theangrytech-git/MSDO


*******************************************************************************

PROJECT NAME:     MSDO Central Repo
CREATED BY:       THEANGRYTECH-GIT
REPO:             [(MSDO Repo)]

DESCRIPTION:
      This repository centrally manages reusable GitHub Actions workflows for
      secure DevOps pipelines using Microsoft Security DevOps (MSDO), Gitleaks,
      Trufflehog, Credscan, and SARIF reporting.

      It is designed for organizations with restricted environments and does not
      rely on any external GitHub Actions.

*******************************************************************************

FEATURES

  • 🔍 Microsoft Security DevOps (MSDO) scanning
    • Includes tools such as ESLint, Bandit, BinSkim, Checkov, Credscan, Template Analyzer, Terrascan, Trivy, etc.
  • 🔐 Secret scanning
    • Credscan for code-level secrets
    • Trufflehog for detecting API keys, passwords, and other sensitive data in source code using entropy and regex-based rules
    • Gitleaks for Git history, tokens, config, and sensitive patterns
  • 📦 Custom SARIF uploader (no marketplace action)
  • 🌐 Defender for Cloud integration supported
  • 🚫 No external marketplace dependencies — fully self-contained


           GETTING STARTED GUIDE


Use this section to clone or fork this repo and configure the Microsoft Security
DevOps (MSDO) scanning tools in your own environment.


HOW TO SET UP:

  1. Create a Central MSDO Security Repo:
    Create a new repository in your org called MSDO-Security (or a name of your choosing),
    and copy these files from this repository:
    • .github/workflows/msdo-main-pipeline.yml
    • .github/workflows/msdo-dynamic-scanning.yml
    • .github/workflows/msdo-credscan.yml
    • .github/workflows/msdo-gitleaks.yml
    • .github/workflows/msdo-trufflehog.yml
    • .github/actions/upload-sarif/ ← composite action for native SARIF upload
    • gitleaks.toml ← centralized scanning config

  2. Add a GH_TOKEN secret (if needed):
    Navigate to Settings → Secrets and variables → Actions in the central repo and add:

    | Name     | Description |
    | -------- | ----------- |
    | GH_TOKEN | GitHub PAT with repo permissions (optional; usually ${{ secrets.GITHUB_TOKEN }} is sufficient) |

  3. In each repo you want to scan:
    • Create a new workflow file: .github/workflows/msdo-repo-pipeline.yml
    • Copy the contents of msdo-repo-pipeline.yml from the central repo into the newly created workflow
    • The workflow should trigger and run on the next push; review the pipeline run to confirm that it completes
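    As an added illustration (not a file from this repository) of what the per-repo caller workflow from step 3 can look like when the central pipeline is consumed as a reusable workflow. It assumes the central repo is YOUR-ORG/MSDO-Security and that msdo-main-pipeline.yml declares an `on: workflow_call` trigger; the permissions block is the minimum the job needs to upload SARIF to Code Scanning with the default GITHUB_TOKEN.

```yaml
# .github/workflows/msdo-repo-pipeline.yml (illustrative caller workflow; assumes the
# central repo is YOUR-ORG/MSDO-Security and msdo-main-pipeline.yml has `on: workflow_call`)
name: MSDO Security Scan

on:
  push:
    branches: [main]        # matches HOW TO RUN: automatic on push to main
  workflow_dispatch:        # manual run from the Actions tab

# Least privilege for the default GITHUB_TOKEN. security-events: write is what the
# code-scanning SARIF upload endpoint requires; actions: read is needed on private repos.
permissions:
  contents: read
  actions: read
  security-events: write

# Avoid two scans of the same ref racing each other and double-uploading results.
concurrency:
  group: msdo-${{ github.ref }}
  cancel-in-progress: true

jobs:
  msdo:
    # Pin to a tag or commit SHA instead of @main once the central repo is stable, so a
    # change to the central pipeline cannot silently alter what every repo runs.
    uses: YOUR-ORG/MSDO-Security/.github/workflows/msdo-main-pipeline.yml@main
    # Makes this repo's secrets (GH_TOKEN, if you defined one) visible to the reusable workflow.
    secrets: inherit
```

    If MSDO-Security is a private repository, enable access for repositories in the organization under its Settings → Actions → General, otherwise the `uses:` reference fails at run time.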

    ---

    INCLUDED WORKFLOWS:

    | Workflow Name             | Purpose |
    | ------------------------- | ------- |
    | msdo-main-pipeline.yml    | Orchestrates all security scans + uploads |
    | msdo-dynamic-scanning.yml | Performs MSDO scans on infra/code/containers |
    | msdo-credscan.yml         | Runs Credscan with .gdnsettings config for secret detection |
    | msdo-trufflehog.yml       | Runs Trufflehog to detect passwords and secrets using entropy and regex-based rules |
    | msdo-gitleaks.yml         | Git-aware secret scanning using Gitleaks |
    | upload-sarif action       | Composite action for native SARIF upload (no marketplace action) |
    | gitleaks.toml             | Custom rule config for Gitleaks |
    | msdo-repo-pipeline.yml    | To be added to each repo you want to scan as a workflow |

    ---

    HOW TO RUN:

    - Triggers automatically on push/commit to main within the Repo
    - Or run manually via Actions tab → Select workflow → Click Run workflow

    ---

    SYSTEM REQUIREMENTS:

    - Runner: ubuntu-latest
    - .NET 6 SDK is installed via script in workflow
    - gh CLI is available by default on GitHub-hosted runners
    - Gitleaks downloaded and run as part of pipeline
    - No GitHub Marketplace dependencies required

    ---

    OUTPUT:

    - Results are uploaded to GitHub Code Scanning Alerts
    - Optionally ingested into Microsoft Defender for Cloud if configured
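    Added here as an illustration of how the native SARIF upload behind the OUTPUT step can be done; this is an example, not the repository's own upload-sarif action, and the input names are assumptions. It is a composite action that validates the SARIF file and posts it with the preinstalled gh CLI to the Code Scanning SARIF endpoint; the calling job must grant security-events: write.

```yaml
# Illustrative .github/actions/upload-sarif/action.yml (an added example, not this repo's
# own action). Uploads a SARIF file with the gh CLI that is preinstalled on GitHub-hosted
# runners, using the REST endpoint POST /repos/{owner}/{repo}/code-scanning/sarifs.
name: Upload SARIF (native)
description: Upload a SARIF file to Code Scanning without a marketplace action
inputs:
  sarif_file:
    description: Path to the SARIF file produced by the scanner
    required: true
  token:
    description: Token with security-events:write (the default GITHUB_TOKEN is enough)
    required: false
    default: ${{ github.token }}
runs:
  using: composite
  steps:
    - name: Validate and upload
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.token }}
        SARIF_FILE: ${{ inputs.sarif_file }}
      run: |
        set -euo pipefail
        # Fail early on a missing or malformed file rather than letting the API reject it
        # and leaving the job green with no alerts.
        test -s "$SARIF_FILE" || { echo "::error::$SARIF_FILE is missing or empty"; exit 1; }
        jq -e '.version == "2.1.0" and (.runs | type == "array")' "$SARIF_FILE" >/dev/null \
          || { echo "::error::$SARIF_FILE is not a SARIF 2.1.0 log"; exit 1; }
        # The endpoint expects the SARIF gzip-compressed and then base64-encoded.
        SARIF_B64=$(gzip -c "$SARIF_FILE" | base64 -w0)
        # Build the request body with jq and send it via --input so a large report does
        # not hit the command-line length limit.
        jq -n --arg sha "$GITHUB_SHA" --arg ref "$GITHUB_REF" --arg sarif "$SARIF_B64" \
              --arg uri "file://$GITHUB_WORKSPACE" \
              '{commit_sha: $sha, ref: $ref, sarif: $sarif, checkout_uri: $uri}' > payload.json
        gh api --method POST "repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \
          --input payload.json --jq '.id'
        rm -f payload.json
```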

    ---

    NEED HELP?

    Open an issue or contact [@theangrytech-git](https://github.com/theangrytech-git)

    *******************************************************************************
               RESOURCE VISUALISATION
    *******************************************************************************
    *******************************************************************************
                 HIGH LEVEL DESIGN
    *******************************************************************************
    This section will be used to insert a High-Level Design to give an
    impression of how this solution is made up.
    *******************************************************************************

    ![Screenshot of HLD Design.](insert the link here)

    *******************************************************************************
                LOWER LEVEL DESIGN
    *******************************************************************************
    Notes: This section will be used to insert Low-Level Design to give a detailed
    map of how this solution is made up.
    *******************************************************************************

    ![Screenshot of HLD Design.](insert the link here)

    *******************************************************************************
                 ESTIMATED COSTS (£)
    *******************************************************************************
    Daily: £0.00
    Weekly: £0.00
    Monthly: £0.00
    Yearly: £0.00

    *******************************************************************************
                 Roadmap (Planned)
    *******************************************************************************

    - Add Slack/MS Teams alerting
    - Upload SARIF as downloadable artifacts
    - Add cloud cost scanning support
    - Add GitHub Enterprise integration templates
