Add the new APIScan to the pipeline (#2694)
mattleibow committed Jan 9, 2024
1 parent 1c36d90 commit bef60ae
Showing 2 changed files with 34 additions and 57 deletions.
4 changes: 4 additions & 0 deletions scripts/azure-pipelines-complete-internal.yml
@@ -31,6 +31,9 @@ parameters:
pool:
name: Azure Pipelines
vmImage: ubuntu-20.04
- name: runCompliance
type: boolean
default: false

pool:
name: Azure Pipelines
@@ -52,6 +55,7 @@ stages:
parameters:
buildPipelineType: 'both'
buildExternals: ${{ parameters.buildExternals }}
runCompliance: ${{ parameters.runCompliance }}
VM_IMAGE_HOST: ${{ parameters.VM_IMAGE_HOST }}
VM_IMAGE_WINDOWS: ${{ parameters.VM_IMAGE_WINDOWS }}
VM_IMAGE_WINDOWS_NATIVE: ${{ parameters.VM_IMAGE_WINDOWS }}
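Review bot: The new `runCompliance` parameter is declared with no comment saying what it turns on, and the same bare declaration is repeated in scripts/azure-templates-stages.yml, so a reader of either file has to trace the value through to the template condition to learn that it forces the compliance stage onto branches other than main and release/*. Suggest `# Opt-in: run the full compliance/APIScan stage even when the branch is not main or release/*` above the `- name: runCompliance` line in both files. The `parameters:` block this hunk belongs to starts above the hunk.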
87 changes: 30 additions & 57 deletions scripts/azure-templates-stages.yml
@@ -19,6 +19,9 @@ parameters:
type: object
- name: VM_IMAGE_LINUX_NATIVE
type: object
- name: runCompliance
type: boolean
default: false

stages:
- stage: prepare
@@ -910,63 +913,33 @@ stages:
installEmsdk: true
initScript: source ~/emsdk/emsdk_env.sh

- ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests')) }}:
- stage: checks
displayName: Run Code Checks
dependsOn: prepare
jobs:
- template: azure-templates-bootstrapper.yml # Run Code Checks
parameters:
name: native_checks_windows
displayName: Run Code Checks
buildPipelineType: ${{ parameters.buildPipelineType }}
condition: or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'))
vmImage: ${{ parameters.VM_IMAGE_WINDOWS}}
target: git-sync-deps
installWindowsSdk: false
installAndroidSdk: false
installDotNet: false
shouldPublish: false
postBuildSteps:
- task: CredScan@3
displayName: Analyze source for credentials
condition: always()
inputs:
suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json
- task: PoliCheck@2
displayName: Run PoliCheck
condition: always()
inputs:
inputType: 'Basic'
targetType: 'F'
optionsUEPATH: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml
- task: SdtReport@2
displayName: Create security analysis report
condition: always()
inputs:
GdnExportAllTools: false
GdnExportGdnToolCredScan: true
GdnExportGdnToolPoliCheck: true
GdnExportOutputSuppressionFile: source.gdnsuppress
- task: PublishSecurityAnalysisLogs@3
displayName: Publish security analysis logs
condition: always()
- pwsh: |
$tsaConfig = '$(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json'
$tsaConfigJson = Get-Content $tsaConfig | ConvertFrom-Json
$tsaConfigJson | Add-Member -Type NoteProperty -Name 'SuppressionFiles' -Value @("$(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress")
$tsaConfigJson | Add-Member -Type NoteProperty -Name 'SuppressionSets' -Value @("default")
$tsaConfigJson | ConvertTo-Json | Out-File $tsaConfig
cat $tsaConfig
displayName: Update TSA suppressions
condition: always()
- task: TSAUpload@2
displayName: Publish TSA logs
condition: always()
continueOnError: true
inputs:
GdnPublishTsaOnboard: true
GdnPublishTsaConfigFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json
- ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests'), ne(variables['System.PullRequest.IsFork'], 'true'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), parameters.runCompliance)) }}:
- template: security/full/v1.yml@xamarin-templates
parameters:
stageDependsOn:
- managed
- native_windows
- native_macos
- native_linux
- native_wasm
complianceEnabled: true
complianceTimeoutInMinutes: 480
scanArtifacts:
- managed
- native
antiMalwareEnabled: true
binSkimEnabled: true
policheckExclusionFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml
policheckGdnSuppressionFilesFolder: $(Build.SourcesDirectory)\scripts\guardian
credScanEnabled: true
credScanSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json
sourceGdnSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress
tsaConfigFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json
tsaReportBranch: $(Build.SourceBranch)
enableCodeInspector: true
apiScanEnabled: true
apiScanSoftwareName: 'SkiaSharp'
apiScanSoftwareVersionNum: $(Build.BuildNumber)

- ${{ if eq(parameters.buildPipelineType, 'tests') }}:
- stage: finalize
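Review bot: The new compile-time guard `ne(variables['System.PullRequest.IsFork'], 'true')` on the `${{ if ... }}` line only excludes fork pull requests if that variable is populated when the template is expanded; if it is only set at run time, the comparison is against an empty string and the fork exclusion passes silently, so it is worth confirming by queuing a fork PR build with `runCompliance` set to true and checking that the compliance stage is not injected. The removed stage marked every scan task `condition: always()` and the TSA upload `continueOnError: true`; whether security/full/v1.yml keeps the scans non-blocking is not visible here, so a failing CredScan or PoliCheck on main may now fail the whole stage — confirm that is the intended change. A short comment above the template call would also save the next reader from decoding the condition, e.g. `# Full compliance scan (CredScan, PoliCheck, BinSkim, APIScan, TSA) on main/release or on demand via runCompliance; never on fork PRs`. The stages named in `stageDependsOn` (including `native_wasm`) are defined outside this hunk, so whether each of them is unconditionally present for every buildPipelineType cannot be checked here.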
