Skip to content

Bulk Update

Bulk Update #473

name: DevOps Secure Scanning
on:
workflow_dispatch:
pull_request:
branches:
- main
push:
branches:
- main
permissions:
contents: read # This is required for actions/checkout
security-events: write # Required to publish security alerts
jobs:
sample:
name: devops-security-analysis
# MSDO runs on windows-latest.
# ubuntu-latest also supported
runs-on: ubuntu-latest
steps:
# Checkout your code repository to scan
- uses: actions/checkout@v4
# Run analyzers
- name: Run Microsoft Security DevOps Analysis
uses: microsoft/security-devops-action@v1.12.0
id: msdo
#with:
# config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
# policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
# categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'secrets', 'code', 'artifacts', 'IaC', 'containers. Example: 'IaC,secrets'. Defaults to all.
# languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
# tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
# Upload alerts to the Security tab
- name: Upload alerts to Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
# Upload alerts file as a workflow artifact
- name: Upload alerts file as a workflow artifact
uses: actions/upload-artifact@v4
with:
name: alerts
path: ${{ steps.msdo.outputs.sarifFile }}