Configure the Microsoft Security DevOps GitHub action

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Security DevOps installs, configures, and runs the latest versions of static analysis tools such as, SDL, security and compliance tools. Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.

Microsoft Security DevOps uses the following Open Source tools:

Name Language License
AntiMalware AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. Not Open Source
Bandit Python Apache License 2.0
BinSkim Binary--Windows, ELF MIT License
Checkov Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Apache License 2.0
ESlint JavaScript MIT License
Template Analyzer ARM Template, Bicep MIT License
Terrascan Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation Apache License 2.0
Trivy container images, Infrastructure as Code (IaC) Apache License 2.0


Configure the Microsoft Security DevOps GitHub action

To setup GitHub action:

  1. Sign in to GitHub.

  2. Select a repository you want to configure the GitHub action to.

  3. Select Actions.

    Screenshot that shows you where the Actions button is located.

  4. Select New workflow.

  5. On the Get started with GitHub Actions page, select set up a workflow yourself

    Screenshot showing where to select the new workflow button.

  6. In the text box, enter a name for your workflow file. For example, msdevopssec.yml.

    Screenshot that shows you where to enter a name for your new workflow.

  7. Copy and paste the following sample action workflow into the Edit new file tab.

    name: MSDO
          - master
        name: Microsoft Security DevOps
        # MSDO runs on windows-latest.
        # ubuntu-latest also supported
        runs-on: windows-latest
          contents: read
          id-token: write
          actions: read
          security-events: write
          # Checkout your code repository to scan
        - uses: actions/checkout@v3
          # Run analyzers
        - name: Run Microsoft Security DevOps Analysis
          uses: microsoft/security-devops-action@latest
          id: msdo
        # with:
          # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
          # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
          # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
          # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
          # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
          # Upload alerts to the Security tab
        - name: Upload alerts to Security tab
          uses: github/codeql-action/upload-sarif@v2
            sarif_file: ${{ steps.msdo.outputs.sarifFile }}
          # Upload alerts file as a workflow artifact
        - name: Upload alerts file as a workflow artifact
          uses: actions/upload-artifact@v3
            name: alerts
            path: ${{ steps.msdo.outputs.sarifFile }}


    For additional tool configuration options and instructions, see the Microsoft Security DevOps wiki

  8. Select Start commit

    Screenshot showing you where to select start commit.

  9. Select Commit new file.

    Screenshot showing you how to commit a new file.

    The process can take up to one minute to complete.

  10. Select Actions and verify the new action is running.

    Screenshot showing you where to navigate to, to see that your new action is running.

View Scan Results

To view your scan results:

  1. Sign in to GitHub.

  2. Navigate to Security > Code scanning alerts > Tool.

  3. From the dropdown menu, select Filter by tool.

Code scanning findings will be filtered by specific MSDO tools in GitHub. These code scanning results are also pulled into Defender for Cloud recommendations.

Learn more

Learn more about DevOps security in Defender for Cloud.

Learn how to connect your GitHub Organizations to Defender for Cloud.