Summary

This PR adds Microsoft's Attack Surface Analyzer (ASA) as a security test to the Windows packaging workflow. ASA helps identify potential security vulnerabilities and unexpected system changes introduced during PowerShell package installation.

ASA runs in a clean Windows container for the x64/stable matrix configuration only to eliminate noise from pre-installed PowerShell 7, build/packaging/testing activities, and other running tasks on the GitHub Actions runner.

Changes

Modified .github/workflows/windows-packaging-reusable.yml to integrate Attack Surface Analyzer testing using Windows containers:

1. Added x64/stable matrix configuration - New matrix entry with runASA: true flag
2. Build MSI on Host - Runs Invoke-CIFinish on the normal GitHub Actions runner to build packages
3. Container-Based ASA Testing - Launches a clean Windows container (mcr.microsoft.com/dotnet/sdk:9.0-windowsservercore-ltsc2022) to run ASA:
   • Installs Attack Surface Analyzer .NET global tool (pinned to version 2.3.328) in container
   • Takes baseline snapshot of clean container state (no pre-installed PowerShell)
   • Installs only the PowerShell MSI in container (no build/packaging/testing noise)
   • Takes post-installation snapshot
   • Exports comparison results with SARIF format
   • Copies results back to host for artifact upload
4. Upload Results - Uploads ASA output files (summary, detailed results, SARIF, database, and install log) as artifacts for later analysis
5. Conditional Execution - All ASA steps include if: matrix.runASA == true condition to skip execution for all other matrix configurations

Modified .github/actions/infrastructure/path-filters/action.yml:

• Added .github/workflows/windows-packaging-reusable.yml to the packagingChanged filter

How It Works

Attack Surface Analyzer performs a differential analysis in an isolated Windows container by:

• Launching a clean Windows Server Core container with .NET SDK 9.0
• Installing ASA and taking a baseline snapshot (clean container, no PowerShell installed)
• Installing the PowerShell MSI that was built on the host
• Taking a post-installation snapshot
• Comparing the snapshots to identify changes to:
  • File system (PowerShell installation directories)
  • Registry
  • Services
  • Network ports
  • User accounts
  • Windows event logs
• Uploading all analysis results as GitHub Actions artifacts

This container-based approach eliminates noise from:

• Pre-installed PowerShell 7 on GitHub Actions runners
• Build, packaging, and testing processes
• Other running tasks and processes on the host

The MSI is built on the normal GitHub Actions runner where all build tools are available, then copied into a clean container for isolated testing.

Performance Optimizations

To ensure fast execution and reduce noise, ASA is configured with:

• Container Isolation: Runs in clean mcr.microsoft.com/dotnet/sdk:9.0-windowsservercore-ltsc2022 container without pre-installed PowerShell
• Single Configuration: Only runs for x64/stable matrix configuration (skips x64/preview, x86/stable, x86/preview, arm64/preview)
• Targeted Collectors: Only uses collectors relevant to package installation (File, Service, Registry, User, Port, EventLog)
• Limited Filesystem Scanning: Scans only PowerShell installation directories (C:\Program Files\PowerShell and C:\Program Files (x86)\PowerShell)
• Excluded Collectors: Skips slow collectors not relevant to package testing (WiFi, TPM, Cryptographic Keys, Firewall, COM, Certificates)
• Process Isolation: Uses --isolation process for better performance on Windows runners

Benefits

• Enhanced Security: Automatically detects unexpected system changes during package installation
• Early Detection: Identifies potential security issues before packages are released
• Clean Baseline: Container provides pristine Windows environment without pre-installed software
• No Build Noise: Eliminates false positives from build, packaging, and testing processes
• Isolated Testing: Container isolation ensures only MSI installation changes are captured
• Compliance: Provides audit trail of system changes for security reviews
• CI Integration: Runs automatically as part of the packaging workflow
• Reproducible: Version pinned to 2.3.328 and uses specific container image for consistent behavior
• Fast Execution: Optimized collector configuration and container isolation reduces execution time
• Analysis Ready: All results uploaded as artifacts including install logs for troubleshooting

Matrix Configuration

ASA execution status by configuration:

• ✅ x64/stable - ASA enabled in Windows container (newly added)
• ❌ x64/preview - ASA disabled
• ❌ x86/stable - ASA disabled
• ❌ x86/preview - ASA disabled
• ❌ arm64/preview - ASA disabled

Testing

• YAML syntax validated with yamllint
• CodeQL security analysis passed with no vulnerabilities
• Implementation follows GitHub Actions best practices
• Path filters updated to ensure the workflow triggers correctly on changes
• Container-based approach tested with volume mounts and PowerShell script execution

References

• Attack Surface Analyzer GitHub Repository
• Attack Surface Analyzer Documentation
• Microsoft .NET SDK Container Images

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.