Add Code Checks (#1038)

- Component governance on all builds
- Static code analysis on a separate Windows job

scripts/azure-pipelines.yml

@@ -576,3 +576,76 @@ stages:
               inputs:
                 artifactName: samples
                 pathToPublish: 'output'
+
+  - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
+    - stage: checks
+      displayName: Run Code Checks
+      dependsOn: prepare
+      jobs:
+        - template: azure-templates-bootstrapper.yml # Run Code Checks
+          parameters:
+            name: native_checks_windows
+            displayName: Run Code Checks
+            # condition: and(always(), eq('refs/heads/master', variables['Build.SourceBranch']))
+            vmImage: $(VM_IMAGE_WINDOWS)
+            target: externals-init
+            shouldPublish: false
+            postBuildSteps:
+              - task: CredScan@2
+                displayName: Analyze source for credentials
+                condition: always()
+                inputs:
+                  toolMajorVersion: 'V2'
+              - task: PoliCheck@1
+                displayName: Run PoliCheck
+                condition: always()
+                inputs:
+                  inputType: 'Basic'
+                  targetType: 'F'
+              - task: SdtReport@1
+                displayName: Create security analysis report
+                condition: always()
+                inputs:
+                  AllTools: false
+                  APIScan: false
+                  BinSkim: false
+                  CodesignValidation: false
+                  CredScan: true
+                  FortifySCA: false
+                  FxCop: false
+                  ModernCop: false
+                  MSRD: false
+                  PoliCheck: true
+                  RoslynAnalyzers: false
+                  SDLNativeRules: false
+                  Semmle: false
+                  TSLint: false
+                  ToolLogsNotFoundAction: 'Standard'
+              - task: PublishSecurityAnalysisLogs@3
+                displayName: Publish security analysis logs
+                condition: always()
+              - task: TSAUpload@1
+                displayName: Publish TSA logs
+                condition: always()
+                inputs:
+                  tsaVersion: 'TsaV2'
+                  codebase: 'NewOrUpdate'
+                  tsaEnvironment: 'PROD'
+                  codeBaseName: 'SkiaSharp_master'
+                  notificationAlias: 'xamacomd@microsoft.com'
+                  notifyAlwaysV2: false
+                  instanceUrlForTsaV2: 'DEVDIV'
+                  projectNameDEVDIV: 'DevDiv'
+                  areaPath: 'DevDiv\Xamarin Tools and SDKs\Components'
+                  iterationPath: 'DevDiv\OneVS'
+                  uploadAPIScan: false
+                  uploadBinSkim: false
+                  uploadCredScan: true
+                  uploadFortifySCA: false
+                  uploadFxCop: false
+                  uploadModernCop: false
+                  uploadPoliCheck: true
+                  uploadPREfast: false
+                  uploadRoslyn: false
+                  uploadTSLint: false
+                  uploadAsync: true

scripts/azure-templates-bootstrapper.yml

@@ -135,3 +135,11 @@ jobs:
         inputs:
           artifactName: ${{ parameters.name }}
           pathToPublish: 'output'
+      - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
+        - task: ComponentGovernanceComponentDetection@0
+          displayName: Run component detection
+          condition: always()
+          inputs:
+            scanType: 'Register'
+            verbosity: 'Verbose'
+            alertWarningLevel: 'High'