Create defender-for-devops.yml #357

Merged
Dargon789 merged 3 commits into master from Dargon789-patch-1
Mar 12, 2026
Conversation

Dargon789 (Owner) commented Mar 12, 2026

Summary by Sourcery

CI:

  • Introduce a defender-for-devops GitHub Actions workflow that runs Microsoft Security DevOps on pushes, pull requests, and a weekly schedule, uploading SARIF results to the repository Security tab.

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
vercel bot commented Mar 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| sequence-js-docs | Ready | Preview, Comment | Mar 12, 2026 5:30pm |
| sequence-js-web | Ready | Preview, Comment | Mar 12, 2026 5:30pm |
| sequence.js | Ready | Preview, Comment | Mar 12, 2026 5:30pm |
| wagmi-project | Ready | Preview, Comment | Mar 12, 2026 5:30pm |

gemini-code-assist bot commented

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

sourcery-ai bot commented Mar 12, 2026

Reviewer's Guide

Adds a new GitHub Actions workflow that runs Microsoft Security DevOps on master branch pushes, pull requests, and a weekly schedule, then uploads SARIF results to the repository’s Security tab.

Sequence diagram for new Microsoft Defender For Devops CI workflow execution

```mermaid
sequenceDiagram
  actor Developer
  participant GitHubRepo
  participant GitHubActions
  participant Runner_windows_latest as Runner_windows_latest
  participant MSDOAction as Microsoft_Security_DevOps_Action
  participant CodeQLUpload as CodeQL_Upload_SARIF_Action
  participant SecurityTab as GitHub_Security_Tab

  Developer->>GitHubRepo: push_to_master_or_open_PR
  GitHubRepo->>GitHubActions: trigger_workflow_defender_for_devops
  GitHubActions->>Runner_windows_latest: start_job_MSDO

  Runner_windows_latest->>Runner_windows_latest: actions_checkout_v4
  Runner_windows_latest->>Runner_windows_latest: actions_setup_dotnet_v4_with_5_0_x_and_6_0_x

  Runner_windows_latest->>MSDOAction: run_msdo_action
  MSDOAction-->>Runner_windows_latest: sarifFile_output_path

  Runner_windows_latest->>CodeQLUpload: upload_sarif_with_sarif_file_output
  CodeQLUpload->>SecurityTab: store_and_display_SARIF_results
  SecurityTab-->>Developer: show_security_scan_findings
```

File-Level Changes

Change: Introduce Microsoft Defender for DevOps GitHub Actions workflow to run MSDO and upload SARIF results.

Details:
  • Create a new workflow triggered on master branch pushes, pull requests, and a scheduled cron job.
  • Configure the job to run on windows-latest with checkout and .NET 5/6 setup steps.
  • Invoke the microsoft/security-devops-action to run Microsoft Security DevOps scanning.
  • Upload the generated SARIF results to the repository Security tab using the CodeQL upload-sarif action.

Files: .github/workflows/defender-for-devops.yml

@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • Consider pinning the GitHub Actions (actions/checkout, actions/setup-dotnet, microsoft/security-devops-action, github/codeql-action/upload-sarif) to specific commit SHAs rather than version tags to reduce the risk of breaking changes in your security pipeline.
  • The workflow is configured to trigger only on the master branch; double-check that this matches your default branch name (often main) or update the branch filters accordingly.
  • You are installing both .NET 5.0 and 6.0 even though 5.0 is end-of-life; if MSDO does not require 5.0 specifically, simplifying to only supported versions (e.g., 6.0) will reduce setup time and maintenance overhead.

## Individual Comments

### Comment 1
<location path=".github/workflows/defender-for-devops.yml" line_range="19" />
<code_context>
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Defender For Devops"
+
+on:
</code_context>
<issue_to_address>
**nitpick (typo):** Minor naming consistency issue with "Devops" vs the canonical "DevOps".

This product is officially named “Microsoft Defender for DevOps” (see docs and Azure/GitHub UI). Please update the workflow name to match so it’s easier to recognize and search for.

```suggestion
name: "Microsoft Defender for DevOps"
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/defender-for-devops.yml" line_range="35-44" />
<code_context>
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          5.0.x
+          6.0.x
+    - name: Run Microsoft Security DevOps
+      uses: microsoft/security-devops-action@v1.6.0
+      id: msdo
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}
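Review bot: no `permissions:` block is visible alongside these steps, yet `github/codeql-action/upload-sarif@v3` at the end of the hunk needs `security-events: write` (and `actions/checkout` needs `contents: read`) to post SARIF to the Security tab; unless the repository's default token permissions already grant that, the upload step fails with a permissions error. Add a job-level `permissions:` with those two entries above `runs-on: windows-latest`. Separately, `dotnet-version: 5.0.x` installs an out-of-support runtime on every run; drop it unless MSDO documents a need for it.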
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin third-party actions to specific commit SHAs instead of version tags for better supply-chain security.

Floating tags like `@v4`, `@v3`, or `@v1.6.0` can point to different code over time, creating an untracked supply‑chain risk. Please pin each third‑party action here to a specific commit SHA (and optionally add a comment with the corresponding version for clarity).

Suggested implementation:

```yaml
    steps:
    # actions/checkout@v4
    - uses: actions/checkout@<COMMIT-SHA-FOR-actions/checkout-v4>
    # actions/setup-dotnet@v4
    - uses: actions/setup-dotnet@<COMMIT-SHA-FOR-actions/setup-dotnet-v4>
      with:
        dotnet-version: |
          5.0.x
          6.0.x
    - name: Run Microsoft Security DevOps
      # microsoft/security-devops-action@v1.6.0
      uses: microsoft/security-devops-action@<COMMIT-SHA-FOR-microsoft/security-devops-action-v1.6.0>
      id: msdo
    - name: Upload results to Security tab
      # github/codeql-action/upload-sarif@v3
      uses: github/codeql-action/upload-sarif@<COMMIT-SHA-FOR-github/codeql-action-v3>
      with:
        sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

To fully implement the hardening recommendation, you should replace each `<COMMIT-SHA-FOR-…>` placeholder with the actual immutable commit SHA that corresponds to the currently used tag:

1. For each action:
   - Go to its GitHub repository (e.g., `https://github.com/actions/checkout`).
   - Switch to the tag you are currently using (`v4`, `v4`, `v1.6.0`, `v3` respectively).
   - Copy the full commit SHA shown for that tag.
2. Substitute the placeholders with those SHAs, keeping the comments that document which tag the SHA corresponds to.

This keeps the workflow behavior identical while pinning the supply chain to specific, auditable revisions.
</issue_to_address>

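Sourcery's suggestion above leaves the tag-to-SHA lookup as a manual step. As an added example (not from the PR and not Sourcery's output), the Python below resolves a tag from `git ls-remote --tags` output, preferring the peeled commit of an annotated tag over the tag object, and rewrites the workflow's `uses:` lines, keying on the repository so sub-actions such as `github/codeql-action/upload-sarif` share their repository's SHA; the ls-remote output and the SHAs are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Matches `uses: owner/repo[/subpath]@ref`; any trailing comment lands in `rest`.
USES_RE = re.compile(
    r"^(?P<head>\s*-?\s*uses:\s*)(?P<repo>[\w.-]+/[\w.-]+)"
    r"(?P<path>/[^@\s]+)?@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed `git ls-remote --tags` output for one action; the SHAs are
# placeholders, not the real commits behind any published tag.
FAKE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v4\n"
    "2222222222222222222222222222222222222222\trefs/tags/v4^{}\n"
)


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Commit SHA for `tag` from ls-remote output.

    An annotated tag is listed twice: `refs/tags/v4` is the tag object and
    `refs/tags/v4^{}` the peeled commit. `uses:` needs the commit, so the
    peeled SHA wins whenever it is present.
    """
    tag_sha = peeled = None
    for line in ls_remote_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            tag_sha = sha
    return peeled or tag_sha


def pin_line(line: str, shas: Dict[Tuple[str, str], str]) -> str:
    """Rewrite one `uses:` line to a commit SHA, keeping the old tag as a comment."""
    m = USES_RE.match(line)
    if not m or SHA_RE.fullmatch(m["ref"]):
        return line                        # not a uses: line, or already pinned
    sha = shas.get((m["repo"], m["ref"]))  # keyed on repo, not the sub-action path
    if sha is None:
        return line                        # unknown tag: leave for manual review
    rest = m["rest"] if m["rest"].strip() else f"  # {m['ref']}"
    return f"{m['head']}{m['repo']}{m['path'] or ''}@{sha}{rest}"


def pin_workflow(text: str, shas: Dict[Tuple[str, str], str]) -> str:
    """Apply pin_line to every line of a workflow file."""
    return "\n".join(pin_line(line, shas) for line in text.splitlines())
```

Feed `pin_workflow` the workflow text and a mapping built from `resolve_tag` over real `git ls-remote --tags` output for each repository; lines whose tag is not in the mapping are left untouched for review.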

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
snyk-io bot commented Mar 12, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| 🔚 | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@Dargon789 Dargon789 linked an issue Mar 18, 2026 that may be closed by this pull request
Successfully merging this pull request may close these issues.

[vc]: #wagmi@foundry-deployment-team Microsoft Defender For Devops CI workflow execution