{"id":15012408,"url":"https://github.com/microsoft/security-devops-action","last_synced_at":"2025-05-16T11:03:56.292Z","repository":{"id":40412829,"uuid":"204574904","full_name":"microsoft/security-devops-action","owner":"microsoft","description":"Microsoft Security DevOps for GitHub Actions.","archived":false,"fork":false,"pushed_at":"2024-11-08T19:37:34.000Z","size":1000,"stargazers_count":129,"open_issues_count":22,"forks_count":51,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-05T20:22:30.862Z","etag":null,"topics":["devops","microsoft","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-08-26T22:50:23.000Z","updated_at":"2025-05-05T09:03:12.000Z","dependencies_parsed_at":"2023-09-29T16:34:16.521Z","dependency_job_id":"318dbb4b-4436-41ea-a122-26d771ec5fde","html_url":"https://github.com/microsoft/security-devops-action","commit_stats":{"total_commits":256,"total_committers":14,"mean_commits":"18.285714285714285","dds":0.40625,"last_synced_commit":"fe9221a4e90bd9649db705e2d26b0f404294d716"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsecurity-devops-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsecurity-devops-action/tags","releases_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsecurity-devops-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsecurity-devops-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/security-devops-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518384,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","microsoft","security"],"created_at":"2024-09-24T19:42:35.208Z","updated_at":"2025-05-16T11:03:56.266Z","avatar_url":"https://github.com/microsoft.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# microsoft/security-devops-action (Preview)\n\nMicrosoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in SARIF, or whose results MSDO can convert to SARIF, MSDO imports the results into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.\n\nRun locally. Run remotely.\n\n![Microsoft Security DevOps](https://github.com/microsoft/security-devops-action/workflows/MSDO%20Sample%20Workflow/badge.svg)  \n\nThis action runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis:\n\n* Installs the Microsoft Security DevOps CLI\n* Installs the latest Microsoft security policy\n* Installs the latest Microsoft and 3rd party security tools\n* Automatic or user-provided configuration of security tools\n* Execution of a full suite of security tools\n* Normalized processing of results into the SARIF format\n* Build breaks and more\n\n# Usage\n\nSee [action.yml](action.yml)\n\n## Basic\n\nRun **Microsoft Security DevOps (MSDO)** with the default policy and recommended tools.\n\n```yaml\npermissions:\n  security-events: write\n\nsteps:\n\n- uses: actions/checkout@v3\n\n- name: Run Microsoft Security DevOps\n  uses: microsoft/security-devops-action@latest\n  id: msdo\n```\n\n## Upload Results to the Security tab\n\nTo upload results to the Security tab of your repo, run the `github/codeql-action/upload-sarif` action immediately after running MSDO. MSDO sets the action output variable `sarifFile` to the path of a single SARIF file that can be uploaded to this API.\n\n```yaml\n- name: Upload results to Security tab\n  uses: github/codeql-action/upload-sarif@v2\n  with:\n    sarif_file: ${{ steps.msdo.outputs.sarifFile }}\n```\n\n## Advanced\n\nTo only run specific analyzers, use the `tools` command. This command is a comma-separated list of tools to run. For example, to run only the `container-mapping` tool, configure this action as follows:\n\n```yaml\n- uses: microsoft/security-devops-action@latest\n  id: msdo\n  with:\n    tools: container-mapping\n```\n\n# Tools\n\n| Name | Language / Target | License |\n| --- | --- | --- |\n| [AntiMalware](https://www.microsoft.com/en-us/windows/comprehensive-security) | code, artifacts | - |\n| [Bandit](https://github.com/PyCQA/bandit) | Python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) |\n| [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |\n| [Checkov](https://github.com/bridgecrewio/checkov) | Infrastructure-as-code (IaC), Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) |\n| [ESLint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) |\n| [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) |\n| [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) |\n| [Trivy](https://github.com/aquasecurity/trivy) | container images, file systems, and git repositories | [Apache License 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |\n| [container-mapping](https://learn.microsoft.com/en-us/azure/defender-for-cloud/container-image-mapping) | container images and registries (only available for DevOps security enabled CSPM plans) | [MIT License](https://github.com/microsoft/security-devops-action/blob/main/LICENSE) |\n\n# More Information\n\nPlease see the [wiki tab](https://github.com/microsoft/security-devops-action/wiki) for more information and the [Frequently Asked Questions (FAQ)](https://github.com/microsoft/security-devops-action/wiki/FAQ) page.\n\n# Report Issues\n\nPlease [file a GitHub issue](https://github.com/microsoft/security-devops-action/issues/new) in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the MSDO action's output.\n\n# License\n\nThe scripts and documentation in this project are released under the [MIT License](LICENSE).\n\n# Contributing\n\nContributions are welcome! See the [Contributor's Guide](docs/contributors.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fsecurity-devops-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2Fsecurity-devops-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fsecurity-devops-action/lists"}