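# Reusable workflow: pick the Microsoft Security DevOps (MSDO) analyzers that
# match the file types present in the checked-out tree, run them, and upload
# the resulting SARIF to GitHub Code Scanning (public repositories only).
name: msdo-dynamic-scanning

on:
  workflow_dispatch:
    # Mirrors the workflow_call input so a manual run does not try to check
    # out an empty branch name.
    inputs:
      branch:
        description: Branch to scan
        required: false
        type: string
        default: 'main'
  workflow_call:
    inputs:
      branch:
        description: Branch to scan
        required: false
        type: string
        default: 'main'
    secrets:
      # Accepted from callers; no step in this workflow reads it.
      GH_TOKEN:
        required: false

jobs:
  msdo:
    name: Microsoft Security DevOps
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): no step shown here uses OIDC (id-token) or the Actions
      # API; confirm the MSDO action needs them, otherwise drop them for
      # least privilege.
      id-token: write
      actions: read
      # Needed by the Code Scanning SARIF upload below.
      security-events: write
    steps:
      - name: Manually checkout repository (internal-safe)
        env:
          # The caller-controlled input is passed through the environment
          # instead of ${{ }} interpolation inside the script, so a crafted
          # value cannot inject shell syntax.
          BRANCH: ${{ inputs.branch }}
          REPOSITORY: ${{ github.repository }}
        run: |
          git clone "https://github.com/${REPOSITORY}" .
          # Trailing '--' makes git read the value as a ref, never as a pathspec.
          git checkout "${BRANCH}" --

      - name: Set environment variables for tools
        shell: pwsh
        run: |
          # Collect the MSDO tool names whose input file types exist in the tree.
          $tools = @()
          function Test-AnyFile {
            param([string[]] $Include)
            return (Get-ChildItem -Recurse -Include $Include | Measure-Object).Count -gt 0
          }
          if (Test-AnyFile '*.js', '*.jsx', '*.ts', '*.tsx') {
            $tools += 'eslint'
            echo "ESLint enabled - JS/JSX/TS/TSX files detected."
          } else {
            echo "ESLint skipped - No JS/JSX/TS/TSX files found."
          }
          if (Test-AnyFile '*.exe', '*.dll') {
            $tools += 'binskim'
            echo "BinSkim enabled - EXE/DLL files detected."
          } else {
            echo "BinSkim skipped - No EXE/DLL files found."
          }
          if (Test-AnyFile '*.py') {
            $tools += 'bandit'
            echo "Bandit enabled - Python files detected."
          } else {
            echo "Bandit skipped - No Python files found."
          }
          if (Test-AnyFile '*.tf', '*.json', '*.yml', '*.yaml', '*.dockerfile', '*.template', '*.bicep') {
            $tools += 'checkov'
            echo "Checkov enabled - Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files detected."
          } else {
            echo "Checkov skipped - No Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files found."
          }
          # Heuristic: any JSON file mentioning 'resources' is treated as an ARM template.
          if ((Get-ChildItem -Recurse -Include *.json | Select-String 'resources' | Measure-Object).Count -gt 0) {
            $tools += 'templateanalyzer'
            echo "Template Analyzer enabled - ARM templates detected."
          }
          if (Test-AnyFile '*.bicep') {
            $tools += 'templateanalyzer'
            echo "Template Analyzer enabled - Bicep files detected."
          }
          if (Test-AnyFile '*.tf', '*.json', '*.yml', '*.yaml') {
            $tools += 'terrascan'
            echo "Terrascan enabled - Terraform/JSON/YML/YAML files detected."
          }
          if (Test-AnyFile 'Dockerfile') {
            $tools += 'trivy'
            echo "Trivy enabled - Dockerfiles detected."
          }
          # Dedupe: templateanalyzer can be added twice (ARM JSON and Bicep).
          $toolList = ($tools | Select-Object -Unique) -join ','
          if ($toolList -eq '') {
            echo "No applicable tools found. The MSDO scan will be skipped."
          }
          # Always publish TOOLS (possibly empty); the following steps gate on it
          # with `if:`, which is what actually skips the scan. Append so earlier
          # entries in GITHUB_ENV are preserved.
          "TOOLS=$toolList" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

      - name: Run Microsoft Security DevOps
        id: msdo
        if: env.TOOLS != ''
        # TODO(review): pin this third-party action to a full commit SHA instead
        # of the mutable 'main' ref so the scanner cannot change underneath us.
        uses: theangrytech-git/security-devops-action@main
        with:
          tools: ${{ env.TOOLS }}

      - name: Check Repository Visibility
        shell: bash
        env:
          REPO_VISIBILITY: ${{ github.repository_visibility }}
        run: |
          if [ "$REPO_VISIBILITY" == "private" ]; then
            echo "This is a private repository. Code Scanning is not available unless GitHub Advanced Security (GHAS) is enabled."
          fi

      - name: Upload SARIF to GitHub Code Scanning
        if: github.repository_visibility == 'public' && env.TOOLS != ''
        env:
          SARIF_FILE: ${{ steps.msdo.outputs.sarifFile }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
          # NOTE(review): results are attributed to github.sha/github.ref, which
          # may differ from the commit checked out via inputs.branch; confirm
          # this is intended.
          COMMIT_SHA: ${{ github.sha }}
          REF: ${{ github.ref }}
        run: |
          echo "Compressing and uploading SARIF..."
          if [ ! -f "$SARIF_FILE" ]; then
            echo "SARIF file not found at $SARIF_FILE"
            exit 0
          fi
          # The Code Scanning API expects the SARIF gzip-compressed and base64-encoded.
          encoded_sarif=$(gzip -c "$SARIF_FILE" | base64 -w 0)
          # Build the request body with jq so every field is JSON-escaped.
          payload=$(jq -c -n \
            --arg commit_sha "$COMMIT_SHA" \
            --arg ref "$REF" \
            --arg sarif "$encoded_sarif" \
            --arg checkout_uri "https://github.com/${REPOSITORY}" \
            --arg tool_name "MSDO" \
            '{commit_sha: $commit_sha, ref: $ref, sarif: $sarif, checkout_uri: $checkout_uri, tool_name: $tool_name}')
          # --fail makes an HTTP error fail the step instead of passing silently.
          curl --silent --show-error --fail \
            -X POST \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            -H "Content-Type: application/json" \
            "https://api.github.com/repos/${REPOSITORY}/code-scanning/sarifs" \
            --data-binary @- <<<"$payload"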