Add Microsoft Defender for DevOps workflow

[cute-omega]

This workflow integrates Microsoft Security DevOps for static analysis.

Ⅰ. 描述此PR的作用：

Ⅱ. 此PR修复了哪个issue吗？

Ⅲ. 界面变化截屏

[Copilot]

Pull request overview

Adds a GitHub Actions workflow to run Microsoft Security DevOps (MSDO) static analysis and publish results to GitHub’s Security tab via SARIF upload.

Changes:

• Introduces a new defender-for-devops.yml workflow triggered on pushes/PRs to master and on a weekly schedule.
• Runs microsoft/security-devops-action and uploads generated SARIF to GitHub code scanning.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[cute-omega]

@copilot 这一份PR里使用Microsoft Security DevOps是干什么的？

[Copilot]

@copilot 这一份PR里使用Microsoft Security DevOps是干什么的？

这个 PR 引入了 Microsoft Security DevOps (MSDO) 工作流，主要用于静态代码分析和安全扫描。具体来说，它做以下几件事：

1. 运行静态分析工具：microsoft/security-devops-action 会自动安装并运行多种安全扫描工具（如反恶意软件扫描、依赖项漏洞检测、配置错误检查等），分析仓库中的代码。

2. 上传扫描结果：扫描完成后，结果会以 SARIF 格式上传到 GitHub 的 Security 标签页，方便在 GitHub 界面上直接查看安全问题和警告。

3. 持续检测：工作流会在每次推送到 master 分支、每个 PR 以及每周定期自动运行，确保代码安全问题能被及时发现。

简而言之，这是为项目添加的一层自动化安全检查，帮助发现代码中潜在的安全漏洞。

[cute-omega]

@copilot 我还需要什么手动配置吗？还是说可以直接合并？

[Copilot]

@copilot 我还需要什么手动配置吗？还是说可以直接合并？

取决于你的目标：

如果只需要在 GitHub Security 标签页查看扫描结果，可以直接合并，无需额外配置——工作流本身已包含所需权限（security-events: write）。

如果需要将数据上报到 Microsoft Defender for Cloud（Azure），则合并前需要手动完成以下配置：

1. 在 Azure 中将 GitHub 组织与 Microsoft Defender for Cloud 集成
2. 授予相应权限

详见官方文档：https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github

如果只是想做基础的代码安全扫描，直接合并即可。