Adding Defender CLI#213

Open
omerb97 wants to merge 19 commits into microsoft:main from omerb97:main

@omerb97 omerb97 commented Mar 18, 2026

This pull request introduces significant improvements to the GitHub Action's documentation, workflow validation, and code organization for Defender for DevOps. The changes include new self-hosted validation workflows for both v1 and v2, a comprehensive documentation file for contributors, updates to the action's entry points, and the addition of a new container-mapping implementation for v2. These updates enhance clarity, maintainability, and support for advanced scanning scenarios.

Documentation enhancements:

  • Added .github/copilot-instructions.md with build, test, architecture, and conventions for contributors, improving onboarding and maintenance.

Workflow validation improvements:

  • Added .github/workflows/self-hosted-validation-v1.yml for MSDO v1 self-hosted security scan validation.
  • Added .github/workflows/self-hosted-validation-v2.yml for Defender CLI v2 self-hosted image, model, and filesystem scan validation.

Codebase and entry point updates:

  • Updated action.yml to reference lib/v1/main.js, lib/v1/pre.js, and lib/v1/post.js as entry points, supporting clearer version separation.

New functionality:

  • Added lib/v2/container-mapping.js, implementing the v2 container mapping logic for pre/post job Docker event/image collection and reporting to Defender for DevOps.

Omer Bareket and others added 15 commits March 15, 2026 16:50
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add v2 Defender CLI implementation (filesystem, image, model scans)
- Restructure src/ and lib/ into v1/ and v2/ folders
- Port defender-client and defender-installer from AzDevOps task-lib
- Add job summary with SARIF parsing for GitHub Actions
- Add self-hosted validation workflow for image scan testing
- Add 70 new tests for v2 components

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…eme)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Revert action.yml to v1 MSDO inputs (paths updated to lib/v1/)
- Create v2/action.yml for Defender CLI v2
- Split self-hosted-validation into v1 and v2 workflows
- v1 workflow uses ./ (root action.yml)
- v2 workflow uses ./v2/ (v2 action.yml)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Policy variations: github, microsoft, none, azuredevops, mdc
- Break on critical: image (vuln), model (vuln), fs
- Debug logging: image with debug=true
- PR summary toggle: image with pr-summary=false
- Custom args: image with --defender-list-findings
- Different images: nginx, pycontribs/ubuntu (vulnerable)
- Defaults only: no inputs (verify all defaults)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@omerb97 omerb97 requested a review from a team as a code owner March 18, 2026 13:15
Omer Bareket and others added 2 commits March 19, 2026 10:17
Signed-off-by: Omer Bareket <34472645+omerb97@users.noreply.github.com>

omerb97 commented Mar 19, 2026

@microsoft-github-policy-service agree company="Microsoft"
