From 9518c59325c715f953f406f24892b45c01f80d58 Mon Sep 17 00:00:00 2001
From: Julie Lee
Date: Thu, 4 Sep 2025 12:12:11 -0700
Subject: [PATCH 1/2] Suppress BinSkim BA2008 warning for llvm-mca.exe and FileCheck.exe.
---
 eng/common/sdl/configure-sdl-tool.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/common/sdl/configure-sdl-tool.ps1 b/eng/common/sdl/configure-sdl-tool.ps1
index 27f5a4115fc741..e507341824bc7e 100644
--- a/eng/common/sdl/configure-sdl-tool.ps1
+++ b/eng/common/sdl/configure-sdl-tool.ps1
@@ -95,7 +95,7 @@ try {
 if ($targetDirectory) {
 # Binskim crashes due to specific PDBs. GitHub issue: https://github.com/microsoft/binskim/issues/924.
 # We are excluding all `_.pdb` files from the scan.
- $tool.Args += "`"Target < $TargetDirectory\**;-:file|$TargetDirectory\**\_.pdb`""
+ $tool.Args += "`"Target < $TargetDirectory\**;-:file|$TargetDirectory\**\_.pdb;-:file|$TargetDirectory\**\llvm-mca.exe;-:file|$TargetDirectory\**\FileCheck.exe`""
 }
 $tool.Args += $BinskimAdditionalRunConfigParams
 }
From 5280e741c6a850c0cb290ed95052428a4c0ef894 Mon Sep 17 00:00:00 2001
From: Julie Lee
Date: Fri, 5 Sep 2025 13:43:42 -0700
Subject: [PATCH 2/2] Add a comment on why external libraries are excluded from binskim scanning.
---
 eng/common/sdl/configure-sdl-tool.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/eng/common/sdl/configure-sdl-tool.ps1 b/eng/common/sdl/configure-sdl-tool.ps1
index e507341824bc7e..ebaffc3dafad37 100644
--- a/eng/common/sdl/configure-sdl-tool.ps1
+++ b/eng/common/sdl/configure-sdl-tool.ps1
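Review bot: The two globs added to the `$tool.Args` target string in patch 1/2, `-:file|$TargetDirectory\**\llvm-mca.exe` and `-:file|$TargetDirectory\**\FileCheck.exe`, match by file name at any depth and take those files out of the BinSkim run entirely, so every rule is skipped for them, not only BA2008 (the control-flow-guard check) named in the subject. Any binary that lands under the target directory with one of those names is then never analysed; anchoring each glob to the one directory the prebuilt LLVM tools are copied into would keep the gap as narrow as the commit intends. The line after the `if` block appends `$BinskimAdditionalRunConfigParams`, which looks like the per-pipeline hook for exclusions of this kind; if this script is shared with other pipelines, hard-coding product-specific names here widens their scans' blind spot too, which is worth confirming. The same line is carried as context in patch 2/2, and the enclosing `try` block starts and ends outside the hunk.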
@@ -95,6 +95,7 @@ try {
 if ($targetDirectory) {
 # Binskim crashes due to specific PDBs. GitHub issue: https://github.com/microsoft/binskim/issues/924.
 # We are excluding all `_.pdb` files from the scan.
+ # SuperfileCheck uses two external LLVM libraries (llvm-mca.exe and FileCheck.exe) that we don't build. Excluding them to supporess BA2008.
 $tool.Args += "`"Target < $TargetDirectory\**;-:file|$TargetDirectory\**\_.pdb;-:file|$TargetDirectory\**\llvm-mca.exe;-:file|$TargetDirectory\**\FileCheck.exe`""
 }
 $tool.Args += $BinskimAdditionalRunConfigParams
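Review bot: The added comment misspells "suppress" as `supporess`, writes `SuperfileCheck` (presumably SuperFileCheck), and calls the two `.exe` files libraries although they are executables. It also leaves out that the exclusion skips the whole scan for these files rather than one rule. Suggested wording: `# SuperFileCheck uses two prebuilt LLVM tools (llvm-mca.exe and FileCheck.exe) that we don't build; they are excluded from the scan, which suppresses BA2008 and every other rule for them.` A short second comment line saying whether these tools ship to customers or are used only in tests would tell the next reader how much the skipped checks matter. The `try` block continues outside the hunk.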