
Commit da4431b

Add files via upload
Added file for visibility
1 parent 9dc8c66 commit da4431b

3 files changed

+250
-0
lines changed


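--- /dev/null
+++ b/msdo-main-pipeline.yml
@@ -0,0 +1,28 @@
+name: msdo-main-pipeline
+
+on:
+push:
+branches: [main]
+workflow_dispatch:
+
+jobs:
+msdo-core-scan:
+uses: ./.github/workflows/msdo-reusable.yml
+permissions:
+contents: read
+id-token: write
+actions: read
+security-events: write
+with:
+branch: main
+secrets:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+secret-scan:
+uses: ./.github/workflows/secret-scanning.yml
+permissions:
+contents: read
+id-token: write
+actions: read
+security-events: write
+needs: msdo-core-scan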
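Review bot: Both jobs grant `id-token: write`, yet no step in either called workflow added by this commit requests an OIDC token, so the grant is unused and should be removed from these `permissions:` blocks (and from the callees') until a step actually needs it. The `secrets:` block forwarding `GH_TOKEN` is likewise dead weight: `msdo-reusable.yml` declares it optional and never reads it, and its upload step already uses `secrets.GITHUB_TOKEN` without the caller passing one, so either drop the block or make the callee consume the forwarded secret. `needs: msdo-core-scan` serialises two independent scans and skips the secret scan whenever the core scan fails; if that coupling is not intended, remove the `needs:` line so the jobs run in parallel.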

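--- /dev/null
+++ b/msdo-reusable.yml
@@ -0,0 +1,134 @@
+name: msdo-reusable
+
+on:
+workflow_dispatch:
+workflow_call:
+inputs:
+branch:
+required: false
+type: string
+default: 'main'
+secrets:
+GH_TOKEN:
+required: false
+
+jobs:
+msdo:
+name: Microsoft Security DevOps
+runs-on: ubuntu-latest
+
+permissions:
+contents: read
+id-token: write
+actions: read
+security-events: write
+
+steps:
+- name: Manually checkout repository (internal-safe)
+run: |
+git clone https://github.com/${{ github.repository }} .
+git checkout ${{ inputs.branch }}
+
+- name: Set environment variables for tools
+shell: pwsh
+run: |
+$TOOLS = ""
+
+if ((Get-ChildItem -Recurse -Include *.js, *.jsx, *.ts, *.tsx | Measure-Object).Count -gt 0) {
+$TOOLS += "eslint,"
+echo "ESLint enabled - JS/JSX/TS/TSX files detected."
+} else {
+echo "ESLint skipped - No JS/JSX/TS/TSX files found."
+}
+
+if ((Get-ChildItem -Recurse -Include *.exe, *.dll | Measure-Object).Count -gt 0) {
+$TOOLS += "binskim,"
+echo "BinSkim enabled - EXE/DLL files detected."
+} else {
+echo "BinSkim skipped - No EXE/DLL files found."
+}
+
+if ((Get-ChildItem -Recurse -Include *.py | Measure-Object).Count -gt 0) {
+$TOOLS += "bandit,"
+echo "Bandit enabled - Python files detected."
+} else {
+echo "Bandit skipped - No Python files found."
+}
+
+if ((Get-ChildItem -Recurse -Include *.tf, *.json, *.yml, *.yaml, *.dockerfile, *.template, *.bicep | Measure-Object).Count -gt 0) {
+$TOOLS += "checkov,"
+echo "Checkov enabled - Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files detected."
+} else {
+echo "Checkov skipped - No Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files found."
+}
+
+if ((Get-ChildItem -Recurse -Include *.json | Select-String 'resources' | Measure-Object).Count -gt 0) {
+$TOOLS += "templateanalyzer,"
+echo "Template Analyzer enabled - ARM templates detected."
+}
+
+if ((Get-ChildItem -Recurse -Include *.bicep | Measure-Object).Count -gt 0) {
+$TOOLS += "templateanalyzer,"
+echo "Template Analyzer enabled - Bicep files detected."
+}
+
+if ((Get-ChildItem -Recurse -Include *.tf, *.json, *.yml, *.yaml | Measure-Object).Count -gt 0) {
+$TOOLS += "terrascan,"
+echo "Terrascan enabled - Terraform/JSON/YML/YAML files detected."
+}
+
+if ((Get-ChildItem -Recurse -Include Dockerfile | Measure-Object).Count -gt 0) {
+$TOOLS += "trivy,"
+echo "Trivy enabled - Dockerfiles detected."
+}
+
+$TOOLS = $TOOLS.TrimEnd(',')
+
+if ($TOOLS -eq "") {
+echo "No applicable tools found. The MSDO scan will be skipped."
+exit 0
+}
+
+echo "TOOLS=$TOOLS" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8
+
+- name: Run Microsoft Security DevOps
+uses: theangrytech-git/security-devops-action@main
+id: msdo
+with:
+tools: ${{ env.TOOLS }}
+
+- name: Check Repository Visibility
+shell: bash
+run: |
+if [ "${{ github.repository_visibility }}" == "private" ]; then
+echo "This is a private repository. Code Scanning is not available unless GitHub Advanced Security (GHAS) is enabled."
+exit 0
+fi
+
+- name: Upload SARIF to GitHub Code Scanning
+if: github.repository_visibility == 'public'
+run: |
+echo "Compressing and uploading SARIF..."
+sarif_file="${{ steps.msdo.outputs.sarifFile }}"
+if [ ! -f "$sarif_file" ]; then
+echo "SARIF file not found at $sarif_file"
+exit 0
+fi
+
+gzip -c "$sarif_file" | base64 -w 0 > msdo.sarif.base64
+encoded_sarif=$(cat msdo.sarif.base64)
+
+curl -s -X POST \
+-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+-H "Accept: application/vnd.github+json" \
+-H "Content-Type: application/json" \
+https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+-d @- <<EOF
+{
+"commit_sha": "${{ github.sha }}",
+"ref": "${{ github.ref }}",
+"sarif": "$encoded_sarif",
+"checkout_uri": "https://github.com/${{ github.repository }}",
+"tool_name": "MSDO"
+}
+EOF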
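Review bot: `uses: theangrytech-git/security-devops-action@main` resolves a mutable branch, so whatever that branch contains at run time executes in a job holding `security-events: write` and the `GITHUB_TOKEN` used by the upload step; pin it to a full commit SHA with the tag in a trailing comment, `uses: theangrytech-git/security-devops-action@<full-commit-sha>  # <release tag>`, and the identical line in secret-scanning.yml needs the same treatment. The checkout step interpolates the caller-supplied `${{ inputs.branch }}` straight into the shell script; route it through `env:` and quote it so the value is data rather than script. The `exit 0` in the tool-detection step ends only that step, so when nothing matches the MSDO step still runs with `env.TOOLS` unset; gate it with `if: env.TOOLS != ''`. Separately, the job checks out the branch tip while the SARIF upload reports `github.sha`, so on a multi-commit push the scanned tree and the reported commit can differ; if the intent is to scan the pushed commit, check out `github.sha` instead.
```yaml
      - name: Manually checkout repository (internal-safe)
        env:
          BRANCH: ${{ inputs.branch }}
        run: |
          git clone https://github.com/${{ github.repository }} .
          git checkout "$BRANCH"
      # … unchanged: tool-detection step (writes TOOLS to $GITHUB_ENV) …
      - name: Run Microsoft Security DevOps
        if: env.TOOLS != ''
        uses: theangrytech-git/security-devops-action@<full-commit-sha>  # <release tag>
        id: msdo
        with:
          tools: ${{ env.TOOLS }}
      # … unchanged: visibility check and SARIF upload steps …
```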

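--- /dev/null
+++ b/secret-scanning.yml
@@ -0,0 +1,88 @@
+name: msdo-secret-scanning
+
+on:
+workflow_call:
+secrets:
+GH_TOKEN:
+required: false
+workflow_dispatch:
+
+jobs:
+secret-scan:
+name: MSDO Secret Scan
+runs-on: ubuntu-latest
+
+permissions:
+contents: read
+id-token: write
+actions: read
+security-events: write
+
+steps:
+- name: Checkout repository manually
+run: |
+git clone https://github.com/${{ github.repository }} .
+git checkout ${{ github.ref_name }}
+
+- name: Set tool to only run secret scan
+run: echo "TOOLS=credscan" >> $GITHUB_ENV
+
+- name: Install .NET 6 SDK (for CredScan)
+run: |
+wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh
+chmod +x dotnet-install.sh
+./dotnet-install.sh --version 6.0.415 --install-dir "$HOME/dotnet"
+
+echo "DOTNET_ROOT=$HOME/dotnet" >> $GITHUB_ENV
+echo "$HOME/dotnet" >> $GITHUB_PATH
+
+- name: Run Microsoft Security DevOps - Secret Scan
+uses: theangrytech-git/security-devops-action@main
+id: msdo
+with:
+tools: ${{ env.TOOLS }}
+
+- name: Upload SARIF to GitHub Code Scanning
+if: github.repository_visibility == 'public'
+run: |
+echo "Compressing and uploading SARIF..."
+sarif_file="${{ steps.msdo.outputs.sarifFile }}"
+if [ ! -f "$sarif_file" ]; then
+echo "SARIF file not found at $sarif_file"
+exit 0
+fi
+
+gzip -c "$sarif_file" | base64 -w 0 > msdo.sarif.base64
+encoded_sarif=$(cat msdo.sarif.base64)
+
+curl -s -X POST \
+-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+-H "Accept: application/vnd.github+json" \
+-H "Content-Type: application/json" \
+https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+-d @- <<EOF
+{
+"commit_sha": "${{ github.sha }}",
+"ref": "${{ github.ref }}",
+"sarif": "$encoded_sarif",
+"checkout_uri": "https://github.com/${{ github.repository }}",
+"tool_name": "MSDO-CredScan"
+}
+EOF
+
+# - name: Alert to Microsoft Teams on secret detection
+# if: github.repository_visibility == 'public'
+# run: |
+# echo "Checking for CredScan findings in SARIF..."
+# gzip -cd msdo.sarif.base64 | base64 -d > decoded.sarif || true
+# findings=$(jq '.runs[].results | length' decoded.sarif 2>/dev/null || echo 0)
+
+# if [ "$findings" -gt 0 ]; then
+# echo "\uD83D\uDEA8 Secrets detected: $findings"
+# curl -H 'Content-Type: application/json' -d '{
+# "title": "\u26A0\uFE0F MSDO CredScan Alert",
+# "text": "**Secrets detected in '${{ github.repository }}' on branch '${{ github.ref_name }}'**\nTotal findings: '"$findings"'"
+# }' ${{ secrets.TEAMS_WEBHOOK_URL }}
+# else
+# echo "\u2705 No secrets found."
+# fi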
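Review bot: The CredScan prerequisite step fetches `dotnet-install.sh` over the network and executes it with no integrity check, so the job trusts whatever that URL serves on every run; the SDK version is pinned but the installer itself is not. Replace the `wget`/`chmod`/`./dotnet-install.sh` lines with the official action pinned to a commit, `- uses: actions/setup-dotnet@<full-commit-sha>  # <release tag>` / `with:` / `dotnet-version: '6.0.415'`, which should also make the manual `DOTNET_ROOT` and `GITHUB_PATH` exports unnecessary (and confirm CredScan still needs .NET 6, which is past Microsoft's support window). `git checkout ${{ github.ref_name }}` in the checkout step puts a ref name straight into the shell; pass it via `env:` and quote it, as for the branch input in msdo-reusable.yml. The commented-out Teams alert block at the end is dead code that references `secrets.TEAMS_WEBHOOK_URL`; either finish it or remove it rather than shipping it disabled.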
