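# Azure Pipelines job template: runs the compliance/SDL tooling (Defender,
# CredScan, BinSkim, PoliCheck, APIScan, ...) against previously built
# artifacts and uploads the results.
#
# Fixes relative to the previous revision: the stray space before the colon
# in `value : false` is removed (yamllint `colons`), `optionsUEPath` is quoted
# like the sibling `optionsRulesDBPath`, and indentation is normalized to
# two spaces throughout.
parameters:
  # Jobs this compliance job must wait for (passed straight to `dependsOn`).
  parentJobs: []

jobs:
  - job: compliance
    displayName: Compliance
    dependsOn:
      ${{ parameters.parentJobs }}
    variables:
      - name: runCodesignValidationInjection
        value: false
      - name: NugetSecurityAnalysisWarningLevel
        value: none
      # Defines the variables APIScanClient, APIScanTenant and APIScanSecret
      # (consumed by the APIScan step below via its `env` mapping).
      - group: PS-PS-APIScan
    pool:
      name: PowerShell1ES
      demands:
        - ImageOverride -equals MMS2019TLS
    # APIScan can take a long time
    timeoutInMinutes: 180

    steps:
      - checkout: self
        clean: true

      - template: SetVersionVariables.yml
        parameters:
          ReleaseTagVar: $(ReleaseTagVar)

      # The `results` artifact produced by the build job is the input to every
      # scanner below.
      - task: DownloadBuildArtifacts@0
        displayName: 'Download artifacts'
        inputs:
          buildType: current
          downloadType: single
          artifactName: results
          downloadPath: '$(System.ArtifactsDirectory)'

      - powershell: |
          dir "$(System.ArtifactsDirectory)\*" -Recurse
        displayName: 'Capture artifacts directory'
        continueOnError: true

      # Expand the packaged artifacts for each architecture; presumably this
      # is what populates $(CompliancePath) used by BinSkim and APIScan — the
      # variable is not set in this file.
      - template: expand-compliance.yml
        parameters:
          architecture: fxdependent
          version: $(version)

      - template: expand-compliance.yml
        parameters:
          architecture: x86
          version: $(version)

      - template: expand-compliance.yml
        parameters:
          architecture: x64
          version: $(version)

      - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
        displayName: 'Run Defender Scan'

      # `continueOnError: true` means a CredScan finding does not fail the job
      # here; findings are surfaced through SdtReport / TSAUpload further down,
      # so anything added to the suppressions file should be reviewed with that
      # in mind.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
        displayName: 'Run CredScan'
        inputs:
          suppressionsFile: tools/credScan/suppress.json
          debugMode: false
        continueOnError: true

      - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
        displayName: 'Run BinSkim '
        inputs:
          InputType: Basic
          AnalyzeTarget: '$(CompliancePath)\*.dll;$(CompliancePath)\*.exe'
          AnalyzeSymPath: 'SRV*'
          AnalyzeVerbose: true
          AnalyzeHashes: true
          AnalyzeStatistics: true
        continueOnError: true

      - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
        displayName: 'Run PoliCheck'
        inputs:
          targetType: F
          optionsFC: 0
          optionsXS: 1
          optionsPE: '1|2|3|4'
          optionsHMENABLE: 0
          optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Terms-Rules.mdb'
          optionsUEPath: '$(Build.SourcesDirectory)\tools\terms\TermsExclusion.xml'
        continueOnError: true

      # add RoslynAnalyzers
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1
        displayName: 'Run AutoApplicability'
        inputs:
          ExternalRelease: true
          IsSoftware: true
          DataSensitivity: lbi
        continueOnError: true

      # add codeMetrics
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0
        displayName: 'Run Vulnerability Assessment'
        continueOnError: true

      # FXCop is not applicable
      # PreFASt is not applicable

      # The service principal credentials come from the PS-PS-APIScan variable
      # group and are handed to the task only through this env mapping (the
      # AppKey is the secret); they are not passed as task inputs.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@2
        displayName: 'Run APIScan'
        inputs:
          softwareFolder: '$(CompliancePath)'
          softwareName: PowerShell
          softwareVersionNum: '$(ReleaseTagVar)'
          isLargeApp: false
          preserveTempFiles: true
        env:
          AzureServicesAuthConnectionString: RunAs=App;AppId=$(APIScanClient);TenantId=$(APIScanTenant);AppKey=$(APIScanSecret)
        continueOnError: true

      - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
        displayName: 'Publish Security Analysis Logs to Build Artifacts'
        continueOnError: true

      - task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
        displayName: 'TSA upload to Codebase: PowerShellCore_201906'
        inputs:
          tsaVersion: TsaV2
          codeBaseName: 'PowerShellCore_201906'
          uploadFortifySCA: false
          uploadFxCop: false
          uploadModernCop: false
          uploadPREfast: false
          uploadRoslyn: false
          uploadTSLint: false

      # PoliCheckBreakOn sets the severity at which the report step breaks;
      # no equivalent threshold is configured here for the other scanners.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
        displayName: 'Create Security Analysis Report'
        inputs:
          TsvFile: false
          APIScan: true
          BinSkim: true
          CredScan: true
          PoliCheck: true
          PoliCheckBreakOn: Severity2Above

      # Component detection is scoped to the tools directory only.
      - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
        displayName: 'Component Detection'
        inputs:
          sourceScanPath: '$(Build.SourcesDirectory)\tools'
          snapshotForceEnabled: true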