Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Binskim scan in CI builds #8967

Merged
merged 1 commit into from
Jul 19, 2023
Merged

Enable Binskim scan in CI builds #8967

merged 1 commit into from
Jul 19, 2023

Conversation

MilenaHristova
Copy link
Member

Enabling BinSkim scan over build artifacts in CI based on company requirements.

We are required to run SDL tools on official builds and implement automated bug filling for the tools output. Currently we are running SDL checks over the source code in the nightly builds, inline in the builds for some of the product repos and in the .NET staging pipeline, but to be compliant we need to also run BinSkim over the produced artifacts.

This PRs is enabling BinSkim checks in the Run SDL tool job of razor-ci-official.

More information is in the Automate BinSkim runs over official builds issue

@MilenaHristova MilenaHristova requested review from a team as code owners July 18, 2023 10:36
@MilenaHristova MilenaHristova mentioned this pull request Jul 18, 2023
Closed
16 tasks
maryamariyan
maryamariyan approved these changes Jul 19, 2023
View reviewed changes
Copy link
Member

@maryamariyan maryamariyan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Razor Tooling Compliance build pipeline we also run APIScan. I think to be coherent we need this setup in that pipeline as well for compliance checks.

@davidwengier davidwengier merged commit 8c4a14e into dotnet:main Jul 19, 2023
12 checks passed
@ghost ghost added this to the Next milestone Jul 19, 2023
@MilenaHristova MilenaHristova deleted the enable-binskim-scan branch July 19, 2023 08:16
@MilenaHristova
Copy link
Member Author

MilenaHristova commented Jul 19, 2023
edited
Loading

In Razor Tooling Compliance build pipeline we also run APIScan. I think to be coherent we need this setup in that pipeline as well for compliance checks.

The goal is to scan all assets that are getting shipped, so it's enough to run the tool in the official CI - that would cover all changes to the repo
cc @andriipatsula @mmitche

@allisonchou allisonchou mentioned this pull request Jul 19, 2023
Closed
@mmitche
Copy link
Member

mmitche commented Jul 20, 2023
edited
Loading

@maryamariyan You are welcome to add the binskim to the compliance runs in https://devdiv.visualstudio.com/DevDiv/_build?definitionId=16802&_a=summary. I don't think that dnceng implemented any infra for that pipeline though. That looks to be custom for razor.

FYI it looks like that APIScan run has been failing for a while due to an authentication error.

@allisonchou allisonchou modified the milestones: Next, 17.8 P1 Jul 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidwengier davidwengier davidwengier approved these changes

@maryamariyan maryamariyan maryamariyan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
17.8 P1
Development

Successfully merging this pull request may close these issues.
5 participants
@MilenaHristova @mmitche @davidwengier @maryamariyan @allisonchou