# Copyright (C) Microsoft Corporation. All rights reserved.
# Licensed under the MIT license. See LICENSE.txt in the project root for license information.
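# Variable group that supplies the APIScan application settings
# ($(ApiScanClientId) is read by the APIScan step below). Keeping it in a
# variable group means no credential material is committed in this file.
variables:
  - group: vssetup-apiscan

resources:
  repositories:
    # 1ES / MicroBuild pipeline template this pipeline extends.
    # NOTE(review): `refs/tags/release` is a mutable tag, so the template
    # contents can change without any diff in this repository. If template
    # policy permits it, pinning to a commit SHA makes the pipeline's own
    # supply chain reproducible and reviewable -- confirm with the template owners.
    - repository: MicroBuildTemplate
      type: git
      name: 1ESPipelineTemplates/MicroBuildTemplate
      ref: refs/tags/release

extends:
  template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
  parameters:
    pool:
      name: VSEngSS-MicroBuild2022-1ES
    # SDL tooling run by the 1ES template. Each tool is opted in explicitly.
    sdl:
      sourceAnalysisPool:
        name: AzurePipelines-EO
        image: 1ESPT-Windows2022
      antimalwareScan:
        enabled: true
      armory:
        enabled: true
      binskim:
        enabled: true
        scanOutputDirectoryOnly: true
        # Scan the built executables and libraries, excluding test binaries.
        # Uses $(BuildConfiguration), as the CopyFiles step below does, instead
        # of a hard-coded "Release" folder: with the folder hard-coded, a run
        # with any other configuration would give BinSkim nothing to scan and
        # the check would pass vacuously.
        analyzeTargetGlob: '+:f|$(Build.SourcesDirectory)\bin\$(BuildConfiguration)\*.exe;+:f|$(Build.SourcesDirectory)\bin\$(BuildConfiguration)\*.dll;-:f|$(Build.SourcesDirectory)\bin\$(BuildConfiguration)\*.test.*'
      codeql:
        compiled:
          enabled: true
      credscan:
        enabled: true
      policheck:
        enabled: true
      psscriptanalyzer:
        enabled: true
      prefast:
        enabled: true
      # Trust Services Automation: results are filed using the repo's TSA
      # options; onboarding is skipped because it was already done.
      tsa:
        enabled: true
        configFile: $(Build.SourcesDirectory)\.config\tsaoptions.json
        onboard: false # We already onboarded

    stages:
      - stage: Compliance
        jobs:
          - job: Compliance
            steps:
              # Build through the repo's shared build template so the scanned
              # binaries are produced by the same steps as the regular build.
              - template: /build/templates/build.yml@self
                parameters:
                  BuildConfiguration: $(BuildConfiguration)
                  BuildPlatform: $(BuildPlatform)
                  PublishArtifactTemplate: /build/templates/1es-publish-task.yml@self

              # Stage only the APIScan inputs (binaries, symbols and XML files),
              # leaving test assemblies out.
              - task: CopyFiles@2
                displayName: Copy files for API scan
                inputs:
                  SourceFolder: $(Build.SourcesDirectory)\bin\$(BuildConfiguration)
                  Contents: |
                    **\*.?(pdb|exe|dll|xml)
                    !**\*.Test.*
                  TargetFolder: $(Build.StagingDirectory)\apiscan-inputs

              - task: APIScan@2
                displayName: Run APIScan
                inputs:
                  softwareFolder: $(Build.StagingDirectory)\apiscan-inputs
                  softwareName: 'Microsoft.VsixBootstrapper'
                  softwareVersionNum: '2' # Must match the version of ApiScan tooling
                  # NOTE(review): `Latest` lets the scanner version float between
                  # runs, so results are not reproducible across time; keep this
                  # in mind when a previously clean build starts reporting findings.
                  toolVersion: Latest
                # Authenticate as the registered application (runAs=App); the
                # client id is presumably provided by the vssetup-apiscan variable
                # group above, not stored in this file.
                env:
                  AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId)

              # Keep the APIScan logs as an artifact even when the scan fails so a
              # failing run can still be investigated.
              - task: PublishSecurityAnalysisLogs@3
                displayName: Publish 'SDLAnalysis-APIScan' artifact
                condition: succeededOrFailed()
                inputs:
                  ArtifactName: SDLAnalysis-APIScan
                  AllTools: false
                  APIScan: true

              # Fail the job on APIScan findings only (GdnBreakAllTools stays off).
              - task: PostAnalysis@2
                displayName: Post Analysis
                inputs:
                  GdnBreakAllTools: false
                  GdnBreakGdnToolApiScan: true

              # NOTE(review): continueOnError means a failed TSA upload does not
              # fail the job, so findings can go unreported without the pipeline
              # turning red -- make sure the upload step's warnings are monitored,
              # or drop continueOnError if a missed upload should block.
              - task: TSAUpload@2
                displayName: Upload APIScan results to TSA
                inputs:
                  GdnPublishTsaOnboard: false
                  GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\.config\tsaoptions.json'
                  GdnPublishTsaExportedResultsPublishable: true
                continueOnError: true
                condition: succeededOrFailed()
                enabled: true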