Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in or MSDO can convert their results to SARIF, MSDO imports into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.
Run locally. Run remotely.
This action runs the Microsoft Security DevOps CLI for security analysis:
- Installs the Microsoft Security DevOps CLI
- Installs the latest Microsoft security policy
- Installs the latest Microsoft and 3rd party security tools
- Automatic or user-provided configuration of security tools
- Execution of a full suite of security tools
- Normalized processing of results into the SARIF format
- Build breaks and more
See action.yml
Run Microsoft Security DevOps (MSDO) with the default policy and recommended tools.
permissions:
security-events: write
steps:
- uses: actions/checkout@v3
- name: Run Microsoft Security DevOps
uses: microsoft/security-devops-action@latest
id: msdo
To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif
action immediately after running MSDO. MSDO sets the action output variable sarifFile
to the path of a single SARIF file that can be uploaded to this API.
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
To only run specific analyzers, use the tools
command. This command is a comma-seperated list of tools to run. For example, to run only the container-mapping
tool, configure this action as follows:
- uses: microsoft/security-devops-action@latest
id: msdo
with:
tools: container-mapping
Name | Language | License |
---|---|---|
AntiMalware | code, artifacts | - |
Bandit | python | Apache License 2.0 |
BinSkim | binary - Windows, ELF | MIT License |
Checkov | Infrastructure-as-code (IaC), Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | Apache License 2.0 |
ESlint | JavaScript | MIT License |
Template Analyzer | Infrastructure-as-code (IaC), ARM templates, Bicep files | MIT License |
Terrascan | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | Apache License 2.0 |
Trivy | container images, file systems, and git repositories | Apache License 2.0 |
container-mapping | container images and registries (only available for DevOps security enabled CSPM plans) | MIT License |
Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.
Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the MSDO action's output.
The scripts and documentation in this project are released under the MIT License
Contributions are welcome! See the Contributor's Guide.