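---
# Microsoft Security DevOps (MSDO) scan on pushes to main.
# Flow: checkout -> detect which analyzers have matching files -> run MSDO with
# only those analyzers -> upload the SARIF to the Security tab (public repos).
name: MSDO

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main

jobs:
  sample:
    name: Microsoft Security DevOps
    runs-on: windows-latest
    permissions:
      contents: read
      # NOTE(review): no step in this job visibly uses an OIDC token; if nothing
      # else depends on it, drop id-token: write to keep the job at least privilege.
      id-token: write
      actions: read
      security-events: write  # required by codeql-action/upload-sarif
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Decide which MSDO analyzers to enable from the files present in the
      # checkout. The result is exported as TOOLS (possibly empty) through
      # GITHUB_ENV so the later steps can be gated with `if:`; a bare `exit 0`
      # would only end this step and the scan would still run.
      - name: Set environment variables for tools
        shell: pwsh
        run: |
          # Enumerate the tree once; every check below filters this list.
          $repoFiles = Get-ChildItem -Recurse -File

          # True when any file carries one of the given extensions (string
          # comparison in PowerShell is case-insensitive by default).
          function Test-AnyExtension([string[]]$Extensions) {
            return [bool]($repoFiles | Where-Object { $_.Extension -in $Extensions } | Select-Object -First 1)
          }

          $tools = @()

          # ESLint: JavaScript / TypeScript sources
          if (Test-AnyExtension '.js', '.jsx', '.ts', '.tsx') {
            $tools += 'eslint'
            echo "ESLint enabled - JS/JSX/TS/TSX files detected."
          } else {
            echo "ESLint skipped - No JS/JSX/TS/TSX files found."
          }

          # BinSkim: compiled Windows binaries
          if (Test-AnyExtension '.exe', '.dll') {
            $tools += 'binskim'
            echo "BinSkim enabled - EXE/DLL files detected."
          } else {
            echo "BinSkim skipped - No EXE/DLL files found."
          }

          # Bandit: Python sources
          if (Test-AnyExtension '.py') {
            $tools += 'bandit'
            echo "Bandit enabled - Python files detected."
          } else {
            echo "Bandit skipped - No Python files found."
          }

          # Checkov: infrastructure-as-code (Terraform, JSON/YAML, Dockerfiles, templates, Bicep)
          if (Test-AnyExtension '.tf', '.json', '.yml', '.yaml', '.dockerfile', '.template', '.bicep') {
            $tools += 'checkov'
            echo "Checkov enabled - Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files detected."
          } else {
            echo "Checkov skipped - No Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files found."
          }

          # Template Analyzer: ARM templates (JSON mentioning "resources" -- a
          # heuristic, any JSON containing that word matches) or Bicep files.
          # Both sources map to the same analyzer, so it is added once rather
          # than once per source, which produced "templateanalyzer,templateanalyzer".
          $armTemplates = $repoFiles |
            Where-Object { $_.Extension -eq '.json' } |
            Select-String -Pattern 'resources' -List
          if ($armTemplates -or (Test-AnyExtension '.bicep')) {
            $tools += 'templateanalyzer'
            echo "Template Analyzer enabled - ARM/Bicep templates detected."
          } else {
            echo "Template Analyzer skipped - No ARM/Bicep templates found."
          }

          # Terrascan: Terraform and JSON/YAML manifests
          if (Test-AnyExtension '.tf', '.json', '.yml', '.yaml') {
            $tools += 'terrascan'
            echo "Terrascan enabled - Terraform/JSON/YML/YAML files detected."
          } else {
            echo "Terrascan skipped - No Terraform/JSON/YML/YAML files found."
          }

          # Trivy: files named exactly "Dockerfile" (extension-style *.dockerfile is not matched here)
          if ($repoFiles | Where-Object { $_.Name -eq 'Dockerfile' } | Select-Object -First 1) {
            $tools += 'trivy'
            echo "Trivy enabled - Dockerfiles detected."
          } else {
            echo "Trivy skipped - No Dockerfiles found."
          }
          # trivy rootfs --input $(docker export <container_id>) - can be included for scanning
          # containers, but requires Docker CLI access and elevated permissions.

          # Joining the list avoids the trailing comma the original built up.
          $toolList = $tools -join ','
          if ($toolList -eq '') {
            echo "No applicable tools found. The MSDO scan will be skipped."
          }
          # Append, never overwrite: Out-File without -Append would discard any
          # variables other steps already wrote to GITHUB_ENV.
          "TOOLS=$toolList" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

      # Run the analyzers only when at least one applicable tool was detected.
      - name: Run Microsoft Security DevOps
        if: env.TOOLS != ''
        id: msdo
        # NOTE(review): "latest" is a mutable ref; pin to a release tag or a full
        # commit SHA (microsoft/security-devops-action@<commit-sha>) so the scanner
        # version cannot change underneath the workflow.
        uses: microsoft/security-devops-action@latest
        with:
          tools: ${{ env.TOOLS }}

      # Explain why no Code Scanning results will appear on a private repository.
      # The value is passed through `env` rather than interpolated into the script
      # so the shell never sees an expression expansion inline.
      - name: Check Repository Visibility
        shell: bash
        env:
          REPO_VISIBILITY: ${{ github.repository_visibility }}
        run: |
          # "internal" repositories do not match "private" and fall through
          # silently, as in the original logic.
          if [ "$REPO_VISIBILITY" = "private" ]; then
            echo "This is a private repository. Code Scanning is not available unless GitHub Advanced Security (GHAS) is enabled."
            echo "For private repositories, consider enabling GHAS or using external security tools like SonarQube or Snyk."
          fi

      # Upload alerts to the Security tab only when a scan actually ran (the
      # sarifFile output is empty otherwise) and the repository is public.
      - name: Upload alerts to Security tab
        if: env.TOOLS != '' && github.repository_visibility == 'public'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}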