Configure the Microsoft Security DevOps GitHub action

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Security DevOps installs, configures, and runs the latest versions of static analysis tools, including SDL, security, and compliance tools. Security DevOps is data-driven, with portable configurations that enable deterministic execution across multiple environments.

Security DevOps uses the following Open Source tools:

| Name | Language | License |
|------|----------|---------|
| AntiMalware | AntiMalware protection in Windows from Windows Defender; scans source code and breaks the run if malware has been found | Not Open Source |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary (Windows, ELF) | MIT License |
| ESlint | JavaScript | MIT License |
| Template Analyzer | ARM template, Bicep file | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation | Apache License 2.0 |
| Trivy | Container images, file systems, git repositories | Apache License 2.0 |

Prerequisites

Configure the Microsoft Security DevOps GitHub action

To set up the GitHub action:

  1. Sign in to GitHub.

  2. Select the repository you want to configure the GitHub action for.

  3. Select Actions.

    Screenshot that shows you where the Actions button is located.

  4. Select New workflow.

  5. On the Get started with GitHub Actions page, select set up a workflow yourself.

    Screenshot showing where to select the new workflow button.

  6. In the text box, enter a name for your workflow file. For example, msdevopssec.yml.

    Screenshot that shows you where to enter a name for your new workflow.

  7. Copy and paste the following sample action workflow into the Edit new file tab.

    name: MSDO windows-latest
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
      workflow_dispatch:

    jobs:
      sample:

        # MSDO runs on windows-latest and ubuntu-latest.
        # macos-latest support is coming soon.
        runs-on: windows-latest

        steps:
        - uses: actions/checkout@v3

        - uses: actions/setup-dotnet@v3
          with:
            dotnet-version: |
              5.0.x
              6.0.x

        # Run analyzers
        - name: Run Microsoft Security DevOps Analysis
          uses: microsoft/security-devops-action@preview
          id: msdo

        # Upload alerts to the Security tab
        - name: Upload alerts to Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: ${{ steps.msdo.outputs.sarifFile }}

    For details on the various input options, see action.yml.

  8. Select Start commit.

    Screenshot showing you where to select start commit.

  9. Select Commit new file.

    Screenshot showing you how to commit a new file.

    The process can take up to one minute to complete.

  10. Select Actions and verify the new action is running.

    Screenshot showing you where to navigate to, to see that your new action is running.

View Scan Results

To view your scan results:

  1. Sign in to GitHub.

  2. Navigate to Security > Code scanning alerts > Tool.

  3. From the dropdown menu, select Filter by tool.

Code scanning findings are then filtered in GitHub by the specific MSDO tool that produced them. These code scanning results are also pulled into Defender for Cloud recommendations.
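The per-tool filtering in the Security tab works because the SARIF file that the `msdo` step emits (and `upload-sarif` uploads) contains one run per analyzer, each carrying its `tool.driver.name`. The following script is an added example, not part of this page or of the Microsoft Security DevOps project: it reads a SARIF 2.1.0 document, resolves each result's severity the way the SARIF specification prescribes (explicit `level`, else the rule's `defaultConfiguration.level`, else `warning`), summarizes findings per tool, and applies a simple merge gate. The embedded SARIF document is constructed for illustration; the `EXAMPLE_S3_VERSIONING` rule id is a placeholder, and the file paths and messages are invented.

```python
"""Summarize a multi-tool SARIF 2.1.0 file by analyzer and gate on severity.

Added example (not MSDO project code). The SAMPLE_SARIF document below is
constructed to mirror the one-run-per-tool layout described on the page.
"""
import json
from collections import Counter, defaultdict

# SARIF result levels in increasing severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample, not real scanner output. Rule ids other than the Bandit
# ones are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Bandit", "rules": [
                {"id": "B105", "defaultConfiguration": {"level": "warning"}},
                {"id": "B602", "defaultConfiguration": {"level": "error"}},
            ]}},
            "results": [
                # No explicit level: falls back to the rule default (warning).
                {"ruleId": "B105", "message": {"text": "Possible hardcoded password"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/config.py"},
                     "region": {"startLine": 12}}}]},
                {"ruleId": "B602", "level": "error",
                 "message": {"text": "subprocess call with shell=True"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/run.py"},
                     "region": {"startLine": 40}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "Terrascan"}},
            "results": [
                {"ruleId": "EXAMPLE_S3_VERSIONING", "level": "warning",
                 "message": {"text": "S3 bucket versioning is disabled"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "infra/s3.tf"},
                     "region": {"startLine": 3}}}]},
            ],
        },
    ],
})


def _level_of(result, rule_defaults):
    """Resolve a result's level per SARIF 2.1.0: explicit level, else the
    rule's defaultConfiguration.level, else 'warning'."""
    if "level" in result:
        return result["level"]
    return rule_defaults.get(result.get("ruleId"), "warning")


def iter_findings(sarif_text):
    """Yield (tool, rule_id, level, file, line, message) for every result."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        rule_defaults = {
            r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in driver.get("rules", []) if "id" in r
        }
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (
                tool,
                res.get("ruleId", "?"),
                _level_of(res, rule_defaults),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine"),
                res.get("message", {}).get("text", ""),
            )


def summarize_by_tool(sarif_text):
    """Count findings per tool and level, e.g. {'Bandit': {'error': 1, ...}}."""
    summary = defaultdict(Counter)
    for tool, _rule, level, *_rest in iter_findings(sarif_text):
        summary[tool][level] += 1
    return {tool: dict(counts) for tool, counts in summary.items()}


def passes_gate(sarif_text, fail_on="error", tools=None):
    """True when no finding from the selected tools is at or above `fail_on`.
    tools=None means every tool in the file."""
    threshold = LEVEL_RANK[fail_on]
    for tool, _rule, level, *_rest in iter_findings(sarif_text):
        if tools is not None and tool not in tools:
            continue
        if LEVEL_RANK.get(level, 0) >= threshold:
            return False
    return True


if __name__ == "__main__":
    for tool, rule, level, path, line, msg in iter_findings(SAMPLE_SARIF):
        print(f"[{tool}] {level:<7} {rule:<22} {path}:{line}  {msg}")
    print(summarize_by_tool(SAMPLE_SARIF))
    print("gate passed:", passes_gate(SAMPLE_SARIF))
```

To run it against a real scan, replace `SAMPLE_SARIF` with the contents of the file at `${{ steps.msdo.outputs.sarifFile }}` and run the script as an extra workflow step after the analysis; the `tools` argument lets you gate on a subset of analyzers (for example only the IaC scanner) while the rest of the findings still reach the Security tab through `upload-sarif`.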

Learn more

Next steps

Learn more about Defender for DevOps.

Learn how to connect your GitHub to Defender for Cloud.

Discover misconfigurations in Infrastructure as Code (IaC)