# This pipeline is used to perform policy and compliance tasks on the PTVS codebase.
# For more information about the suite of tools used, see https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/secure-development-tools-extension-for-azure-devops
# Runtime parameters. Both default to 'latest' and are passed through to
# Build/templates/restore_packages.yml, which installs the two dependencies.
parameters:
  - name: pylanceVersion
    displayName: Pylance Version
    type: string
    default: latest
  - name: debugpyVersion
    displayName: Debugpy Version
    type: string
    default: latest
# Build number format: two-digit year, day of year, then a per-day revision
name: $(date:yy)$(DayOfYear)$(rev:.r)

# This pipeline is never started by CI pushes or pull requests; only the
# schedule below (or a manual run) starts it.
trigger: none
pr: none
# Trigger builds on a nightly schedule, as long as there are changes
# Ignore the azure-pipelines.yml, since that's a different pipeline
# All times are in UTC, so 8AM = Midnight PST
# NOTE(review): only a branch filter is visible here; no path filter backs the
# "ignore azure-pipelines.yml" remark above — confirm that comment is still accurate.
schedules:
  - cron: "0 8 * * *"
    displayName: Nightly build
    branches:
      include:
        - main
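jobs:
  - job: Compliance
    # 0 selects the maximum job timeout; several of the SDL tasks below are slow
    timeoutInMinutes: 0
    # The agent pool the build will run on
    pool:
      name: VSEngSS-MicroBuild2022-1ES
      demands:
        - msbuild
        - VisualStudio_17.0
    # Job variables
    variables:
      - name: CopyTestData
        value: false
      # PTVS variable group
      # This contains variables shared between various PTVS pipelines
      - group: PTVS-Dev17
    # Every SDL scan task below is declared with condition: succeededOrFailed()
    # and continueOnError: true, so one failing tool does not stop the others and
    # a tool failure is reported as a warning instead of failing the job. Findings
    # are surfaced by the SdtReport, PublishSecurityAnalysisLogs and TSAUpload
    # steps at the end of the job rather than by the scan tasks themselves.
    steps:
      # Check out code clean from source control
      - checkout: self
        clean: true
      # Install plugins needed for swixproj/vsmanproj and signing
      # We don't use Build/templates/install_microbuild_plugins.yml here because this project doesn't need to real sign
      - task: MicroBuildSwixPlugin@3
        displayName: 'Install microbuild swix plugin'
      # Restore packages and install dependencies (pylance, debugpy)
      - template: Build/templates/restore_packages.yml
        parameters:
          pylanceVersion: ${{ parameters.pylanceVersion }}
          debugpyVersion: ${{ parameters.debugpyVersion }}
      # Clean the Guardian temp files
      - powershell: Get-ChildItem -Path $env:TEMP -Filter 'MpCmdRun.*' -Recurse -ErrorAction SilentlyContinue | Remove-Item -Recurse -Force
        displayName: Clean guardian temp files
        continueOnError: true
      # NOTE(review): npm@8 and the '14.x' versionSpec below are floating specs
      # resolved at run time; pin exact versions if this compliance run must be reproducible.
      - powershell: npm i -g npm@8
        displayName: downgrade npm
      # Update node
      # See https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/tool/node-js?view=azure-devops
      - task: NodeTool@0
        displayName: Update node
        inputs:
          versionSpec: '14.x'
      # No versionSpec input is given, so the task's default Python version is used
      # (the displayName says 3.x — confirm that matches the task default in use)
      - task: UsePythonVersion@0
        displayName: 'Use Python 3.x'
      # Initialize CodeQL before the build
      # See https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/1761/Static-Analysis and
      # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines
      - task: CodeQL3000Init@0
        displayName: Initialize CodeQL
        inputs:
          Enabled: true
          Language: python,csharp,cpp
          # TSA options come from the same TsaConfig.json that TSAUpload uses at the end
          TSAEnabled: true
          TSAOptionsPath: $(Build.SourcesDirectory)\TsaConfig.json
        condition: succeededOrFailed()
        continueOnError: true
      # Build and publish logs
      - template: Build/templates/build.yml
      # Finalize CodeQL after the build
      - task: CodeQL3000Finalize@0
        displayName: Finalize CodeQL
        condition: succeededOrFailed()
        continueOnError: true
      # Anti-Malware Scan of build sources and/or artifacts
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/antimalware-scan-build-task
      - task: AntiMalware@4
        displayName: 'Run Antivirus on Source'
        inputs:
          FileDirPath: $(Build.SourcesDirectory)
        condition: succeededOrFailed()
        continueOnError: true
      - task: AntiMalware@4
        displayName: Run Antivirus on Binaries
        inputs:
          FileDirPath: $(Build.BinariesDirectory)
        condition: succeededOrFailed()
        continueOnError: true
      # Copy files for Scanning
      # NOTE(review): this step, "Save SDT logs to Staging Directory", "Publish Staging
      # Directory" and "TSA Upload" carry no condition, so they run under the default
      # succeeded() condition and are skipped if an earlier non-continueOnError step
      # fails — confirm that losing the TSA upload in that case is acceptable.
      - task: CopyFiles@2
        displayName: 'Copy Files for Scanning'
        inputs:
          SourceFolder: $(Build.BinariesDirectory)
          Contents: |
            layout\Microsoft.CookiecutterTools\Microsoft.CookiecutterTools.*
            layout\Microsoft.PythonTools.Core\Microsoft.PythonTools.*
            layout\Microsoft.PythonTools.Core\PyDebugAttach*.*
            layout\Microsoft.PythonTools.Debugger.VCLauncher\Microsoft.PythonTools.*
            layout\Microsoft.PythonTools.Django\Microsoft.PythonTools.*
            layout\Microsoft.PythonTools.Profiling\Microsoft.PythonTools.*
            layout\Microsoft.PythonTools.Profiling\VsPyProf*.*
          TargetFolder: $(Agent.TempDirectory)\FilesToScan
      # Analyze python files for common vulnerabilities
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/bandit-build-task
      - task: Bandit@1
        displayName: 'Run Bandit'
        inputs:
          targetsType: banditPattern
          targetsBandit: '$(Build.SourcesDirectory)\Python\Product'
        condition: succeededOrFailed()
        continueOnError: true
      # Analyze binaries for security vulnerabilities
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/binskim-build-task
      - task: BinSkim@4
        displayName: Run BinSkim
        inputs:
          # Scan the binaries staged by the 'Copy Files for Scanning' step above
          TargetPattern: binskimPattern
          AnalyzeTargetBinskim: |
            $(Agent.TempDirectory)\FilesToScan\*.dll
            $(Agent.TempDirectory)\FilesToScan\*.exe
        condition: succeededOrFailed()
        continueOnError: true
      # Run component governance detection
      # See http://aka.ms/cgdocs for more info
      - task: ComponentGovernanceComponentDetection@0
        displayName: Run Component Detection
        inputs:
          scanType: 'Register'
          verbosity: 'Verbose'
          alertWarningLevel: 'High'
        condition: succeededOrFailed()
        continueOnError: true
      # Analyze source and build output text files for credentials
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/credscan-azure-devops-build-task
      - task: CredScan@2
        displayName: Run CredScan
        inputs:
          toolMajorVersion: V2
        condition: succeededOrFailed()
        continueOnError: true
      # Scan C/C++ for security vulnerabilities
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/flawfinder-build-task
      - task: Flawfinder@2
        displayName: 'Run Flawfinder'
        condition: succeededOrFailed()
        continueOnError: true
      # Scan text elements including code, code comments, and content/web pages, for sensitive terms based on legal, cultural, or geopolitical reasons
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/policheck-build-task
      - task: PoliCheck@2
        displayName: Run PoliCheck
        inputs:
          optionsFC: 1 # Enables scanning of comments
          optionsUEPATH: $(Build.SourcesDirectory)\Build\PoliCheckExclusions.xml
        condition: succeededOrFailed()
        continueOnError: true
      # Analyze unmanaged C/C++ code for security vulnerabilities
      # https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/prefast-build-task
      - task: SDLNativeRules@2
        displayName: Run PREfast SDL Native Rules for MSBuild
        condition: succeededOrFailed()
        continueOnError: true
      - task: MicroBuildCleanup@1
        displayName: MicroBuild cleanup
        continueOnError: true
      # Generate security analysis report
      # The BreakOn thresholds only govern the report's verdict; the task itself still
      # runs with continueOnError, so it does not fail the job on its own.
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/security-analysis-report-build-task
      - task: SdtReport@1
        displayName: Create Security Analysis Report
        inputs:
          AllTools: true
          BinSkimBreakOn: WarningAbove
          PoliCheckBreakOn: Severity4Above
          RoslynAnalyzersBreakOn: WarningAbove
        condition: succeededOrFailed()
        continueOnError: true
      # Publish security analysis logs
      - task: PublishSecurityAnalysisLogs@2
        displayName: Publish Security Analysis Logs
        condition: succeededOrFailed()
        continueOnError: true
      # Copy sdt logs for publishing
      - task: CopyFiles@2
        displayName: Save SDT logs to Staging Directory
        inputs:
          SourceFolder: $(Agent.BuildDirectory)\_sdt
          TargetFolder: $(Build.StagingDirectory)
      # Publish staging artifacts
      - task: PublishBuildArtifacts@1
        displayName: Publish Staging Directory
        inputs:
          PathtoPublish: $(Build.StagingDirectory)
      # Upload results to TSA
      # See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/tsa-upload-build-task
      - task: TSAUpload@2
        displayName: TSA Upload
        inputs:
          GdnPublishTsaOnboard: true
          GdnPublishTsaConfigFile: $(Build.SourcesDirectory)\TsaConfig.json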