Configure the Microsoft Security DevOps GitHub action
Microsoft Security DevOps (MSDO) is a command line application that integrates static analysis tools into the development lifecycle. Security DevOps installs, configures, and runs the latest versions of static analysis tools, including Security Development Lifecycle (SDL) security and compliance tools. Security DevOps is data-driven, with portable configurations that enable deterministic execution across multiple environments.
| Name | Language | License |
|---|---|---|
| AntiMalware | AntiMalware protection in Windows from Microsoft Defender for Endpoint, which scans for malware and breaks the build if malware is found. This tool scans by default on the windows-latest agent. | Not Open Source |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary (Windows, ELF) | MIT License |
| ESLint | JavaScript | MIT License |
| Template Analyzer | ARM Template, Bicep | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | Container images, Infrastructure as Code (IaC) | Apache License 2.0 |
Prerequisites
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
- Connect your GitHub repositories.
- Follow the guidance to set up GitHub Advanced Security to view the DevOps posture assessments in Defender for Cloud.
- Open the Microsoft Security DevOps GitHub action in a new window.
- Ensure that Workflow permissions are set to Read and Write on the GitHub repository. This includes setting the "id-token: write" permission in the GitHub workflow, which is required for federation with Defender for Cloud.
Configure the Microsoft Security DevOps GitHub action
To set up the GitHub action:
1. Sign in to GitHub.
2. Select the repository you want to configure the GitHub action for.
3. Select Actions.
4. Select New workflow.
5. On the Get started with GitHub Actions page, select set up a workflow yourself.
6. In the text box, enter a name for your workflow file. For example, msdevopssec.yml.
7. Copy and paste the following sample action workflow into the Edit new file tab.
8. Select Start commit.
9. Select Commit new file.
10. Select Actions and verify that the new action is running.
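The sample workflow that step 7 refers to is not reproduced on this page. The workflow below is an added example, not the page's own sample: it assumes the action reference `microsoft/security-devops-action`, its `sarifFile` output and its optional `tools` input as documented in that action's repository, and the `github/codeql-action/upload-sarif` action for publishing results to the Security tab. `actions/checkout@v4` and the branch name `main` are placeholders to adapt to your repository. It sets the `id-token: write` permission named in the prerequisites and otherwise grants the job token only what the steps need.

```yaml
name: MSDO scan

on:
  push:
    branches: [ main ]          # placeholder: adapt to your default branch
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Least-privilege job token:
#   contents: read        -> actions/checkout
#   security-events: write -> upload SARIF to Security > Code scanning alerts
#   id-token: write        -> federation with Defender for Cloud (see Prerequisites)
permissions:
  contents: read
  security-events: write
  id-token: write

jobs:
  msdo:
    # windows-latest is the agent on which the AntiMalware scan runs by default
    runs-on: windows-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps analysis
        # The action's documented reference is @latest; pinning to a release
        # tag or commit SHA gives a reproducible, reviewable scanner version.
        uses: microsoft/security-devops-action@latest
        id: msdo
        # Optional: restrict the analyzers that run. Without this input the
        # action's default policy runs every applicable tool from the table above.
        # with:
        #   tools: 'trivy,terrascan'   # assumption: input name per the action's README

      - name: Upload SARIF to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Once the upload step has run, the findings appear under Security > Code scanning alerts and can be filtered by tool as described in the next section; the same SARIF results are what Defender for Cloud reads through the federated identity.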
View Scan Results
To view your scan results:
- Sign in to GitHub.
- Navigate to Security > Code scanning alerts > Tool.
- From the dropdown menu, select Filter by tool.
Code scanning findings are filtered by the specific MSDO tool in GitHub. These code scanning results are also pulled into Defender for Cloud recommendations.