IaC scanning
---
 .../IACS-Microsoft-Security-DevOps.yml | 66 +++++++++++++++++++
 .../MSDO-Microsoft-Security-DevOps.yml | 54 +++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 .github/workflows/IACS-Microsoft-Security-DevOps.yml
 create mode 100644 .github/workflows/MSDO-Microsoft-Security-DevOps.yml
diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
new file mode 100644
index 0000000..e84b73a
--- /dev/null
+++ b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "IaC Scanning - Microsoft Security DevOps (MSDO) - Defender for DevOps"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '15 03 * * 5'
+
+permissions:
+ contents: read
+ id-token: write
+ actions: read
+ # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ security-events: write
+
+jobs:
+ MSDO:
+ # Windows and Linux agents are supported
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Microsoft Security DevOps
+ uses: microsoft/security-devops-action@v1.12.0
+ id: msdo
+ with:
+ # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
+ # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
+ categories: 'IaC' #string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
+ # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
+ # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
+
+ # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ - name: Upload results to Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+ # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ - name: Upload alerts file as a workflow artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: alerts
+ path: ${{ steps.msdo.outputs.sarifFile }}
\ No newline at end of file
diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
new file mode 100644
index 0000000..7900b82
--- /dev/null
+++ b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
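Review bot: Every third-party step in the new workflow is referenced only by a mutable tag — `microsoft/security-devops-action@v1.12.0`, `github/codeql-action/upload-sarif@v3`, `actions/checkout@v4` and `actions/upload-artifact@v3` — so whoever can move one of those tags chooses the code that runs with `security-events: write` and `id-token: write`, which is the risk the header's own "not certified by GitHub" notice describes. Pin each `uses:` to the full 40-character hexadecimal commit SHA of the release and keep the version readable in a trailing comment, e.g. `uses: microsoft/security-devops-action@<40-hex-commit-sha-of-v1.12.0> # v1.12.0`. PATCH 2/3 of this series attempts that, but the ref `1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v` contains letters beyond `f`, so it cannot be a git object id and the step could not resolve; PATCH 3/3 then falls back to the tag instead of substituting the real SHA. The same applies to the MSDO workflow hunk below and to both files in PATCH 2/3 and PATCH 3/3. Separately, the header states the action is in beta and runs only on `windows-latest` or Windows self-hosted agents while the job comment says `# Windows and Linux agents are supported`; one of the two is stale and should be aligned with the action's current documentation.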
@@ -0,0 +1,54 @@
+# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Security DevOps (MSDO) - Microsoft Defender For Devops"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '42 13 * * 5'
+
+permissions:
+ contents: read
+ id-token: write
+ actions: read
+ # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ security-events: write
+
+jobs:
+ MSDO:
+ # Windows and Linux agents are supported
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Microsoft Security DevOps
+ uses: microsoft/security-devops-action@v1.12.0
+ id: msdo
+ # with:
+ # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
+ # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
+ # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
+ # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
+ # tools: string. Optional. A comma-separated list of analyzer tools to run.
Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
+
+ # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ - name: Upload results to Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+ # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+ - name: Upload alerts file as a workflow artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: alerts
+ path: ${{ steps.msdo.outputs.sarifFile }}
\ No newline at end of file
From 9aa22a0ac38fc9d43942d09b908ed94214db0e1a Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Mon, 21 Apr 2025 09:51:12 -0400
Subject: [PATCH 2/3] Update Microsoft Security DevOps action version and upload artifact action
---
 .github/workflows/IACS-Microsoft-Security-DevOps.yml | 4 ++--
 .github/workflows/MSDO-Microsoft-Security-DevOps.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
index e84b73a..317f769 100644
--- a/.github/workflows/IACS-Microsoft-Security-DevOps.yml
+++ b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
@@ -43,7 +43,7 @@ jobs:
 - uses: actions/checkout@v4

 - name: Run Microsoft Security DevOps
- uses: microsoft/security-devops-action@v1.12.0
+ uses: microsoft/security-devops-action@1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v
 id: msdo
 with:
 # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
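Review bot: `id-token: write` is granted but no step in this hunk exchanges the OIDC token (there is no cloud login step), so unless `microsoft/security-devops-action` consumes it internally — worth confirming against the action's documentation — the grant is unused and should be removed to keep the job at least privilege. The `Upload alerts file as a workflow artifact` step also publishes the complete SARIF as artifact `alerts`, which anyone with read access to the repository can download; on a public repository that makes untriaged findings retrievable before they are fixed, so either drop the step or set `retention-days` on it rather than relying on the repository default. That step's comment, `required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)`, appears copied from the `upload-sarif` step — the Security tab is fed by `github/codeql-action/upload-sarif`, not by the artifact — and should instead say that the step keeps a downloadable copy of the SARIF. The same three points apply to the IaC workflow hunk above.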
@@ -60,7 +60,7 @@ jobs:

 # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
 - name: Upload alerts file as a workflow artifact
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: alerts
 path: ${{ steps.msdo.outputs.sarifFile }}
\ No newline at end of file
diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
index 7900b82..a1b2f1b 100644
--- a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
+++ b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
@@ -31,7 +31,7 @@ jobs:
 - uses: actions/checkout@v4

 - name: Run Microsoft Security DevOps
- uses: microsoft/security-devops-action@v1.12.0
+ uses: microsoft/security-devops-action@1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v
 id: msdo
 # with:
 # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
@@ -48,7 +48,7 @@ jobs:

 # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
 - name: Upload alerts file as a workflow artifact
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: alerts
 path: ${{ steps.msdo.outputs.sarifFile }}
\ No newline at end of file
From 037ba625e06b2571187cd192db7ab72891d88448 Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Mon, 21 Apr 2025 09:53:17 -0400
Subject: [PATCH 3/3] Update Microsoft Security DevOps action version to v1.12.0 in workflows
---
 .github/workflows/IACS-Microsoft-Security-DevOps.yml | 2 +-
 .github/workflows/MSDO-Microsoft-Security-DevOps.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
index 317f769..6c2af9a 100644
--- a/.github/workflows/IACS-Microsoft-Security-DevOps.yml
+++ b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
@@ -43,7 +43,7 @@ jobs:
 - uses: actions/checkout@v4

 - name: Run Microsoft Security DevOps
- uses: microsoft/security-devops-action@1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v
+ uses: microsoft/security-devops-action@v1.12.0
 id: msdo
 with:
 # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
index a1b2f1b..b8bedf4 100644
--- a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
+++ b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
@@ -31,7 +31,7 @@ jobs:
 - uses: actions/checkout@v4

 - name: Run Microsoft Security DevOps
- uses: microsoft/security-devops-action@1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v
+ uses: microsoft/security-devops-action@v1.12.0
 id: msdo
 # with:
 # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').