Skip to content

feat(ci): add nightly MSDO toolchain breach monitor#219

Merged
jbrotsos merged 1 commit into
mainfrom
feat/msdo-breach-monitor
Mar 21, 2026
Merged

feat(ci): add nightly MSDO toolchain breach monitor#219
jbrotsos merged 1 commit into
mainfrom
feat/msdo-breach-monitor

Conversation

@DimaBir

@DimaBir DimaBir commented Mar 21, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Adds a nightly GitHub Agentic Workflow that monitors for supply chain breaches affecting MSDO toolchain (Trivy, Checkov, Bandit, ESLint, BinSkim, Template Analyzer, Terrascan, AntiMalware, Container Mapping)
  • Creates a labeled GitHub issue ONLY when an incident is found — stays silent when everything is clean
  • Adds .github/toolchain-inventory.yml as source of truth for monitored tools (derived from src/msdo-helpers.ts Tools enum)

Key design decisions

  • on.roles: [write] — only write-access users can manually trigger
  • engine: id: copilot — uses org-level Copilot (not personal subscription)
  • lockdown: false — matches CI Doctor pattern
  • permissions: contents: read, issues: read — minimal; all writes via safe-outputs only
  • safe-outputs: create-issue max: 1 — capped issue creation with explicit label allowlist
  • cron: daily (fuzzy schedule) — avoids load spikes
  • Network allowlist — scoped to GitHub + NVD/CVE/OSV security databases
  • Tool versions noted as "latest (runtime-resolved)" since MSDO CLI resolves all tool versions dynamically via NuGet at runtime
  • Compiled with gh-aw v0.61.0, all actions SHA-pinned

Files

File Purpose
.github/toolchain-inventory.yml What tools we use (source of truth)
.github/workflows/msdo-breach-monitor.md Agentic workflow definition
.github/workflows/msdo-breach-monitor.lock.yml Compiled Actions workflow (auto-generated)
.github/aw/actions-lock.json Added v0.61.0 SHA entry

Test plan

  • Trigger manually: gh workflow run msdo-breach-monitor
  • Verify workflow runs with org Copilot (not personal)
  • Verify labels are created on first incident detection
  • Verify no issue is created when no incidents are found
  • Verify role gate: non-write users cannot manually trigger

@DimaBir DimaBir requested a review from a team as a code owner March 21, 2026 10:11
@jbrotsos jbrotsos self-assigned this Mar 21, 2026
@jbrotsos jbrotsos merged commit 0a1ac13 into main Mar 21, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants