parameters: parentJobs: [] jobs: - job: compliance displayName: Compliance dependsOn: ${{ parameters.parentJobs }} pool: name: Package ES CodeHub Lab E # APIScan can take a long time timeoutInMinutes: 180 steps: - template: SetVersionVariables.yml parameters: ReleaseTagVar: $(ReleaseTagVar) - task: DownloadBuildArtifacts@0 displayName: 'Download artifacts' inputs: downloadType: specific itemPattern: | **/*.zip - powershell: | dir "$(System.ArtifactsDirectory)\*" -Recurse displayName: 'Capture artifacts directory' continueOnError: true - template: expand-compliance.yml parameters: architecture: x86 version: $(version) - template: expand-compliance.yml parameters: architecture: x64 version: $(version) - template: expand-compliance.yml parameters: architecture: fxdependent version: $(version) - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3 displayName: 'Run Defender Scan' - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 displayName: 'Run CredScan' inputs: suppressionsFile: tools/credScan/suppress.json debugMode: false continueOnError: true - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3 displayName: 'Run BinSkim ' inputs: InputType: Basic AnalyzeTarget: '$(CompliancePath)\*.dll;$(CompliancePath)\*.exe' AnalyzeSymPath: 'SRV*' AnalyzeVerbose: true AnalyzeHashes: true AnalyzeStatistics: true continueOnError: true - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1 displayName: 'Run PoliCheck' inputs: targetType: F optionsFC: 0 optionsXS: 0 optionsPE: '1|2|3|4' optionsHMENABLE: 0 optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Terms-Rules.mdb' optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml' continueOnError: true # add RoslynAnalyzers - task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1 displayName: 'Run AutoApplicability' inputs: ExternalRelease: true IsSoftware: true DataSensitivity: lbi continueOnError: true # add codeMetrics - task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0 displayName: 'Run Vulnerability Assessment' continueOnError: true # FXCop is not applicable - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2 displayName: 'Publish Security Analysis Logs to Build Artifacts' continueOnError: true # PreFASt is not applicable - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1 displayName: 'Run PoliCheck' inputs: targetType: F optionsFC: 0 optionsXS: 0 optionsPE: '1|2|3|4' optionsHMENABLE: 0 optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Terms-Rules.mdb' optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml' continueOnError: true - task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@1 displayName: 'Run APIScan' inputs: softwareFolder: '$(CompliancePath)' softwareName: PowerShell softwareVersionNum: '$(ReleaseTagVar)' isLargeApp: false preserveTempFiles: true continueOnError: true - task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1 displayName: 'TSA upload to Codebase: PowerShellCore_201807 Stamp: Azure' inputs: tsaStamp: $(TsaStamp) codeBaseName: $(CodeBaseName) uploadFortifySCA: false uploadFxCop: false uploadModernCop: false uploadPREfast: false uploadRoslyn: false uploadTSLint: false - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1 displayName: 'Create Security Analysis Report' inputs: TsvFile: false APIScan: true BinSkim: true CredScan: true PoliCheck: true PoliCheckBreakOn: Severity2Above