From ec9b1c5563517d2f64d5c46227bcd6787ef8d5fa Mon Sep 17 00:00:00 2001 From: Matthew Leibowitz Date: Wed, 10 Jan 2024 05:54:15 +0800 Subject: [PATCH] Add the new APIScan to the pipeline (#2696) --- scripts/azure-pipelines-complete-internal.yml | 4 + scripts/azure-templates-stages.yml | 86 +++++++------------ 2 files changed, 34 insertions(+), 56 deletions(-) diff --git a/scripts/azure-pipelines-complete-internal.yml b/scripts/azure-pipelines-complete-internal.yml index ca60f811a8..56a0d9b61b 100644 --- a/scripts/azure-pipelines-complete-internal.yml +++ b/scripts/azure-pipelines-complete-internal.yml @@ -31,6 +31,9 @@ parameters: pool: name: Azure Pipelines vmImage: ubuntu-20.04 + - name: runCompliance + type: boolean + default: false pool: name: Azure Pipelines @@ -52,6 +55,7 @@ stages: parameters: buildPipelineType: 'both' buildExternals: ${{ parameters.buildExternals }} + runCompliance: ${{ parameters.runCompliance }} VM_IMAGE_HOST: ${{ parameters.VM_IMAGE_HOST }} VM_IMAGE_WINDOWS: ${{ parameters.VM_IMAGE_WINDOWS }} VM_IMAGE_WINDOWS_NATIVE: ${{ parameters.VM_IMAGE_WINDOWS }} diff --git a/scripts/azure-templates-stages.yml b/scripts/azure-templates-stages.yml index b8bd1035ca..74b7b8a0c1 100644 --- a/scripts/azure-templates-stages.yml +++ b/scripts/azure-templates-stages.yml @@ -19,6 +19,9 @@ parameters: type: object - name: VM_IMAGE_LINUX_NATIVE type: object + - name: runCompliance + type: boolean + default: false stages: - stage: prepare @@ -824,62 +827,33 @@ stages: installEmsdk: true initScript: source ~/emsdk/emsdk_env.sh - - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests')) }}: - - stage: checks - displayName: Run Code Checks - dependsOn: prepare - jobs: - - template: azure-templates-bootstrapper.yml # Run Code Checks - parameters: - name: native_checks_windows - displayName: Run Code Checks - buildPipelineType: ${{ parameters.buildPipelineType }} - condition: or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')) - vmImage: ${{ parameters.VM_IMAGE_WINDOWS}} - target: git-sync-deps - installAndroidSdk: false - installDotNet: false - shouldPublish: false - postBuildSteps: - - task: CredScan@3 - displayName: Analyze source for credentials - condition: always() - inputs: - suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json - - task: PoliCheck@2 - displayName: Run PoliCheck - condition: always() - inputs: - inputType: 'Basic' - targetType: 'F' - optionsUEPATH: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml - - task: SdtReport@2 - displayName: Create security analysis report - condition: always() - inputs: - GdnExportAllTools: false - GdnExportGdnToolCredScan: true - GdnExportGdnToolPoliCheck: true - GdnExportOutputSuppressionFile: source.gdnsuppress - - task: PublishSecurityAnalysisLogs@3 - displayName: Publish security analysis logs - condition: always() - - pwsh: | - $tsaConfig = '$(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json' - $tsaConfigJson = Get-Content $tsaConfig | ConvertFrom-Json - $tsaConfigJson | Add-Member -Type NoteProperty -Name 'SuppressionFiles' -Value @("$(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress") - $tsaConfigJson | Add-Member -Type NoteProperty -Name 'SuppressionSets' -Value @("default") - $tsaConfigJson | ConvertTo-Json | Out-File $tsaConfig - cat $tsaConfig - displayName: Update TSA suppressions - condition: always() - - task: TSAUpload@2 - displayName: Publish TSA logs - condition: always() - continueOnError: true - inputs: - GdnPublishTsaOnboard: true - GdnPublishTsaConfigFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json + - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests'), ne(variables['System.PullRequest.IsFork'], 'true'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), parameters.runCompliance)) }}: + - template: security/full/v1.yml@xamarin-templates + parameters: + stageDependsOn: + - managed + - native_windows + - native_macos + - native_linux + - native_wasm + complianceEnabled: true + complianceTimeoutInMinutes: 480 + scanArtifacts: + - managed + - native + antiMalwareEnabled: true + binSkimEnabled: true + policheckExclusionFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml + policheckGdnSuppressionFilesFolder: $(Build.SourcesDirectory)\scripts\guardian + credScanEnabled: true + credScanSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json + sourceGdnSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress + tsaConfigFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json + tsaReportBranch: $(Build.SourceBranch) + enableCodeInspector: true + apiScanEnabled: true + apiScanSoftwareName: 'SkiaSharp' + apiScanSoftwareVersionNum: $(Build.BuildNumber) - ${{ if eq(parameters.buildPipelineType, 'tests') }}: - stage: finalize