From 925876597a6ba7b4f93f16cc1b61dedf8e11772b Mon Sep 17 00:00:00 2001 From: Andrew Schwartzmeyer Date: Wed, 10 Feb 2021 10:29:27 -0800 Subject: [PATCH] Add examples to readme --- README.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 62 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2190cca..60732af 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,8 @@ This repository contains Azure DevOPS YAML template for the compliance tasks needed for release products. The step templates can be included in the repository using [multi-checkout](https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/multi-repo-checkout?view=azure-devops). +## Template setup + The following sample shows how the templates can be included in your release YAML. 1. Create a repository resource and a service connection to connect to this repository. @@ -15,7 +17,7 @@ The following sample shows how the templates can be included in your release YAM - repository: ComplianceRepo type: github endpoint: ComplianceGHRepo - name: PowerShell/compliance + name: PowerShell/Compliance ``` 1. In the compliance stage, checkout `self` repo and the `compliance` repo. 
@@ -62,7 +64,65 @@ The following sample shows how the templates can be included in your release YAM APIScan: false # set to false when not using Windows APIs. ``` -For “TermCheck” see the [wiki](https://www.1eswiki.com/wiki/PoliCheck_Build_Task). +### Credential Scanner + +The Credential Scanner can be configured to ignore paths (including folders), +with a JSON file (usually stored at `tools/credScan/suppress.json`): + +```json +{ + "tool": "Credential Scanner", + "suppressions": [ + { + "folder": "node_modules", + "_justification": "Third-party code must not be scanned" + }, + { + "file": "Cert.pfx", + "_justification": "Test certificate with private key" + } + ] +} +``` + +Then supply the path to this file in your repo as the `suppresionsFile` +parameter. Enabling folders is only supported by running this tool in "debug" +mode, so be aware of and ignore this warning given by the task: + +> [WARNING] Running in DebugMode! Result file is *NOT* to be treated as OFFICIAL! + +### TermCheck AKA PoliCheck + +The term checker is setup to recursively scan the given folder at +`targetArgument`. Because the use these templates necessitates multi-repo +checkout, you will likely want to supply the path to your specific sources, e.g. +`targetArgument: '$(Build.SourcesDirectory)/my-repo-name'`. + +User exclusions can be specified in an XML file at the path given with the +parameter `optionsUEPATH`. An example (usually stored at +`tools/terms/UserExclusions.xml`) looks like: + +```xml + + + + + .GIT|NODE_MODULES + + + + + + + +``` + +The paths given _must_ be upper case as the tool upper cases all paths before +doing its comparison. Multiple patterns of the same exclusion type _must_ be +specified with the "or" operator: `|`, not with multiple XML tags. + +See the internal [wiki](https://www.1eswiki.com/wiki/PoliCheck_Build_Task) for +more information about this ADO task. ## ESRP Signing Template Overview
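Review bot: in the second hunk (`@@ -15,7 +17,7 @@`) the only change is the case of the repository name, `PowerShell/compliance` to `PowerShell/Compliance` under `repository: ComplianceRepo`, but the commit message ("Add examples to readme") does not mention it; note the correction in the message so readers of the history do not overlook why the resource sample changed.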
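Review bot: in the third hunk (`@@ -62,7 +64,65 @@`) the `UserExclusions.xml` sample in the "TermCheck AKA PoliCheck" section shows only the bare text `.GIT|NODE_MODULES` with no enclosing elements or attributes, so a reader cannot reconstruct the file from it; include the full element structure around that value. Two grammar fixes in the same section: "The term checker is setup" should read "is set up", and "Because the use these templates necessitates" is missing "of". In the "Credential Scanner" section, confirm that `suppresionsFile` is really the template's parameter name rather than a misspelling of `suppressionsFile`, since a reader copying it will get an unrecognised parameter if it is wrong. Finally, the text tells readers to ignore the `[WARNING] Running in DebugMode! Result file is *NOT* to be treated as OFFICIAL!` message; since folder suppression only works in debug mode, state the consequence plainly, that a run configured this way does not produce an official result, instead of only saying to disregard the warning.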