From 64f9db25854231fd0da079ec1c82a9b92542aa2e Mon Sep 17 00:00:00 2001
From: Yan Xu
Date: Tue, 10 Sep 2024 15:12:17 +0800
Subject: [PATCH] [CI] Run external CredScan in Security tools pipeline (#26054)
* Run external CredScan in Security tools pipeline
* remove auth part from external CredScan
---
 .azure-pipelines/security-tools.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.azure-pipelines/security-tools.yml b/.azure-pipelines/security-tools.yml
index ccc03f01bbe2..d9d72ae2e6cb 100644
--- a/.azure-pipelines/security-tools.yml
+++ b/.azure-pipelines/security-tools.yml
@@ -52,6 +52,23 @@ jobs:
 outputFormat: sarif
 scanFolder: SecurityTmp
 suppressionsFile: tools/SecurityTools/CredScanSuppressions.json
+ - task: PowerShell@2
+ displayName: Run external CredScan
+ env:
+ GDN_CREDSCAN_OUTPUTTYPE: sarif
+ Scan_Folder: SecurityTmp
+ GDN_CREDSCAN_SUPPRESSIONSPATH: tools/SecurityTools/CredScanSuppressions.json
+ GDN_CREDSCAN_SUPPRESSASERROR: False
+ inputs:
+ targetType: inline
+ script: |
+ nuget.exe install Microsoft.Security.DevOps.Cli
+ $toolsPath = Join-Path ("Microsoft.Security.DevOps.Cli*" | Resolve-Path) tools
+ $env:Path = "$toolsPath;$env:Path"
+ $env:GDN_CREDSCAN_TARGETDIRECTORY = (Resolve-Path $env:Scan_Folder).Path
+ guardian init -f
+ guardian run -t CredScan
+
 - task: PowerShell@2
 displayName: Generate a response text file for BinSkim
 inputs:
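Review bot: The added `nuget.exe install Microsoft.Security.DevOps.Cli` line pins neither a version nor a feed, so each run of the security pipeline downloads whatever the agent's configured sources currently serve under that id and then executes it as `guardian`. I would pin both and install outside the checkout, e.g. `nuget.exe install Microsoft.Security.DevOps.Cli -Version <pinned-version> -Source <approved-feed-url> -OutputDirectory $env:AGENT_TEMPDIRECTORY`, and build `$toolsPath` from that exact directory. As written, `"Microsoft.Security.DevOps.Cli*" | Resolve-Path` is a wildcard over the current directory whose result is prepended to `$env:Path`; if it ever matches more than one directory, `Join-Path` receives several paths and the lookup for `guardian` becomes ambiguous. The script also never checks `$LASTEXITCODE` after the install, so a failed download would presumably surface only later as a missing `guardian` command rather than a clear error. The job this step belongs to starts outside the hunk.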