CHORE: Update 1ES ADO Pipelines #325
Co-authored-by: David Engel <dengel1012@gmail.com>
Syncing Github main to ADO main Related work items: #38037
…rosoft/mssql-python into bewithgaurav/publish_symbols
Related work items: #39534
Add the baseline and suppression file to guide Guardian. The guide is found here https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sdlanalysis/baselines The baseline and suppression file tell Guardian about the expected results of the scan. For credential scanning, the signatures of the credentials are coded in the guardian files. The files were downloaded from the failing build at https://sqlclientdrivers.visualstudio.com/mssql-python/_build/results?buildId=129570&view=results The process is to run the pipeline which will cause the failure. After doing due diligence to the credentials and making sure that they are safe to have in the source code, the baseline and suppression files can be updated. Related work items: #39894
Related work items: #39534
…l-python/_git/mssql-python into sharmag/onebranch_setup
…lse CredScan alerts

#### AI description (iteration 1)

#### PR Classification
This pull request is a bug fix that resolves configuration issues for APIScan and BinSkim.

#### PR Summary
The changes ensure correct file paths for APIScan on Windows and add necessary parameters for BinSkim analysis in the build pipeline.
- `OneBranchPipelines/variables/symbol-variables.yml`: Updated the API scan DLL and PDB paths to use backslashes for Windows compatibility.
- `OneBranchPipelines/build-release-package-pipeline.yml`: Added parameters to configure BinSkim with the analyze target, recursion flag, and log file path.
… bewithgaurav/1ESPipelines
Pull Request Overview
This pull request updates the Azure DevOps (ADO) pipeline infrastructure for the mssql-python project by introducing comprehensive OneBranch 1ES pipeline configurations and Security Development Lifecycle (SDL) compliance tooling. The changes primarily focus on establishing automated build, release, and security scanning infrastructure while addressing CredScan compliance issues in test files.
Key Changes:
- Introduced complete OneBranch pipeline infrastructure for Windows, macOS, and Linux builds with security scanning integration
- Added SDL configuration files for TSA, CredScan, PoliCheck, and Guardian tools
- Updated test passwords to include "Test" prefix for CredScan compliance
- Removed unused custom `__setattr__` implementation from module initialization
Reviewed Changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/test_012_connection_string_integration.py | Updated test password from P@ss;w}}rd to TestP@ss;w}}rd for CredScan compliance |
| tests/test_010_connection_string_parser.py | Updated test password from p@ss;w}}rd to TestP@ss;w}}rd for CredScan compliance |
| tests/test_003_connection.py | Added sys import and removed trailing whitespace |
| mssql_python/__init__.py | Removed custom `__setattr__` implementation for lowercase setting |
| es-metadata.yml | Added 1ES metadata with service ownership and routing configuration |
| OneBranchPipelines/variables/*.yml | Added variable configuration files for common, build, signing, symbol, and OneBranch-specific settings |
| OneBranchPipelines/steps/*.yml | Added step templates for symbol publishing, malware scanning, and code signing |
| OneBranchPipelines/stages/*.yml | Added stage templates for Windows, macOS, and Linux builds |
| OneBranchPipelines/jobs/*.yml | Added job template for artifact consolidation |
| OneBranchPipelines/build-release-package-pipeline.yml | Main build pipeline with SDL scanning and multi-platform wheel building |
| OneBranchPipelines/official-release-pipeline.yml | Production release pipeline for PyPI publishing via ESRP |
| OneBranchPipelines/dummy-release-pipeline.yml | Test release pipeline using Maven ContentType for safe testing |
| .config/tsaoptions.json | TSA configuration for security issue tracking |
| .config/SDL_CONFIGURATION.md | Comprehensive SDL configuration documentation |
| .config/PolicheckExclusions.xml | PoliCheck exclusions for tests, docs, and configuration files |
| .config/CredScanSuppressions.json | CredScan suppressions for non-production code paths |
| .gdn/.gdnbaselines | Guardian security baseline signatures |
| .gdn/.gdnsuppress | Guardian suppression configuration |
| CONTRIBUTING.md | Minor formatting fix for Microsoft org members line |
Comments suppressed due to low confidence (1)

tests/test_003_connection.py:24
- Import of 'sys' is not used.

    import sys
📊 Code Coverage Report

Diff coverage (main...HEAD, staged and unstaged changes): no lines with coverage information in this diff.

Files with overall lowest coverage:
- mssql_python.pybind.logger_bridge.cpp: 59.2%
- mssql_python.helpers.py: 66.6%
- mssql_python.row.py: 67.4%
- mssql_python.pybind.ddbc_bindings.cpp: 70.4%
- mssql_python.pybind.connection.connection.cpp: 76.3%
- mssql_python.ddbc_bindings.py: 79.6%
- mssql_python.pybind.connection.connection_pool.cpp: 79.6%
- mssql_python.pybind.ddbc_bindings.h: 79.7%
- mssql_python.connection.py: 82.5%
- mssql_python.cursor.py: 83.6%
Work Item / Issue Reference
Summary
Sync ADO Repo with GH
Changes:
This pull request introduces a comprehensive set of Secure Development Lifecycle (SDL) configuration files to the repository. These files establish baseline settings for automated security and compliance tools (TSA, CredScan, PoliCheck, Guardian), define which code paths and file types are included or excluded from scanning, and document the configuration for future maintenance. This setup helps ensure that only production code is scanned for credentials and terminology issues, while test, example, and documentation files are safely excluded.
SDL Tool Configuration and Documentation:
- `.config/SDL_CONFIGURATION.md`, providing detailed documentation for how TSA, CredScan, and PoliCheck are configured, what paths are included/excluded, and maintenance guidance for the team.
- `.config/tsaoptions.json` to configure Threat and Security Assessment (TSA) for the project, specifying project details, notification settings, and codebase scanning patterns.

Security and Compliance Exclusions:
- `.config/CredScanSuppressions.json` to suppress false positives from credential scanning in non-production code (tests, benchmarks, engineering, and pipeline files).
- `.config/PolicheckExclusions.xml` to exclude specific folders and files (tests, benchmarks, docs, examples, build artifacts, virtual environments, and standard documentation files) from politically incorrect term scanning.

Guardian Baseline Integration:
- `.gdn/.gdnbaselines` to establish Guardian security baselines, including signatures and metadata for compliance tracking.
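As an added illustration (not code from this pull request or the mssql-python project), a small audit that checks a CredScan suppressions file only suppresses findings under non-production paths and that every entry carries a justification, so a suppression cannot silently hide a real credential in shipped code. The file layout (a `suppressions` list of entries with `file` and `_justification`), the allowed prefixes, and the sample entries are assumptions constructed for the example.

```python
import json
from typing import Dict, List

# Assumed set of path prefixes that the PR description treats as safe to
# exclude from credential scanning: tests, benchmarks, engineering, pipelines.
NON_PRODUCTION_PREFIXES = ("tests/", "benchmarks/", "eng/", "OneBranchPipelines/")

# Constructed sample in a CredScanSuppressions.json-style layout (assumed:
# a "suppressions" list of {"file": ..., "_justification": ...} objects).
SAMPLE_SUPPRESSIONS = json.dumps({
    "tool": "Credential Scanner",
    "suppressions": [
        {"file": "tests/test_010_connection_string_parser.py",
         "_justification": "Fixture password used only by parser tests"},
        {"file": "benchmarks\\bench_connect.py",
         "_justification": "Dummy connection string for benchmarks"},
        {"file": "mssql_python/connection.py",
         "_justification": "Example string in docstring"},
        {"file": "tests/helpers.py", "_justification": ""},
    ],
})


def normalize(path: str) -> str:
    """Treat Windows and POSIX separators alike and strip a leading './'."""
    path = path.replace("\\", "/")
    return path[2:] if path.startswith("./") else path


def audit_suppressions(document: str) -> List[Dict[str, str]]:
    """Return one finding per suppression that should not be accepted as-is.

    An entry is flagged when it points at a production path (anything outside
    NON_PRODUCTION_PREFIXES) or has no justification; either one would blind
    the scanner to a genuine leaked credential without anyone noticing.
    """
    findings: List[Dict[str, str]] = []
    for entry in json.loads(document).get("suppressions", []):
        path = normalize(entry.get("file", ""))
        reason = entry.get("_justification", "").strip()
        if not path.startswith(NON_PRODUCTION_PREFIXES):
            findings.append({"file": path, "problem": "production path suppressed"})
        if not reason:
            findings.append({"file": path, "problem": "missing justification"})
    return findings


if __name__ == "__main__":
    for finding in audit_suppressions(SAMPLE_SUPPRESSIONS):
        print(f"{finding['file']}: {finding['problem']}")
```

Running the audit as a pipeline step before the SDL stage turns a quietly growing suppressions file into a visible review item.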