From 288959ed6b27b2929c3f49e50254400896ffa643 Mon Sep 17 00:00:00 2001
From: Matthew Leibowitz
Date: Wed, 27 Nov 2019 18:47:17 +0200
Subject: [PATCH] Add Code Checks (#1038)

- Component governance on all builds
- Static code analysis on a separate Windows job

---
scripts/azure-pipelines.yml | 73 ++++++++++++++++++++++++
scripts/azure-templates-bootstrapper.yml | 8 +++
2 files changed, 81 insertions(+)
diff --git a/scripts/azure-pipelines.yml b/scripts/azure-pipelines.yml
index 6e2b721e0..ef42cebd4 100644
--- a/scripts/azure-pipelines.yml
+++ b/scripts/azure-pipelines.yml
@@ -576,3 +576,76 @@ stages:
 inputs:
 artifactName: samples
 pathToPublish: 'output'
+
+ - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
+ - stage: checks
+ displayName: Run Code Checks
+ dependsOn: prepare
+ jobs:
+ - template: azure-templates-bootstrapper.yml # Run Code Checks
+ parameters:
+ name: native_checks_windows
+ displayName: Run Code Checks
+ # condition: and(always(), eq('refs/heads/master', variables['Build.SourceBranch']))
+ vmImage: $(VM_IMAGE_WINDOWS)
+ target: externals-init
+ shouldPublish: false
+ postBuildSteps:
+ - task: CredScan@2
+ displayName: Analyze source for credentials
+ condition: always()
+ inputs:
+ toolMajorVersion: 'V2'
+ - task: PoliCheck@1
+ displayName: Run PoliCheck
+ condition: always()
+ inputs:
+ inputType: 'Basic'
+ targetType: 'F'
+ - task: SdtReport@1
+ displayName: Create security analysis report
+ condition: always()
+ inputs:
+ AllTools: false
+ APIScan: false
+ BinSkim: false
+ CodesignValidation: false
+ CredScan: true
+ FortifySCA: false
+ FxCop: false
+ ModernCop: false
+ MSRD: false
+ PoliCheck: true
+ RoslynAnalyzers: false
+ SDLNativeRules: false
+ Semmle: false
+ TSLint: false
+ ToolLogsNotFoundAction: 'Standard'
+ - task: PublishSecurityAnalysisLogs@3
+ displayName: Publish security analysis logs
+ condition: always()
+ - task: TSAUpload@1
+ displayName: Publish TSA logs
+ condition: always()
+ inputs:
+ tsaVersion: 'TsaV2'
+ codebase: 'NewOrUpdate'
+ tsaEnvironment: 'PROD'
+ codeBaseName: 'SkiaSharp_master'
+ notificationAlias: 'xamacomd@microsoft.com'
+ notifyAlwaysV2: false
+ instanceUrlForTsaV2: 'DEVDIV'
+ projectNameDEVDIV: 'DevDiv'
+ areaPath: 'DevDiv\Xamarin Tools and SDKs\Components'
+ iterationPath: 'DevDiv\OneVS'
+ uploadAPIScan: false
+ uploadBinSkim: false
+ uploadCredScan: true
+ uploadFortifySCA: false
+ uploadFxCop: false
+ uploadModernCop: false
+ uploadPoliCheck: true
+ uploadPREfast: false
+ uploadRoslyn: false
+ uploadTSLint: false
+ uploadAsync: true
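Review bot: The scan results in this stage are reported but never enforced: CredScan@2 and PoliCheck@1 only write logs, SdtReport@1, PublishSecurityAnalysisLogs@3 and TSAUpload@1 only package and upload them, and every step is `condition: always()`, so a detected credential leaves the stage green. A `PostAnalysis@1` step after the report task would fail the job on CredScan or PoliCheck findings, as sketched below (indentation follows the surrounding task list). Separately, the commented-out `# condition:` line is dead configuration while `codeBaseName: 'SkiaSharp_master'` still names master, so if the `devdiv` project condition admits non-master or PR builds their findings presumably land under the master codebase — either remove the comment or restore the branch condition. The `stages:` sequence this stage joins starts outside the hunk.

```yaml
# … unchanged: SdtReport@1 task and its inputs …
- task: PostAnalysis@1
  displayName: Fail the job on credential or PoliCheck findings
  inputs:
    CredScan: true
    PoliCheck: true
# … unchanged: PublishSecurityAnalysisLogs@3 and TSAUpload@1 tasks …
```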
diff --git a/scripts/azure-templates-bootstrapper.yml b/scripts/azure-templates-bootstrapper.yml
index 52e074ef9..276e34421 100644
--- a/scripts/azure-templates-bootstrapper.yml
+++ b/scripts/azure-templates-bootstrapper.yml
@@ -135,3 +135,11 @@ jobs:
 inputs:
 artifactName: ${{ parameters.name }}
 pathToPublish: 'output'
+ - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
+ - task: ComponentGovernanceComponentDetection@0
+ displayName: Run component detection
+ condition: always()
+ inputs:
+ scanType: 'Register'
+ verbosity: 'Verbose'
+ alertWarningLevel: 'High'
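Review bot: Component detection is registration-only here: `alertWarningLevel: 'High'` turns High governance alerts into build warnings, and the task sets no `failOnAlert`, so a flagged component never fails the job and the gate is advisory. If enforcement is wanted, add `failOnAlert: true` under `inputs:`; if registration is the intent, a one-line comment such as `# registers the dependency inventory only; alerts warn but do not gate the build` saves the next reader from assuming it blocks. `condition: always()` also runs the scan on failed or cancelled jobs, which presumably is deliberate so the inventory is still recorded — confirm, since it then registers whatever partial tree a failed build left behind. The job template's steps list this task joins starts outside the hunk.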