{CI} Enable Credential Scan (#29100)

* change credscan version to find failed test * try suppressed credentials * fix suppressed creds * add superssion * Fix typo
2024-06-16 19:21:17 +10:00 · 2024-06-16 19:21:17 +10:00 · 955b9cc54f
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -66,23 +66,18 @@ jobs:
  pool:
    name: ${{ variables.windows_pool }}
  steps:
-#  - task: ms-codeanalysis.vss-microsoft-security-code-analysis-devops.build-task-credscan.CredScan@2
-#    displayName: 'Run Credential Scanner'
-#    inputs:
-#      toolMajorVersion: V2
-#      suppressionsFile: './scripts/ci/credscan/CredScanSuppressions.json'
-#      toolVersionV2: '2.1.17'
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+    displayName: 'Run Credential Scanner'
+    inputs:
+      toolVersion: '2.1.17'
+      suppressionsFile: './scripts/ci/credscan/CredScanSuppressions.json'

-  - task: ms-codeanalysis.vss-microsoft-security-code-analysis-devops.build-task-postanalysis.PostAnalysis@1
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
    displayName: 'Post Analysis'
    inputs:
-      AllTools: false
-      BinSkim: false
-      CredScan: true
-      PoliCheck: false
-      RoslynAnalyzers: false
-      TSLint: false
-      ToolLogsNotFoundAction: 'Standard'
+      GdnBreakAllTools: false
+      GdnBreakGdnToolCredScan: true
+      GdnBreakGdnToolCredScanSeverity: Error

 - job: PolicyCheck
  displayName: "Policy Check"
--- a/scripts/ci/credscan/CredScanSuppressions.json
+++ b/scripts/ci/credscan/CredScanSuppressions.json
@ -38,7 +38,6 @@
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_keys_delete_slot.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_keys_list.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_keys_list_slot.yaml",
-        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_acr_deployment_function_app.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_download_win_web_log.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_webapp_show_deployment_logs.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_deploy_zip.yaml",
@ -66,7 +65,14 @@
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_webapp_up_generate_default_name.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_windows_to_linux_fail.yaml",
        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_one_deploy.yaml",
-        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_webapp_up_linux_windows_sharing_resource_group.yaml"
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_webapp_up_linux_windows_sharing_resource_group.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_config_with_appcontainer_managed_environment_error.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_container_config_set_replicas.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_replicas.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_delete_functions.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_enable_dapr.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_workloadprofiles.yaml"     
      ],
      "_justification": "[AppService] response body contains random value recognized as secret"
    },
@ -450,7 +456,15 @@
      "_justification": "[AMS] Test certs"
    },
    {
-      "file": "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\server.pfx",
+      "file": [
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\server.pfx",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_acr_deployment_function_app.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment_add_vnet_error.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment_existing_app_insights.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment_list_vnet_error.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment_remove_vnet_error.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\appservice\\tests\\latest\\recordings\\test_functionapp_create_with_appcontainer_managed_environment_list_vnet_error.yaml"
+      ],
      "_justification": "[AppService] Test certs"
    },
    {
@ -486,6 +500,8 @@
        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\data\\auto_scale_cluster_with_azure_files.json",
        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\data\\cluster_with_azure_files.json",
        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\data\\file_server.json",
+        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\data\\test_batchai_auto_scale_scenario.json",
+        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\data\\test_batchai_manual_scale_scenario.json",
        "src\\azure-cli\\azure\\cli\\command_modules\\batch\\tests\\latest\\data\\batch-pool-create.json"
      ],
      "_justification": "unclear file contains password, need to remove in the future"
@ -577,7 +593,8 @@
    },
    {
      "file": [
-        "src\\azure-cli\\azure\\cli\\command_modules\\acs\\tests\\latest\\data\\setup_proxy.sh"
+        "src\\azure-cli\\azure\\cli\\command_modules\\acs\\tests\\latest\\data\\setup_proxy.sh",
+        "src\\azure-cli\\azure\\cli\\command_modules\\acs\\_help.py"
      ],
      "_justification": "Dummy self-signed certificate + private key used for testing only."
    },
@ -605,6 +622,37 @@
        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\data\\cert.txt"
      ],
      "_justification": "[containerapp] Test certs"
+    },
+    {
+      "placeholder": "abc@123.com",
+      "_justification": "[VM] publisher contact/email for testing"
+    },
+    {
+      "file": [
+        "src\\azure-cli\\azure\\cli\\command_modules\\acr\\tests\\latest\\recordings\\test_acr_artifact_streaming.yaml"
+      ],
+      "_justification": "[ACR] test response body contains token"
+    },
+    {
+      "file":[
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerappjob_create_with_environment_id.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerappjob_create_with_yaml.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerappjob_eventtriggered_create_with_yaml.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_compose_create_environment_to_target_location.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_create_with_vnet_yaml.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_env_logs_e2e.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_env_p2p_traffic_encryption.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_get_customdomainverificationid_e2e.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\recordings\\test_containerapp_tcp_ingress.yaml"
+      ],
+      "_justification": "[containerapp] request body contains sharedKey recognized as secret"
+    },
+    {
+      "file":[
+        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\recordings\\test_batchai_auto_scale_scenario.yaml",
+        "src\\azure-cli\\azure\\cli\\command_modules\\batchai\\tests\\latest\\recordings\\test_batchai_manual_scale_scenario.yaml"
+      ],
+      "_justification": "[BATCHAI] request body password for testing"
    }
  ]
 }