77jobs :
88 secret-scan :
99 name : MSDO Secret Scan
10- runs-on : windows -latest
10+ runs-on : ubuntu -latest
1111
1212 permissions :
1313 contents : read
@@ -17,45 +17,23 @@ jobs:
1717
1818 steps :
1919 - name : Checkout code
20- shell : pwsh
2120 run : |
2221 git clone https://github.com/${{ github.repository }} .
2322 git checkout ${{ github.ref_name }}
2423
2524 - name : Set tool to only run secret scan
26- shell : pwsh
27- run : |
28- echo "TOOLS=credscan" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8
25+ run : echo "TOOLS=credscan" >> $GITHUB_ENV
2926
3027 - name : Run Microsoft Security DevOps - Secret Scan
3128 uses : theangrytech-git/security-devops-action@main
3229 id : msdo
3330 with :
3431 tools : ${{ env.TOOLS }}
3532
36- - name : Upload SARIF to GitHub (if public)
33+ - name : Upload alerts to GitHub code scanning
3734 if : github.repository_visibility == 'public'
38- shell : pwsh
39- run : |
40- Write-Host "Uploading SARIF to GitHub Code Scanning"
41- $sarifFile = "${{ steps.msdo.outputs.sarifFile }}"
42- if (-not (Test-Path $sarifFile)) {
43- Write-Host "SARIF file not found. Skipping upload."
44- exit 0
45- }
46- # Use GitHub's SARIF upload API manually (for public repos)
47- $headers = @{ Authorization = "Bearer ${{ secrets.GITHUB_TOKEN }}" }
48- $body = @{
49- commit_sha = "${{ github.sha }}"
50- ref = "${{ github.ref }}"
51- sarif = [System.IO.File]::ReadAllText($sarifFile) -replace "`r`n", "\n"
52- checkout_uri = "https://github.com/${{ github.repository }}"
53- tool_name = "msdo-credscan"
54- } | ConvertTo-Json -Depth 10
55-
56- Invoke-RestMethod `
57- -Uri "https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs" `
58- -Method POST `
59- -Headers $headers `
60- -Body $body `
61- -ContentType "application/json"
35+ uses : ./.github/actions/upload-sarif
36+ with :
37+ sarif_file : ${{ steps.msdo.outputs.sarifFile }}
38+ env :
39+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
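Review bot: The new upload step at new lines 35–39 hands `GH_TOKEN` to `./.github/actions/upload-sarif`, but the only permission visible in this workflow is `contents: read` (lines 12–13 of the earlier hunk); uploading to the code-scanning endpoint needs `security-events: write` on `GITHUB_TOKEN`, so unless the rest of the `permissions:` block (outside this diff) grants it, the upload will be rejected on the first run. The removed PowerShell exited cleanly when `steps.msdo.outputs.sarifFile` did not exist; whether the composite action keeps that skip, and whether it actually reads an input named `sarif_file` and an env var named `GH_TOKEN`, cannot be confirmed from this diff, so once verified add a comment above the step such as `# needs security-events: write; action skips when sarif_file is absent`. Separately, the checkout step at new lines 19–22 still interpolates `${{ github.ref_name }}` straight into the shell body, and branch names are contributor-controlled, so pass it through an env var (`env: REF: ${{ github.ref_name }}` then `git checkout "$REF"`) or use `actions/checkout` with its `ref:` input instead.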