
Publish Security Scans

Deprecation Notice

This project is no longer actively maintained and has had some deficiencies for some time now. If anyone is interested in implementing the action logic on their own or forking the repo, feel free to do so.

This action may be archived in the future, but it will still be consumable in workflows; it just won't be maintained.


This action can be used to publish security assessments done as part of CI workflows on GitHub to Azure Security Center (ASC). This helps improve the security posture of Azure resources by shifting left: scans performed earlier in the software supply chain become visible in ASC.


To use this action, the following prerequisites must be met on Azure -

  • Enable the container registry bundle on ASC: this is required to enable container image security insights. Refer to the documentation for more information.
  • Configure an Application Insights workspace: scan assessments are published to this workspace and are then picked up by ASC. Going forward, ASC will introduce managed workspaces that can be used instead of creating your own.

Action Inputs

| Input | Description | Default value |
| --- | --- | --- |
| artifact-type | (Required) The type of artifact scanned. Supported values: containerImage. | containerImage |
| artifact-id | (Optional) Unique identifier for the artifact. For artifact-type containerImage, the action takes the image digest by default, using the docker CLI. | Container image digest |
| subscription-token | (Required) ASC subscription token, which can be found on the ASC portal. | - |
| instrumentation-key | (Optional) Instrumentation key of the Application Insights instance. Note: either this or connection-string must be provided. | - |
| connection-string | (Optional) Connection string of the Application Insights instance. Note: either this or instrumentation-key must be provided. | - |
| scan-provider | (Required) The tool used to scan the artifact. Supported values: trivy. For artifact-type containerImage, the default value is trivy. | trivy |
| scan-results-path | (Required) Path to the file containing the scan results. The supported file types and schema depend on the scan-provider. | - |

Sample Yaml snippets

Publish container scan results to ASC

- name: Publish container scan results to ASC
  uses: azure/publish-security-assessments@v0
  with:
    artifact-type: containerImage
    subscription-token: ${{ secrets.asc_subscription_token }}
    instrumentation-key: ${{ secrets.ai_instrumentation_key }}
    scan-results-path: <path-to-scan-results-file>

End to end workflow

The following is an example of how this action can be combined with other actions to set up a CI workflow.

This workflow does the following -

  • Build a docker image
  • Scan the docker image for any security vulnerabilities
  • Publish scan results to ASC
  • Publish it to your private container registry.

on: [push]

jobs:
  build-scan-publish:   # the job id is arbitrary; any name works
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master

    - run: docker build . -t contoso.azurecr.io/k8sdemo:${{ github.sha }}

    - name: Scan container image for vulnerabilities
      id: container_scan
      uses: Azure/container-scan@v0
      with:
        image-name: contoso.azurecr.io/k8sdemo:${{ github.sha }}

    - name: Publish container scan results to ASC
      uses: azure/publish-security-assessments@v0
      with:
        artifact-type: containerImage
        subscription-token: ${{ secrets.asc_subscription_token }}
        instrumentation-key: ${{ secrets.ai_instrumentation_key }}
        # the scan step above exposes the report path as an output
        scan-results-path: ${{ steps.container_scan.outputs.scan-report-path }}

    - uses: Azure/docker-login@v1
      with:
        login-server: contoso.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}

    - run: docker push contoso.azurecr.io/k8sdemo:${{ github.sha }}

Scan Results Schema

Container Scan result

{
  "imageName": "nginx:1.17",
  "vulnerabilityScanTimestamp": "2020-12-01T08:28:54.245Z",
  "vulnerabilities": [
    {
      "vulnerabilityId": "CVE-2020-10878",
      "packageName": "perl-base",
      "severity": "HIGH",
      "description": "..."
    }
  ],
  "bestPracticeViolations": [
    {
      "code": "CIS-DI-0001",
      "title": "Create a user for the container",
      "level": "WARN",
      "alerts": "Last user should not be root"
    }
  ]
}

Sample ScanResult event

{
    "name": "MS.CloudSecurity.CI.ScanResult",
    "properties": {
        "__version": "0.1",
        "context": {
            "artifactType": "containerImage",
            "artifactId": "sha256:d8a928b2043db77e340b523547bf16cb4aa483f0645fe0a290ed1f20aab76257",
            "requestId": "7a432b5e-dfbd-4a83-a72a-03c15a43606c",
            "token": "***"
        },
        "workflow": {
            "provider": "githubAction",
            "runUrl": "https://github.com/octocat/hello-world/actions/runs/12345",
            "repositoryUrl": "https://github.com/octocat/hello-world",
            "additionalData": {
                "GITHUB_REF": "refs/heads/check",
                "GITHUB_SHA": "eca0572326b3a8bb4423c8ab2482d1e9f59df6c3"
            }
        },
        "vulnscan": {
            "provider": "trivy",
            "scanTime": "2021-06-14T11:05:33.154Z",
            "identifiers": [
                {
                    "severity": "HIGH",
                    "type": "cve",
                    "values": ["..."]
                },
                {
                    "severity": "CRITICAL",
                    "type": "cve",
                    "values": ["..."]
                }
            ],
            "allowList": []
        }
    }
}
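As an added example (not the action's own code), the following Python validates a container scan result file in the schema shown above and groups its CVEs by severity the way the vulnscan.identifiers list of the ScanResult event does. The sample input is constructed: CVE-2020-10878 is taken from the page, the other ids and package names are placeholders, and treating non-CVE ids as "unmapped" is an assumption, since the page only shows type "cve".

```python
import json
from datetime import datetime

REQUIRED_TOP = ("imageName", "vulnerabilityScanTimestamp", "vulnerabilities")
REQUIRED_VULN = ("vulnerabilityId", "packageName", "severity")
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def validate_scan_result(doc):
    """Raise ValueError if doc does not match the container scan result schema."""
    missing = [k for k in REQUIRED_TOP if k not in doc]
    if missing:
        raise ValueError(f"scan result is missing top-level fields: {missing}")
    # ISO 8601 timestamp with a trailing Z; fromisoformat wants +00:00 on older Pythons
    datetime.fromisoformat(doc["vulnerabilityScanTimestamp"].replace("Z", "+00:00"))
    for entry in doc["vulnerabilities"]:
        missing = [k for k in REQUIRED_VULN if k not in entry]
        if missing:
            raise ValueError(f"vulnerability entry {entry} is missing {missing}")
    return True

def build_identifiers(doc):
    """Group CVE ids by severity as vulnscan.identifiers does in the ScanResult event
    (de-duplicated, most severe first); non-CVE ids are returned separately, not dropped."""
    validate_scan_result(doc)
    by_severity, unmapped = {}, []
    for entry in doc["vulnerabilities"]:
        vid = entry["vulnerabilityId"]
        if not vid.startswith("CVE-"):
            unmapped.append(vid)  # assumption: only CVEs map to type "cve"
            continue
        values = by_severity.setdefault(entry["severity"].upper(), [])
        if vid not in values:  # the same CVE usually hits several packages
            values.append(vid)
    # known severities in their order, any unexpected label sorted after them
    def rank(s): return (SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER), s)
    identifiers = [{"severity": s, "type": "cve", "values": by_severity[s]}
                   for s in sorted(by_severity, key=rank)]
    return identifiers, unmapped

# Constructed input in the schema above; only CVE-2020-10878 comes from the page.
SAMPLE = json.loads("""{
  "imageName": "nginx:1.17",
  "vulnerabilityScanTimestamp": "2020-12-01T08:28:54.245Z",
  "vulnerabilities": [
    {"vulnerabilityId": "CVE-2020-10878", "packageName": "perl-base", "severity": "HIGH", "description": "..."},
    {"vulnerabilityId": "CVE-2020-10878", "packageName": "perl-modules-5.28", "severity": "HIGH", "description": "..."},
    {"vulnerabilityId": "CVE-2099-00001", "packageName": "libexample1", "severity": "CRITICAL", "description": "..."},
    {"vulnerabilityId": "NOT-A-CVE-0001", "packageName": "libexample1", "severity": "LOW", "description": "..."}
  ]
}""")
```

Running `build_identifiers(SAMPLE)` yields one CRITICAL and one HIGH identifier entry (the duplicate CVE collapses) plus the non-CVE id in the unmapped list.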


