Merge branch 'main' into integrate3.0

Author: vineethkuttan

.ado/compliance.yml

@@ -98,6 +98,28 @@ jobs:
         parameters:
           complianceWarnOnly: ${{ parameters.complianceWarnOnly }}
 
+      # Attack Surface Analyzer (ASA) for SDL compliance
+      # This is integrated into the compliance pipeline but runs independently
+      # Note: ASA requires before/after snapshots, so we run a separate analysis
+      - task: PowerShell@2
+        displayName: '🛡️ Attack Surface Analyzer - Note'
+        inputs:
+          targetType: inline
+          script: |
+            Write-Host "=========================================="
+            Write-Host "Attack Surface Analyzer (ASA) Information"
+            Write-Host "=========================================="
+            Write-Host ""
+            Write-Host "ASA runs as a separate job in the PR pipeline (see stages.yml)."
+            Write-Host "It performs before/after snapshot analysis of the build process."
+            Write-Host ""
+            Write-Host "For manual ASA runs or to view results:"
+            Write-Host "1. Check PR pipeline artifacts for ASA_Results"
+            Write-Host "2. Review docs/attack-surface-analyzer.md for guidance"
+            Write-Host "3. Run ASA locally: dotnet tool install -g Microsoft.CST.AttackSurfaceAnalyzer.CLI"
+            Write-Host ""
+            Write-Host "✅ ASA integration is active in PR builds"
+
       # Finalize CodeQL 3000 Task (https://aka.ms/codeql3000)
       # Performs static code analysis.
       - task: CodeQL3000Finalize@0

.ado/jobs/attack-surface-analyzer.yml

@@ -41,6 +41,13 @@ stages:
           AgentPool: ${{ parameters.AgentPool }}
           buildNuGetOnly: true
 
+      # Attack Surface Analyzer for SDL compliance
+      - template: jobs/attack-surface-analyzer.yml
+        parameters:
+          buildEnvironment: ${{ parameters.buildEnvironment }}
+          AgentPool: ${{ parameters.AgentPool }}
+          complianceWarnOnly: true
+
   - stage: IntegrationTests
     displayName: Tests 🧪
     dependsOn: Setup

.ado/stages.yml

@@ -123,6 +123,16 @@ Build and see if your solution works. Consult [Building React-Native-Windows](ht
 
 Testing is a key component in the development workflow. If your changes affect existing test cases, or you're working on brand new features and also the accompanying test cases, see [End-to-End Testing](https://github.com/microsoft/react-native-windows/blob/main/docs/e2e-testing.md) for more information about how to validate your work locally.
 
+### 🛡️ Security & Compliance
+
+React Native Windows follows Microsoft's Secure Development Lifecycle (SDL) requirements. As part of this commitment:
+
+- **Attack Surface Analyzer (ASA)** runs automatically on every PR to detect security regressions during the build process. This ensures that builds don't inadvertently weaken the OS security configuration.
+- If ASA detects changes in your PR, review the artifacts in the PR build to understand the security implications.
+- For more information about ASA, see [Attack Surface Analyzer documentation](https://github.com/microsoft/react-native-windows/blob/main/docs/attack-surface-analyzer.md).
+
+Most changes won't trigger ASA findings, but if yours does, the documentation explains how to review and address the findings.
+
 ### ✅ Code Review
 
 When you'd like the team to review your PR, (even if the work is not yet fully-complete), open a PR so that the team can review your work and provide comments, suggestions, and request changes. It may take several cycles, but the end result will be solid, testable, conformant code that is safe for us to merge.

CONTRIBUTING.md

@@ -58,6 +58,10 @@ Search the [existing issues](https://github.com/microsoft/react-native-windows/i
 ## Documentation
 React Native has [great documentation](https://reactnative.dev/docs/getting-started). React Native for Windows adds its own separate [Windows and macOS documentation](https://microsoft.github.io/react-native-windows/) for desktop platform information like API docs and blog updates.
 
+### Security Documentation
+- **[Security Configuration Guide](https://github.com/microsoft/react-native-windows/blob/main/docs/security-configuration.md)** - Comprehensive guide for SDL-compliant security configurations
+- **[Security Best Practices](https://github.com/microsoft/react-native-windows/blob/main/docs/security-best-practices.md)** - Secure coding patterns and security API usage
+
 ### Examples
 - Using the CLI in the [Getting Started](https://microsoft.github.io/react-native-windows/docs/getting-started) guide will set you up with a sample React Native for Windows app that you can begin editing right away.
 - Check the [samples repo](https://github.com/microsoft/react-native-windows-samples) for more standalone samples.