microsoft
diff --git a/‎.github/workflows/dependency-pinning-scan.yml‎
Lines changed: 0 additions & 26 deletions b/‎.github/workflows/dependency-pinning-scan.yml‎
Lines changed: 0 additions & 26 deletions
diff --git a/‎scripts/security/Test-ActionVersionConsistency.ps1‎
Lines changed: 57 additions & 0 deletions b/‎scripts/security/Test-ActionVersionConsistency.ps1‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎scripts/security/Test-DependencyPinning.ps1‎
Lines changed: 37 additions & 22 deletions b/‎scripts/security/Test-DependencyPinning.ps1‎
Lines changed: 37 additions & 22 deletions
@@ -121,32 +121,6 @@ jobs:
             Write-Host "Compliance Score: $complianceScore%"
             Write-Host "Unpinned Dependencies: $unpinnedCount"
             Write-Host "Is Compliant (>=$threshold%): $isCompliant"
-            
-            # Fire GitHub Actions warnings for each violation
-            if ($unpinnedCount -gt 0) {
-              # Escape function to prevent workflow command injection
-              function ConvertTo-GHAEscaped($Value, [switch]$ForProperty) {
-                if ([string]::IsNullOrEmpty($Value)) { return $Value }
-                $escaped = $Value -replace '%', '%25'
-                $escaped = $escaped -replace "`r", '%0D'
-                $escaped = $escaped -replace "`n", '%0A'
-                $escaped = $escaped -replace '::', '%3A%3A'
-                if ($ForProperty) {
-                  $escaped = $escaped -replace ':', '%3A'
-                  $escaped = $escaped -replace ',', '%2C'
-                }
-                return $escaped
-              }
-              
-              foreach ($violation in $report.Violations) {
-                $escapedFile = ConvertTo-GHAEscaped $violation.File -ForProperty
-                $escapedName = ConvertTo-GHAEscaped $violation.Name
-                $escapedVersion = ConvertTo-GHAEscaped $violation.Version
-                $escapedType = ConvertTo-GHAEscaped $violation.Type
-                $escapedSeverity = ConvertTo-GHAEscaped $violation.Severity
-                Write-Output "::warning file=$escapedFile,line=$($violation.Line)::Unpinned $escapedType dependency: $escapedName@$escapedVersion (Severity: $escapedSeverity)"
-              }
-            }
           }
           else {
             Write-Error "Failed to generate dependency pinning report"
 
@@ -94,6 +94,14 @@ function Write-ConsistencyLog {
     }
 
     Write-Host "[$timestamp] [$Level] $Message" -ForegroundColor $color
+
+    # Surface warnings and errors as CI annotations so they appear in the Actions/ADO UI
+    if ($Level -eq 'Warning') {
+        Write-CIAnnotation -Message $Message -Level Warning
+    }
+    elseif ($Level -eq 'Error') {
+        Write-CIAnnotation -Message $Message -Level Error
+    }
 }
 
 function Get-ActionVersionViolations {
@@ -391,9 +399,58 @@ function Invoke-ActionVersionConsistency {
     Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' })
     Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' })
 
+    # Emit CI annotations per violation
+    foreach ($violation in $violations) {
+        $annotationLevel = switch ($violation.Severity) {
+            'High' { 'Error' }
+            'Medium' { 'Warning' }
+            default { 'Notice' }
+        }
+        Write-CIAnnotation `
+            -Message "$($violation.ViolationType): $($violation.Description)" `
+            -Level $annotationLevel `
+            -File $violation.File `
+            -Line $violation.Line
+    }
+
     # Export report (pipe to Out-Host to prevent pipeline pollution of return value)
     Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions | Out-Host
 
+    # Emit CI step summary
+    if ($violations.Count -eq 0) {
+        Write-CIStepSummary -Content @"
+## Action Version Consistency
+
+:white_check_mark: **Status**: Passed
+
+All $($result.TotalActions) SHA-pinned actions have consistent version comments.
+"@
+    }
+    else {
+        $summaryLines = [System.Collections.ArrayList]::new()
+        [void]$summaryLines.Add(@"
+## Action Version Consistency
+
+:x: **Status**: Failed
+
+| Metric | Count |
+|--------|-------|
+| SHA-Pinned Actions | $($result.TotalActions) |
+| Version Mismatches | $mismatchCount |
+| Missing Comments | $missingCount |
+
+### Violations
+
+| File | Line | Type | Action | Severity | Description |
+|------|------|------|--------|----------|-------------|
+"@)
+        foreach ($v in $violations) {
+            [void]$summaryLines.Add("| ``$($v.File)`` | $($v.Line) | $($v.ViolationType) | ``$($v.Name)`` | $($v.Severity) | $($v.Description) |")
+        }
+
+        Write-CIStepSummary -Content ($summaryLines -join "`n")
+    }
+
     # Determine exit code
     $exitCode = 0
 
