5ce5936d78
Co-authored-by: Robert Holt <rjmholt@gmail.com>
142 lines
4 KiB
YAML
142 lines
4 KiB
YAML
parameters:
|
|
parentJobs: []
|
|
|
|
jobs:
|
|
- job: compliance
|
|
variables:
|
|
- name: runCodesignValidationInjection
|
|
value : false
|
|
- name: NugetSecurityAnalysisWarningLevel
|
|
value: none
|
|
|
|
# Defines the variables APIScanClient, APIScanTenant and APIScanSecret
|
|
- group: PS-PS-APIScan
|
|
|
|
displayName: Compliance
|
|
dependsOn:
|
|
${{ parameters.parentJobs }}
|
|
pool:
|
|
name: PowerShell1ES
|
|
demands:
|
|
- ImageOverride -equals MMS2019
|
|
|
|
# APIScan can take a long time
|
|
timeoutInMinutes: 180
|
|
|
|
steps:
|
|
- checkout: self
|
|
clean: true
|
|
|
|
- template: SetVersionVariables.yml
|
|
parameters:
|
|
ReleaseTagVar: $(ReleaseTagVar)
|
|
|
|
- task: DownloadBuildArtifacts@0
|
|
displayName: 'Download artifacts'
|
|
inputs:
|
|
buildType: current
|
|
downloadType: single
|
|
artifactName: results
|
|
downloadPath: '$(System.ArtifactsDirectory)'
|
|
|
|
- powershell: |
|
|
dir "$(System.ArtifactsDirectory)\*" -Recurse
|
|
displayName: 'Capture artifacts directory'
|
|
continueOnError: true
|
|
|
|
- template: expand-compliance.yml
|
|
parameters:
|
|
architecture: fxdependent
|
|
version: $(version)
|
|
|
|
- template: expand-compliance.yml
|
|
parameters:
|
|
architecture: x86
|
|
version: $(version)
|
|
|
|
- template: expand-compliance.yml
|
|
parameters:
|
|
architecture: x64
|
|
version: $(version)
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
|
|
displayName: 'Run Defender Scan'
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
|
|
displayName: 'Run BinSkim '
|
|
inputs:
|
|
InputType: Basic
|
|
AnalyzeTarget: '$(CompliancePath)\*.dll;$(CompliancePath)\*.exe'
|
|
AnalyzeSymPath: 'SRV*'
|
|
AnalyzeVerbose: true
|
|
AnalyzeHashes: true
|
|
AnalyzeStatistics: true
|
|
continueOnError: true
|
|
|
|
# add RoslynAnalyzers
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1
|
|
displayName: 'Run AutoApplicability'
|
|
inputs:
|
|
ExternalRelease: true
|
|
IsSoftware: true
|
|
DataSensitivity: lbi
|
|
continueOnError: true
|
|
|
|
# add codeMetrics
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0
|
|
displayName: 'Run Vulnerability Assessment'
|
|
continueOnError: true
|
|
|
|
# FXCop is not applicable
|
|
|
|
# PreFASt is not applicable
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@2
|
|
displayName: 'Run APIScan'
|
|
inputs:
|
|
softwareFolder: '$(CompliancePath)'
|
|
softwareName: PowerShell
|
|
softwareVersionNum: '$(ReleaseTagVar)'
|
|
isLargeApp: false
|
|
preserveTempFiles: true
|
|
env:
|
|
AzureServicesAuthConnectionString: RunAs=App;AppId=$(APIScanClient);TenantId=$(APIScanTenant);AppKey=$(APIScanSecret)
|
|
continueOnError: true
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
|
|
displayName: 'Publish Security Analysis Logs to Build Artifacts'
|
|
continueOnError: true
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
|
|
displayName: 'TSA upload to Codebase: PowerShellCore_201906'
|
|
inputs:
|
|
tsaVersion: TsaV2
|
|
codeBaseName: 'PowerShellCore_201906'
|
|
uploadFortifySCA: false
|
|
uploadFxCop: false
|
|
uploadModernCop: false
|
|
uploadPREfast: false
|
|
uploadRoslyn: false
|
|
uploadBinSkim: false
|
|
uploadTSLint: false
|
|
uploadCredScan: false
|
|
uploadPoliCheck: false
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
|
|
displayName: 'Create Security Analysis Report'
|
|
inputs:
|
|
TsvFile: false
|
|
APIScan: true
|
|
BinSkim: true
|
|
CredScan: true
|
|
PoliCheck: true
|
|
PoliCheckBreakOn: Severity2Above
|
|
|
|
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
|
displayName: 'Component Detection'
|
|
inputs:
|
|
sourceScanPath: '$(Build.SourcesDirectory)'
|
|
snapshotForceEnabled: true
|