Add SBoM generation and antimalware tasks (#66)

2021-12-02 13:29:59 -05:00 · 2021-12-02 13:29:59 -05:00 · 2a40297d04
--- a/.azure-pipelines/compliance/compliance.yml
+++ b/.azure-pipelines/compliance/compliance.yml
@ -1,11 +1,18 @@
 steps:
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+    displayName: 'AntiMalware Scanner'
+    inputs:
+      FileDirPath: '$(Build.SourcesDirectory)'
+      EnableServices: true
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['Build.Reason'], 'Manual', 'Schedule')) # Only on scheduled and manual builds because it is slow
+
  - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
    displayName: 'Run PoliCheck'
    inputs:
      targetType: F # search files and folders
      optionsUEPATH: '$(Build.SourcesDirectory)/.azure-pipelines/compliance/PoliCheckExclusions.xml'
    continueOnError: true
-    condition: and(eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['Build.Reason'], 'Schedule')) # Only on scheduled builds because it is slow
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['Build.Reason'], 'Manual', 'Schedule')) # Only on scheduled and manual builds because it is slow

  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
    displayName: 'Run CredScan'
@ -13,14 +20,29 @@ steps:
      toolMajorVersion: V2
      suppressionsFile: '$(Build.SourcesDirectory)/.azure-pipelines/compliance/CredScanSuppressions.json'
    continueOnError: true
-    condition: and(eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['Build.Reason'], 'Schedule')) # Only on scheduled builds because it is slow
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['Build.Reason'], 'Manual', 'Schedule')) # Only on scheduled and manual builds because it is slow

  - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
    displayName: 'Publish Security Analysis Logs'
-    condition: and(eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['Build.Reason'], 'Schedule'))
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['Build.Reason'], 'Manual', 'Schedule'))

  - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
    displayName: 'Post Analysis'
    inputs:
-      AllTools: true
-    condition: and(eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['Build.Reason'], 'Schedule'))
+      AllTools: false
+      CredScan: true
+      PoliCheck: true
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['Build.Reason'], 'Manual', 'Schedule'))
+
+  - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+    displayName: 'SBoM Generation Task'
+    inputs:
+      BuildDropPath: '$(build.artifactstagingdirectory)'
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Linux'), in(variables['Build.Reason'], 'Manual', 'Schedule')) # Only on scheduled and manual builds because it is slow
+
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish SBoM'
+    inputs:
+      PathtoPublish: '$(build.artifactstagingdirectory)/_manifest'
+      ArtifactName: '_manifest'
+    condition: and(ne(variables['System.PullRequest.IsFork'], 'True'), eq(variables['Agent.OS'], 'Linux'), in(variables['Build.Reason'], 'Manual', 'Schedule'))