Commit
Add pre/post build compliance templates and address PoliCheck issues (#10468)

## Description

This PR refactors some of our compliance-related tasks such as CredScan, PoliCheck, and Component Governance into two new templates: `run-compliance-prebuild.yml` and `run-compliance-postbuild.yml`. The pre-build tasks will run before CI, PR, Publish, and Compliance pipelines. Task failures will cause the CI, PR, and Publish pipelines to fail appropriately. The Compliance pipeline will convert errors into warnings (so that all of the tasks still run).

In addition, this PR addresses existing PoliCheck issues (so that the PR passes).

### Type of Change

- Bug fix (non-breaking change which fixes an issue)
- New feature (non-breaking change which adds functionality)

### Why

Make sure we're running compliance tasks correctly, consistently, and address existing violations.

Closes #10459

### What

Refactors some tasks into new templates and fixes comments in some files.

## Screenshots

N/A

## Testing

For the new pipeline templates, running successfully in this PR. For the PoliCheck they're all just in comments, so if the PR checks pass, they've been resolved.
1 parent 6363177, commit 0512b19

Showing 14 changed files with 111 additions and 77 deletions.
Binary file not shown.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Compliance tasks to be run post build | ||
parameters: | ||
- name: complianceWarnOnly | ||
displayName: Convert compliance errors to warnings | ||
type: boolean | ||
default: false | ||
|
||
steps: | ||
# Component Governance Detection Task (https://docs.opensource.microsoft.com/tools/cg/) | ||
# Detects open source you use and alerts you to whether it has security vulnerabilities or legal issues. | ||
# TODO: Reconcile with existing component-governance.yml template | ||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 | ||
displayName: '⚖️ Component Governance Detection' | ||
continueOnError: ${{ parameters.complianceWarnOnly }} |
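Review bot: the TODO above the task leaves two templates carrying the same ComponentGovernanceComponentDetection@0 step, so any pipeline that keeps including component-governance.yml while adding this post-build template will run detection twice; either retire the old template in this PR or add a comment naming which pipelines consume each. Also note that, unlike the pre-build template, there is no PostAnalysis step here: with `continueOnError: ${{ parameters.complianceWarnOnly }}` a failed detection run in the Compliance pipeline is downgraded to a warning and nothing else surfaces it, so if that is deliberate it is worth a line in the header comment.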
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# Compliance tasks to be run pre build | ||
parameters: | ||
- name: complianceWarnOnly | ||
displayName: Convert compliance errors to warnings | ||
type: boolean | ||
default: false | ||
|
||
steps: | ||
# PoliCheck Build Task (https://aka.ms/gdn-azdo-policheck) | ||
# Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons. | ||
- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 | ||
displayName: '⚖️ Run PoliCheck' | ||
inputs: | ||
targetType: F | ||
targetArgument: $(Build.SourcesDirectory) | ||
result: PoliCheck.xml | ||
optionsFC: 1 | ||
optionsXS: 1 | ||
optionsHMENABLE: 0 | ||
optionsPE: 1|2|3|4 | ||
optionsSEV: 1|2|3|4 | ||
optionsUEPath: $(Build.SourcesDirectory)\.ado\config\PoliCheckExclusions.xml | ||
optionsRulesDBPath: $(Build.SourcesDirectory)\.ado\config\PoliCheckRules.mdb | ||
continueOnError: ${{ parameters.complianceWarnOnly }} | ||
|
||
# CredScan Task (https://aka.ms/gdn-azdo-credscan) | ||
# Searches through source code and build outputs for credentials left behind in the open. | ||
- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 | ||
displayName: '⚖️ Run CredScan' | ||
inputs: | ||
outputFormat: pre | ||
suppressionsFile: $(Build.SourcesDirectory)\.ado\config\CredScanSuppressions.json | ||
batchSize: 20 | ||
debugMode: false | ||
continueOnError: ${{ parameters.complianceWarnOnly }} | ||
|
||
# PostAnalysis Task (https://docs.microsoft.com/en-us/azure/security/develop/yaml-configuration#post-analysis-task) | ||
# Breaks the build if any of the tasks failed. | ||
- task: PostAnalysis@1 | ||
displayName: "⚖️ Compliance Pre-Build Analysis" | ||
inputs: | ||
AllTools: false | ||
CredScan: true | ||
PoliCheck: true | ||
PoliCheckBreakOn: Severity4Above | ||
ToolLogsNotFoundAction: "Error" | ||
continueOnError: ${{ parameters.complianceWarnOnly }} | ||
|
||
# Restore unnecessary changes that were made by the compliance tasks | ||
- script: | | ||
git restore $(Build.SourcesDirectory)\.ado\config\PoliCheckRules.mdb | ||
displayName: "⚖️ Compliance Pre-Build Cleanup" |
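Review bot: the final `git restore` cleanup step has no `condition: always()`, so when complianceWarnOnly is false and PoliCheck, CredScan or PostAnalysis fails, the step is skipped and the PoliCheckRules.mdb modified by the task stays dirty in the agent's working tree; add `condition: always()`, or avoid the write altogether by copying the .mdb to $(Agent.TempDirectory) and pointing `optionsRulesDBPath` at the copy. The same `script:` block hard-codes backslash paths, which ties the template to Windows agents; fine if that is the only host, but state it in the header comment. Two settings to cross-check: `optionsSEV: 1|2|3|4` scans all four severities while PostAnalysis breaks on `PoliCheckBreakOn: Severity4Above`, so confirm the two cover the same range, otherwise findings at any excluded severity only ever appear in PoliCheck.xml. Finally, `suppressionsFile` and `optionsUEPath` both live under `.ado\config` inside the repository, so a PR can suppress its own finding in the same change; consider requiring a CODEOWNERS review for that directory.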
7 changes: 7 additions & 0 deletions
change/react-native-windows-4adb017c-a018-4673-a78a-1d87d3ba43e3.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
"type": "prerelease", | ||
"comment": "Address PoliCheck issues", | ||
"packageName": "react-native-windows", | ||
"email": "jthysell@microsoft.com", | ||
"dependentChangeType": "patch" | ||
} |
7 changes: 7 additions & 0 deletions
change/react-native-windows-init-a2ce2e04-90ee-4f58-a390-f5899aa19a8d.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
"type": "patch", | ||
"comment": "Address PoliCheck issues", | ||
"packageName": "react-native-windows-init", | ||
"email": "jthysell@microsoft.com", | ||
"dependentChangeType": "patch" | ||
} |