Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
microsoft image/svg+xml

GitHub Action

security-devops-action

v1.5.0

security-devops-action

microsoft image/svg+xml

security-devops-action

Run security analyzers

Installation

Copy and paste the following snippet into your .yml file.

              

- name: security-devops-action

uses: microsoft/security-devops-action@v1.5.0

Learn more about this action in microsoft/security-devops-action

Choose a version

microsoft/security-devops-action (Preview)

Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in or MSDO can convert their results to SARIF, MSDO imports into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.

Run locally. Run remotely.

Microsoft Security DevOps windows-latest
Microsoft Security DevOps ubuntu-latest

This action runs the Microsoft Security DevOps CLI for security analysis:

  • Installs the Microsoft Security DevOps CLI
  • Installs the latest Microsoft security policy
  • Installs the latest Microsoft and 3rd party security tools
  • Automatic or user-provided configuration of security tools
  • Execution of a full suite of security tools
  • Normalized processing of results into the SARIF format
  • Build breaks and more

Limitations

The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

Usage

See action.yml

Basic

Run Microsoft Security DevOps (MSDO) with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: |
      5.0.x
      6.0.x
- name: Run Microsoft Security DevOps
  uses: microsoft/security-devops-action@preview
  id: msdo
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.msdo.outputs.sarifFile }}

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running MSDO. MSDO sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.msdo.outputs.sarifFile }}

Open Source Tools

Name Language License
Bandit python Apache License 2.0
BinSkim binary - Windows, ELF MIT License
ESlint JavaScript MIT License
Template Analyzer Infrastructure-as-code (IaC), ARM templates MIT License
Terrascan Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles Apache License 2.0
Trivy container images, file systems, and git repositories Apache License 2.0

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the MSDO action's output.

License

The scripts and documentation in this project are released under the MIT License

Contributing

Contributions are welcome! See the Contributor's Guide.