Merge pull request #31 from microsoft/credscan

Credscan and CG
microsoft · Feb 24, 2022 · 0199b33 · 0199b33
2 parents 24b23c1 + 3e67b9b
commit 0199b33
Show file tree

Hide file tree

Showing 7 changed files with 1,876 additions and 93 deletions.
diff --git a/ado-task-test.yml → azure-devops/ado-task-test.yml b/ado-task-test.yml → azure-devops/ado-task-test.yml
@@ -1,5 +1,5 @@
 trigger:
-- master
+- main
 
 pool:
   vmImage: 'ubuntu-latest'

diff --git a/release.yml → azure-devops/release.yml b/release.yml → azure-devops/release.yml
@@ -4,7 +4,14 @@ trigger:
 - main
 
 pool:
-  vmImage: ubuntu-latest
+  vmImage: ubuntu-18.04
+  demands:
+  - msbuild
+  - npm
+
+variables:
+  GDN_VERSION: '0.110.0-linux'
+  GDNP_VERSION: '1.61.0-linux'
 
 steps:
 - task: NodeTool@0
@@ -45,6 +52,13 @@ steps:
     PackageName: 'Microsoft Android App Size Diff CI'
     PackageVersion: '$(PackageVersion)'
 
+- template: templates/credscan.yml
+  parameters:
+    isShipped: true
+    buildName: 'android-app-size-diff-release'
+
+- template: templates/component-governance.yml
+
 - publish: $(build.artifactstagingdirectory)
   artifact: app-size-diff
   displayName: 'Publish artifacts to pipeline'
diff --git a/azure-devops/security-checks.yml b/azure-devops/security-checks.yml
@@ -0,0 +1,20 @@
+# Checks for Component Governance and CredScan
+trigger:
+- main
+
+pool:
+  vmImage: ubuntu-18.04
+  demands:
+  - msbuild
+  - npm
+
+variables:
+  GDN_VERSION: '0.110.0-linux'
+  GDNP_VERSION: '1.61.0-linux'
+
+steps:
+- template: templates/credscan.yml
+  parameters:
+    buildName: 'android-app-size-diff-$(Build.SourceBranch)'
+
+- template: templates/component-governance.yml
diff --git a/azure-devops/templates/component-governance.yml b/azure-devops/templates/component-governance.yml
@@ -0,0 +1,5 @@
+steps:
+- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+  displayName: 'Component Detection'
+  inputs:
+    failOnAlert: true
diff --git a/azure-devops/templates/credscan.yml b/azure-devops/templates/credscan.yml
@@ -0,0 +1,36 @@
+# Run the Credential Scanner check for security compliance. This then also
+# publishes the artifacts in a Microsoft compliant way.
+parameters:
+  isShipped: false
+  # This will be used for the Asset group name and should not have spaces as it may cause problems with ARROW processing.
+  buildName: 'android-app-size-diff'
+
+steps:
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+  displayName: 'Run Credential Scanner'
+  inputs:
+    debugMode: false
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+  displayName: 'Publish Guardian Artifacts'
+  inputs:
+    ArtifactType: M365
+
+- task: dikalya.AssetRetention.asset-retention-task.AssetRetention@3
+  displayName: 'ARtifact Retention Orchestrator Workflow (ARROW)'
+  inputs:
+    ArrowServiceConnection: 'Arrow_msresearch_JAVTUN'
+    AssetGroupName: '$(System.TeamProject)_${{ parameters.buildName }}'
+    AssetNumber: '$(Build.BuildId)'
+    IsShipped: ${{ parameters.isShipped }}
+    DropsToRetain: 'CodeAnalysisLogs'
+  condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/'))
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+  displayName: 'Guardian Break'
+  inputs:
+    GdnBreakPolicyMinSev: Warning
+    GdnBreakAllTools: true
+    GdnBreakGdnToolCredScan: true
+    GdnBreakGdnToolCredScanSeverity: Warning
+    GdnBreakPolicy: M365