Enable SDL (PoliCheck, Credscan) in official builds #6021

@benvillalobos

Description

Issue Description

SDL = Secure Development Lifecycle toolset. It includes things like PoliCheck and Credscan.
PoliCheck: profanity / disallowed-term check
Credscan: checks for secrets that were merged into source

MSBuild has never run these checks on official builds. It's time we start doing that.
Here's some context from a teams thread.

How would I go about requesting that? I'm trying to run a new pipeline here: https://dev.azure.com/devdiv/DevDiv/_build?definitionId=9434&_a=summary and not seeing anything that stands out for those checks.

add-build-to-channel with --validate-SDL
but the repo needs to have requested them I believe
in the call to post-build.yml
Something like this

  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
    - template: /eng/common/templates/post-build/post-build.yml
      parameters:
        # This is to enable SDL runs part of Post-Build Validation Stage.
        # as well as NuGet, SourceLink, and signing validation.
        # The variables get imported from group dotnet-diagnostics-sdl-params
        publishingInfraVersion: 3
        enableSourceLinkValidation: true
        enableSigningValidation: false
        enableSymbolValidation: false
        enableNugetValidation: true
        symbolPublishingAdditionalParameters: '/p:PublishSpecialClrFiles=false'
        publishInstallersAndChecksums: true
        SDLValidationParameters:
          enable: true
          continueOnError: true
          params: ' -SourceToolsList @("policheck","credscan")
          -TsaInstanceURL $(_TsaInstanceURL)
          -TsaProjectName $(_TsaProjectName)
          -TsaNotificationEmail $(_TsaNotificationEmail)
          -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
          -TsaBugAreaPath $(_TsaBugAreaPath)
          -TsaIterationPath $(_TsaIterationPath)
          -TsaRepositoryName "diagnostics"
          -TsaCodebaseName "diagnostics"
          -TsaPublish $True'
          artifactNames:
          - 'Packages'

For points of contact, see the linked teams thread.
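As an added illustration of what a Credscan-style check does over merged source, the script below scans a set of files for secret-shaped strings. It is not part of this issue, not Credscan, and not MSBuild or Arcade code: the rule set, the entropy threshold used to drop placeholder values, and the sample files are assumptions constructed for the demo (the AWS key is AWS's documented example value). The `gate` function mirrors the `continueOnError: true` setting in the snippet above: with it set, findings are reported but the stage still passes, so anyone relying on the SDL stage to block a leaked credential should set it to false.

```python
# Added example: a minimal Credscan-style secret scanner. This is not Credscan and not
# MSBuild/Arcade code; the rules below are illustrative assumptions about common secret
# shapes, and the sample files are constructed for the demo.
import math
import re
from collections import Counter
from dataclasses import dataclass

# Each rule: (compiled pattern, whether the captured value must look random before it counts).
RULES = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    "private_key_block": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), False),
    "connection_string_password": (re.compile(r"(?i)\b(?:password|pwd)=([^;\s\"']{8,})"), False),
    "generic_secret_assignment": (
        re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*[\"']([A-Za-z0-9/+_\-=]{20,})[\"']"),
        True,
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff between placeholders and real tokens


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character string."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file and collect the hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, needs_entropy) in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if needs_entropy and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue  # e.g. token = "xxxxxxxxxxxxxxxxxxxx" is a placeholder, not a leak
            findings.append(Finding(path, line_no, rule, line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (the 'merged source' in the demo)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def gate(findings: list[Finding], continue_on_error: bool) -> int:
    """Mirror the pipeline's continueOnError: findings only fail the run when it is False."""
    if findings and not continue_on_error:
        return 1
    return 0


# Constructed sample "merged source" for the demo; the AWS key is AWS's documented example value.
SAMPLE_FILES = {
    "src/Storage.cs": (
        'var accessKeyId = "AKIAIOSFODNN7EXAMPLE";\n'
        'var token = "xxxxxxxxxxxxxxxxxxxxxxxx";  // placeholder, should not fire\n'
    ),
    "src/Db.cs": 'var cs = "Server=db;User Id=sa;Password=Tr0ub4dor&3xYz!;";\n',
    "test/Fixtures/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n",
    "src/Api.cs": 'var apiKey = "Zx9qL2mN8vB4kP7rT1wY6uH3jF5dS0aG";\n',
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    # Fail the run on any finding; with continue_on_error=True this would always exit 0.
    raise SystemExit(gate(hits, continue_on_error=False))
```

Run as a script it reports four findings (the AWS key, the connection-string password, the PEM header and the high-entropy API key) and skips the all-`x` placeholder token. The entropy gate is only applied to the generic assignment rule: a `Password=` in a connection string or a `BEGIN PRIVATE KEY` header is a finding whatever its contents.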

Metadata

Labels: Area: Our Own Build (Problems affecting the build or build infrastructure of the MSBuild repo itself.), triaged