PowerShell/tools/releaseBuild/azureDevOps/templates/compliance.yml
Travis Plunk 5ce5936d78
Create compliance build (#16286)
Co-authored-by: Robert Holt <rjmholt@gmail.com>
2021-10-28 11:07:09 -07:00

142 lines
4 KiB
YAML

parameters:
parentJobs: []
jobs:
- job: compliance
variables:
- name: runCodesignValidationInjection
value : false
- name: NugetSecurityAnalysisWarningLevel
value: none
# Defines the variables APIScanClient, APIScanTenant and APIScanSecret
- group: PS-PS-APIScan
displayName: Compliance
dependsOn:
${{ parameters.parentJobs }}
pool:
name: PowerShell1ES
demands:
- ImageOverride -equals MMS2019
# APIScan can take a long time
timeoutInMinutes: 180
steps:
- checkout: self
clean: true
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
- task: DownloadBuildArtifacts@0
displayName: 'Download artifacts'
inputs:
buildType: current
downloadType: single
artifactName: results
downloadPath: '$(System.ArtifactsDirectory)'
- powershell: |
dir "$(System.ArtifactsDirectory)\*" -Recurse
displayName: 'Capture artifacts directory'
continueOnError: true
- template: expand-compliance.yml
parameters:
architecture: fxdependent
version: $(version)
- template: expand-compliance.yml
parameters:
architecture: x86
version: $(version)
- template: expand-compliance.yml
parameters:
architecture: x64
version: $(version)
- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'
- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
displayName: 'Run BinSkim '
inputs:
InputType: Basic
AnalyzeTarget: '$(CompliancePath)\*.dll;$(CompliancePath)\*.exe'
AnalyzeSymPath: 'SRV*'
AnalyzeVerbose: true
AnalyzeHashes: true
AnalyzeStatistics: true
continueOnError: true
# add RoslynAnalyzers
- task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1
displayName: 'Run AutoApplicability'
inputs:
ExternalRelease: true
IsSoftware: true
DataSensitivity: lbi
continueOnError: true
# add codeMetrics
- task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0
displayName: 'Run Vulnerability Assessment'
continueOnError: true
# FXCop is not applicable
# PreFASt is not applicable
- task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@2
displayName: 'Run APIScan'
inputs:
softwareFolder: '$(CompliancePath)'
softwareName: PowerShell
softwareVersionNum: '$(ReleaseTagVar)'
isLargeApp: false
preserveTempFiles: true
env:
AzureServicesAuthConnectionString: RunAs=App;AppId=$(APIScanClient);TenantId=$(APIScanTenant);AppKey=$(APIScanSecret)
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
displayName: 'Publish Security Analysis Logs to Build Artifacts'
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
displayName: 'TSA upload to Codebase: PowerShellCore_201906'
inputs:
tsaVersion: TsaV2
codeBaseName: 'PowerShellCore_201906'
uploadFortifySCA: false
uploadFxCop: false
uploadModernCop: false
uploadPREfast: false
uploadRoslyn: false
uploadBinSkim: false
uploadTSLint: false
uploadCredScan: false
uploadPoliCheck: false
- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
displayName: 'Create Security Analysis Report'
inputs:
TsvFile: false
APIScan: true
BinSkim: true
CredScan: true
PoliCheck: true
PoliCheckBreakOn: Severity2Above
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
snapshotForceEnabled: true