This action runs the Microsoft Security DevOps CLI for security analysis:

• Installs the Microsoft Security DevOps CLI
• Installs the latest Microsoft security policy
• Installs the latest Microsoft and 3rd party security tools
• Automatic or user-provided configuration of security tools
• Execution of a full suite of security tools
• Normalized processing of results into the SARIF format
• Build breaks and more

The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

See action.yml

Run Microsoft Security DevOps (MSDO) with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: |
      3.1.x
      5.0.x
      6.0.x
- name: Run Microsoft Security DevOps
  uses: microsoft/security-devops-action@preview
  id: msdo
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.msdo.outputs.sarifFile }}

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running MSDO. MSDO sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.msdo.outputs.sarifFile }}

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the MSDO action's output.

The scripts and documentation in this project are released under the MIT License

Contributions are welcome! See the Contributor's Guide.