Tool Configuration
Dima Birenbaum edited this page Apr 6, 2026
MSDO supports passing arguments to individual security tools via environment variables or `.gdnconfig` configuration files.

Set environment variables in your workflow using the pattern `GDN_<TOOLNAME>_<ARGUMENTID>`, where:

- `<TOOLNAME>` is the tool name in uppercase (e.g., `CHECKOV`, `TRIVY`)
- `<ARGUMENTID>` is the argument ID in PascalCase with no separators (e.g., `DownloadExternalModules`)
```yaml
- uses: microsoft/security-devops-action@latest
  env:
    GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
    GDN_TRIVY_SEVERITIES: "HIGH,CRITICAL"
  with:
    tools: 'checkov,trivy'
```

For complex configurations involving multiple tools or many arguments, use a `.gdnconfig` JSON file:
```json
{
  "fileVersion": "1.0.0",
  "jobs": [{
    "tools": [{
      "tool": { "name": "checkov" },
      "arguments": {
        "DownloadExternalModules": { "values": ["true"] },
        "Framework": { "values": ["terraform"] }
      }
    }]
  }]
}
```

Reference it in your workflow:
```yaml
- uses: microsoft/security-devops-action@latest
  with:
    config: '.msdo.gdnconfig'
```

When to use which: use environment variables for 1-2 settings; use `.gdnconfig` for complex multi-tool configurations.
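The two configuration styles above express the same settings, so a small helper can generate either from one mapping and catch typos in argument IDs before a workflow runs with a silently misspelled setting. This is an added example, not part of the action or this page; the `KNOWN_ARGUMENTS` sets are copied from the Checkov and Trivy tables on this page, and whether a comma-separated value should be one `values` entry or several is an assumption (the page's own example uses a single entry).

```python
import json
import re

# Argument IDs as documented in the Checkov and Trivy tables on this page.
# Extend this map for the other tools (assumption: IDs are case-sensitive).
KNOWN_ARGUMENTS = {
    "checkov": {"DownloadExternalModules", "Framework", "Check", "SkipCheck",
                "ConfigFile", "ExternalChecksDir", "SkipFramework", "TargetDirectory"},
    "trivy": {"Severities", "Scanners", "IgnoreUnfixed", "IgnoreFile",
              "SkipDirectories", "Action", "Target", "TableFormat"},
}


def env_var_name(tool: str, argument_id: str) -> str:
    """Build the GDN_<TOOLNAME>_<ARGUMENTID> variable name MSDO reads."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", argument_id):
        raise ValueError(f"argument ID must be PascalCase, no separators: {argument_id!r}")
    return f"GDN_{tool.upper()}_{argument_id.upper()}"


def validate(settings: dict) -> None:
    """Reject tools and argument IDs that are not in the documented tables."""
    for tool, args in settings.items():
        known = KNOWN_ARGUMENTS.get(tool.lower())
        if known is None:
            raise ValueError(f"unknown tool: {tool}")
        unknown = sorted(set(args) - known)
        if unknown:
            raise ValueError(f"{tool}: undocumented argument IDs {unknown}")


def to_env(settings: dict) -> dict:
    """Environment-variable form: {'GDN_TRIVY_SEVERITIES': 'HIGH,CRITICAL', ...}."""
    validate(settings)
    return {env_var_name(t, a): v for t, args in settings.items() for a, v in args.items()}


def to_gdnconfig(settings: dict) -> dict:
    """.gdnconfig form with the fileVersion/jobs/tools/arguments layout shown above."""
    validate(settings)
    tools = [{"tool": {"name": t.lower()},
              "arguments": {a: {"values": [v]} for a, v in args.items()}}
             for t, args in settings.items()]
    return {"fileVersion": "1.0.0", "jobs": [{"tools": tools}]}


def recommend(settings: dict) -> str:
    """Apply the page's guidance: env vars for 1-2 settings, .gdnconfig otherwise."""
    return "env" if sum(len(a) for a in settings.values()) <= 2 else "gdnconfig"


if __name__ == "__main__":
    # Constructed sample: the same settings as the workflow snippet above.
    sample = {"checkov": {"DownloadExternalModules": "true", "Framework": "terraform"},
              "trivy": {"Severities": "HIGH,CRITICAL"}}
    print(recommend(sample))
    print(json.dumps(to_gdnconfig(sample), indent=2))
```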

| Checkov Argument ID | CLI Flag | Description | Example Value |
|---|---|---|---|
| DownloadExternalModules | --download-external-modules | Download external Terraform modules from public git repositories | true |
| Framework | --framework | Limit scan to specific framework (terraform, cloudformation, kubernetes, dockerfile, helm, bicep, arm, etc.) | terraform |
| Check | --check | Checks to run (Checkov IDs or severities) | CKV_AWS_123,HIGH |
| SkipCheck | --skip-check | Checks to skip | CKV_AWS_1,CKV_AWS_2 |
| ConfigFile | --config-file | Path to a Checkov configuration YAML file | .checkov.yml |
| ExternalChecksDir | --external-checks-dir | Directory for custom checks | ./custom-checks |
| SkipFramework | --skip-framework | Frameworks to skip | dockerfile |
| TargetDirectory | --directory | Scan target directory | . |

| Trivy Argument ID | CLI Flag | Description | Example Value |
|---|---|---|---|
| Severities | --severity | Filter by severity (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) | HIGH,CRITICAL |
| Scanners | --scanners | Scanner types (vuln, config, secret, license) | vuln,secret |
| IgnoreUnfixed | --ignore-unfixed | Ignore unfixed vulnerabilities | true |
| IgnoreFile | --ignorefile | Path to a Trivy ignore file | .trivyignore |
| SkipDirectories | --skip-dirs | Directories to skip | node_modules,vendor |
| Action | (positional) | Scan type: filesystem, image, repository | filesystem |
| Target | (positional) | Scan target | . |
| TableFormat | --format | Output format (sarif, json, text) | sarif |

| ESLint Argument ID | CLI Flag | Description | Example Value |
|---|---|---|---|
| ConfigurationFile | --config | Additional ESLint configuration file | .eslintrc.js |
| Rules | --rule | Additional rules to merge | no-console: error |
| Quiet | --quiet | Suppress warnings | true |
| MaxWarnings | --max-warnings | Warning threshold for error exit | 10 |
| Parser | --parser | Parser for ESLint | @typescript-eslint/parser |
| ExclusionPatterns | --ignore-pattern | File patterns to ignore | *.d.ts |

| Terrascan Argument ID | CLI Flag | Description | Example Value |
|---|---|---|---|
| IacType | --iac-type | IaC type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan) | terraform |
| Severity | --severity | Minimum severity to report | HIGH |
| SkipRules | --skip-rules | Rules to skip | AC_AWS_001,AC_AWS_002 |
| ScanRules | --scan-rules | Specific rules to scan | AC_AWS_001 |
| PolicyType | --policy-type | Policy type (all, aws, azure, gcp, github, k8s) | azure |
| IacDir | --iac-dir | Directory containing IaC files | . |
| OutputType | --output | Output format (sarif, json, yaml, human) | github-sarif |