Skip to content
Latchkey

Bicep Security Scan workflow (Azure-Samples/rag-postgres-openai-python)

The Bicep Security Scan workflow from Azure-Samples/rag-postgres-openai-python, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: Azure-Samples/rag-postgres-openai-python.github/workflows/bicep-security-scan.yamlLicense MITView source

What it does

This is the Bicep Security Scan workflow from the Azure-Samples/rag-postgres-openai-python repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Bicep Security Scan
on:
  push:
    branches: [ main ]
    paths:
      - "infra/**"
  pull_request:
    branches: [ main ]
    paths:
      - "infra/**"
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build Bicep for linting
        uses: azure/CLI@v2
        with:
          inlineScript: |
            export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
            az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout

      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        continue-on-error: true
        with:
          tools: templateanalyzer

      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: github.repository == 'Azure-Samples/azure-search-openai-demo'
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Bicep Security Scan
on:
  push:
    branches: [ main ]
    paths:
      - "infra/**"
  pull_request:
    branches: [ main ]
    paths:
      - "infra/**"
  workflow_dispatch:
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  build:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
 
      - name: Build Bicep for linting
        uses: azure/CLI@v2
        with:
          inlineScript: |
            export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
            az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
 
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        continue-on-error: true
        with:
          tools: templateanalyzer
 
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: github.repository == 'Azure-Samples/azure-search-openai-demo'
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow