MSDO-Netcompany

DESCRIPTION: This repository centrally manages reusable GitHub Actions workflows for secure DevOps pipelines using Microsoft Security DevOps (MSDO), Gitleaks, Trufflehog, Credscan, and SARIF reporting.

It is designed for organizations with restricted environments.
*******************************************************************************

FEATURES

  • Microsoft Security DevOps (MSDO) scanning
  • Tools such as ESLint, Bandit, BinSkim, Checkov, Credscan, Template Analyzer, Terrascan, Trivy, etc.
  • Secret scanning
    • Credscan for code-level secrets
    • Trufflehog for detecting API keys, passwords, and other sensitive data in source code using entropy and regex-based rules
    • Gitleaks for Git history, tokens, config, and sensitive patterns
  • Custom SARIF uploader
  • Defender for Cloud integration supported

*******************************************************************************
           GETTING STARTED GUIDE
*******************************************************************************
  • In each repo you want to scan:
    • Create a workflow file called msdo-repo-pipeline.yml
    • Copy and paste the contents of msdo-repo-pipeline.yml from this repository into your newly created workflow
    • This should trigger and run; review the pipeline run to confirm that it completes
---

INCLUDED WORKFLOWS:

Workflow Name             | Purpose
--------------------------|------------------------------------------------------------
msdo-main-pipeline.yml    | Orchestrates all security scans and uploads
msdo-dynamic-scanning.yml | Performs MSDO scans on infra/code/containers. Currently added to msdo-main-pipeline but commented out
msdo-credscan.yml         | Runs Credscan with the .gdnsettings config for secret detection
msdo-trufflehog.yml       | Runs Trufflehog to detect passwords and secrets using entropy and regex-based rules
msdo-gitleaks.yml         | Git-aware secret scanning using Gitleaks
upload-sarif action       | Composite action to upload SARIF locally. Mainly for uploading to GitHub Security and is commented out, but SARIF is produced where it is needed for upload to Azure
gitleaks.toml             | Custom rule config for Gitleaks
msdo-repo-pipeline.yml    | To be added as a workflow to each repo you want to scan

---

HOW TO RUN:

- Triggers automatically on a push/commit to the develop branch of the repo
- Or run manually via the Actions tab → select the workflow → click "Run workflow"
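As an added example (not the msdo-repo-pipeline.yml shipped by this repository, whose contents are not reproduced here), this is what a caller workflow for the setup described under GETTING STARTED and HOW TO RUN looks like: it runs the central pipeline on a push to develop or on manual dispatch. It assumes msdo-main-pipeline.yml lives under .github/workflows/ in this repository, declares a workflow_call trigger, and is referenced from the main branch; adjust the ref and permissions to match the real file.

```yaml
# msdo-repo-pipeline.yml (example added here; not the file from this repo)
# Place it in .github/workflows/ of the repository to be scanned.
name: MSDO security scan

on:
  push:
    branches: [develop]      # automatic trigger on commits to develop
  workflow_dispatch:         # manual run from the Actions tab

# Least privilege for the caller: read the code, and write security
# events only if the GitHub Code Scanning upload is re-enabled.
permissions:
  contents: read
  security-events: write

jobs:
  msdo:
    # ASSUMPTION: path and ref of the reusable workflow in the central repo.
    # Pin to a tag or commit SHA once one is published, so that a change to
    # the central pipeline cannot silently alter what is scanned or uploaded.
    uses: InsolvencyService/MSDO-Netcompany/.github/workflows/msdo-main-pipeline.yml@main
    secrets: inherit         # pass repo/org secrets the central workflow needs
```

If the central repository is private, the `uses:` reference only resolves when that repository's Actions access setting allows its workflows to be used by other repositories in the organization.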

---

SYSTEM REQUIREMENTS:

- Runner: ubuntu-latest
- .NET 6 SDK is installed via a script in the workflow
- gh CLI is available by default on GitHub-hosted runners
- Gitleaks is downloaded and run as part of the pipeline

---

OUTPUT:

- Results are uploaded to GitHub Code Scanning Alerts. This step is commented out but can be re-enabled if needed.
- Results are ingested into Microsoft Defender for Cloud's DevOps Security
- Results appear under "Recommendations" with a Severity of "HIGH" and a Status of "N/A - Unspecified"