 
@@ -319,7 +319,21 @@ function Write-PinningLog {
     )
 
     $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-    Write-Output "[$timestamp] [$Level] $Message"
+    $color = switch ($Level) {
+        'Info'    { 'Cyan' }
+        'Warning' { 'Yellow' }
+        'Error'   { 'Red' }
+        'Success' { 'Green' }
+    }
+    Write-Host "[$timestamp] [$Level] $Message" -ForegroundColor $color
+
+    # Surface warnings and errors as CI annotations so they appear in the Actions/ADO UI
+    if ($Level -eq 'Warning') {
+        Write-CIAnnotation -Message $Message -Level Warning
+    }
+    elseif ($Level -eq 'Error') {
+        Write-CIAnnotation -Message $Message -Level Error
+    }
 }
 
 function Get-FilesToScan {
@@ -860,32 +874,35 @@ function Invoke-DependencyPinningAnalysis {
         $allViolations += $violations
     }
 
-    # Per-violation CI output — grouped by file
-    if (@($allViolations).Count -gt 0) {
-        Write-Host "`n❌ Found $(@($allViolations).Count) unpinned dependencies:" -ForegroundColor Red
+    Write-PinningLog "Found $(@($allViolations).Count) dependency pinning violations" -Level Info
+
+    # Emit per-violation CI annotations and console output
+    if ($allViolations.Count -gt 0) {
+        Write-Host "`n❌ Found $($allViolations.Count) unpinned dependencies:" -ForegroundColor Red
         $groupedByFile = $allViolations | Group-Object -Property File
         foreach ($fileGroup in $groupedByFile) {
             Write-Host "`n📄 $($fileGroup.Name)" -ForegroundColor Cyan
             foreach ($dep in $fileGroup.Group) {
-                $displayVersion = if ($dep.Version) { $dep.Version } elseif ($dep.CurrentRef) { $dep.CurrentRef } else { '<unknown>' }
-                Write-Host "  ⚠️ Line $($dep.Line): $($dep.Name) — $displayVersion (type: $($dep.Type))" -ForegroundColor Yellow
-
-                # Normalize file path for CI annotations: prefer absolute path based on scan root
-                $annotationFile = $dep.File
-                try {
-                    if ($Path) {
-                        $resolved = Resolve-Path -LiteralPath (Join-Path -Path $Path -ChildPath $dep.File) -ErrorAction Stop
-                        $annotationFile = $resolved.Path
-                    }
+                $annotationLevel = switch ($dep.Severity) {
+                    'High'   { 'Error' }
+                    'Medium' { 'Warning' }
+                    default  { 'Notice' }
                 }
-                catch {
-                    $annotationFile = $dep.File
+                $icon = switch ($dep.Severity) {
+                    'High'   { '❌' }
+                    'Medium' { '⚠️' }
+                    default  { 'ℹ️' }
                 }
-
+                $color = switch ($dep.Severity) {
+                    'High'   { 'Red' }
+                    'Medium' { 'Yellow' }
+                    default  { 'Cyan' }
+                }
+                Write-Host "  $icon [$($dep.Severity)] $($dep.Name)@$($dep.Version): $($dep.Description) (Line $($dep.Line))" -ForegroundColor $color
                 Write-CIAnnotation `
-                    -Message "Unpinned $($dep.Type) dependency: $($dep.Name)@$($dep.CurrentRef)" `
-                    -Level Warning `
-                    -File $annotationFile `
+                    -Message "[$($dep.ViolationType)] $($dep.Name): $($dep.Description)" `
+                    -Level $annotationLevel `
+                    -File $dep.File `
                     -Line $dep.Line
             }
         }
@@ -894,8 +911,6 @@ function Invoke-DependencyPinningAnalysis {
         Write-Host "`n✅ All dependencies are properly SHA-pinned." -ForegroundColor Green
     }
 
-    Write-PinningLog "Found $(@($allViolations).Count) dependency pinning violations" -Level Info
-
     # Generate compliance report
     $report = Get-ComplianceReportData -Violations $allViolations -ScannedFiles $filesToScan -ScanPath $Path -Remediate:$Remediate