Configure the Microsoft Security DevOps GitHub action
Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Security DevOps installs, configures, and runs the latest versions of static analysis tools such as, SDL, security and compliance tools. Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.
Microsoft Security DevOps uses the following Open Source tools:
| Name | Language | License |
|---|---|---|
| AntiMalware | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary--Windows, ELF | MIT License |
| ESlint | JavaScript | MIT License |
| Template Analyzer | ARM Template, Bicep | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | container images, Infrastructure as Code (IaC) | Apache License 2.0 |
Prerequisites
An Azure subscription If you don’t have an Azure subscription, create a free account before you begin.
Follow the guidance to set up GitHub Advanced Security to view the DevOps posture assessments in Defender for Cloud.
Open the Microsoft Security DevOps GitHub action in a new window.
Ensure that Workflow permissions are set to Read and Write on the GitHub repository. This includes setting "id-token: write" permissions in the GitHub Workflow for federation with Defender for Cloud.
Configure the Microsoft Security DevOps GitHub action
To setup GitHub action:
Sign in to GitHub.
Select a repository you want to configure the GitHub action to.
Select Actions.
Select New workflow.
On the Get started with GitHub Actions page, select set up a workflow yourself
In the text box, enter a name for your workflow file. For example,
msdevopssec.yml.
Copy and paste the following sample action workflow into the Edit new file tab.
name: MSDO windows-latest on: push: branches: - main jobs: sample: name: Microsoft Security DevOps Analysis # MSDO runs on windows-latest. # ubuntu-latest also supported runs-on: windows-latest permissions: contents: read id-token: write security-events: write steps: # Checkout your code repository to scan - uses: actions/checkout@v3 # Run analyzers - name: Run Microsoft Security DevOps Analysis uses: microsoft/security-devops-action@latest id: msdo with: # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub. # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. # Upload alerts to the Security tab - name: Upload alerts to Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} # Upload alerts file as a workflow artifact - name: Upload alerts file as a workflow artifact uses: actions/upload-artifact@v3 with: name: alerts path: ${{ steps.msdo.outputs.sarifFile }}Note
For additional tool configuration options, see the Microsoft Security DevOps wiki
Select Start commit
Select Commit new file.
The process can take up to one minute to complete.
Select Actions and verify the new action is running.
View Scan Results
To view your scan results:
Sign in to GitHub.
Navigate to Security > Code scanning alerts > Tool.
From the dropdown menu, select Filter by tool.
Code scanning findings will be filtered by specific MSDO tools in GitHub. These code scanning results are also pulled into Defender for Cloud recommendations.
Learn more
Learn about GitHub actions for Azure.
Learn how to deploy apps from GitHub to Azure.
Related content
Learn more about DevOps security in Defender for Cloud.
Learn how to connect your GitHub Organizations to Defender for Cloud.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for