Enable SDL (PoliCheck, Credscan) in official builds #6021

Closed
benvillalobos opened this issue Jan 11, 2021 · 0 comments · Fixed by #9239
Labels: Area: Our Own Build (Problems affecting the build or build infrastructure of the MSBuild repo itself), triaged

Comments

@benvillalobos (Member)

Issue Description

SDL = Secure Development Lifecycle toolset. It includes things like PoliCheck and Credscan.
PoliCheck: profanity / disallowed term checkup
Credscan: Checks for secrets that were merged into source

MSBuild has never run these checks on official builds. It's time we start doing that.
Here's some context from a teams thread.

How would I go about requesting that? I'm trying to run a new pipeline here: https://dev.azure.com/devdiv/DevDiv/_build?definitionId=9434&_a=summary and not seeing anything that stands out for those checks.

add-build-to-channel with --validate-SDL
but the repo needs to have requested them I believe
in the call to post-build.yml
Something like this

  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
    - template: /eng/common/templates/post-build/post-build.yml
      parameters:
        # This is to enable SDL runs part of Post-Build Validation Stage.
        # as well as NuGet, SourceLink, and signing validation.
        # The variables get imported from group dotnet-diagnostics-sdl-params
        publishingInfraVersion: 3
        enableSourceLinkValidation: true
        enableSigningValidation: false
        enableSymbolValidation: false
        enableNugetValidation: true
        symbolPublishingAdditionalParameters: '/p:PublishSpecialClrFiles=false'
        publishInstallersAndChecksums: true
        SDLValidationParameters:
          enable: true
          continueOnError: true
          params: ' -SourceToolsList @("policheck","credscan")
          -TsaInstanceURL $(_TsaInstanceURL)
          -TsaProjectName $(_TsaProjectName)
          -TsaNotificationEmail $(_TsaNotificationEmail)
          -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
          -TsaBugAreaPath $(_TsaBugAreaPath)
          -TsaIterationPath $(_TsaIterationPath)
          -TsaRepositoryName "diagnostics"
          -TsaCodebaseName "diagnostics"
          -TsaPublish $True'
          artifactNames:
          - 'Packages'

For points of contact, see the linked teams thread.
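As an added check (not part of the issue, the thread, or the MSBuild repo), the following Python lint reads a pipeline fragment like the post-build.yml call quoted above and reports whether SDL was actually requested with both PoliCheck and Credscan; the sample input is constructed from the quoted snippet, and the `continueOnError` finding flags the caveat that with that setting a failed SDL run will not fail the build.

```python
import re
from typing import Dict, List

# Constructed sample: the post-build.yml call quoted in the issue, trimmed to the SDL section.
SAMPLE_PIPELINE = """\
- template: /eng/common/templates/post-build/post-build.yml
  parameters:
    enableSourceLinkValidation: true
    SDLValidationParameters:
      enable: true
      continueOnError: true
      params: ' -SourceToolsList @("policheck","credscan")
      -TsaPublish $True'
      artifactNames:
      - 'Packages'
"""

REQUIRED_TOOLS = ("policheck", "credscan")


def _block_lines(text: str, key: str) -> List[str]:
    """Return the lines nested under the first mapping key named `key` (indentation based)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == key + ":":
            indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                # A non-blank line at the same or lower indent ends the block.
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt)
            return body
    return []


def check_sdl(text: str) -> Dict[str, object]:
    """Report whether SDL validation is enabled, which tools it lists, and any findings."""
    block = _block_lines(text, "SDLValidationParameters")
    joined = "\n".join(block)
    enabled = re.search(r"^\s*enable:\s*true\s*$", joined, re.M) is not None
    tools_match = re.search(r'-SourceToolsList\s+@\(([^)]*)\)', joined)
    tools = [t.strip().strip("\"'").lower() for t in tools_match.group(1).split(",")] if tools_match else []
    missing = [t for t in REQUIRED_TOOLS if t not in tools]
    continue_on_error = re.search(r"^\s*continueOnError:\s*true\s*$", joined, re.M) is not None
    findings = []
    if not block:
        findings.append("SDLValidationParameters block not found: SDL not requested")
    elif not enabled:
        findings.append("SDLValidationParameters.enable is not true")
    if missing:
        findings.append("missing SDL tools: " + ", ".join(missing))
    if continue_on_error:
        findings.append("continueOnError: true, SDL failures will not fail the build")
    return {"enabled": enabled, "tools": tools, "findings": findings}
```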

@benvillalobos benvillalobos added Area: Our Own Build Problems affecting the build or build infrastructure of the MSBuild repo itself. needs-triage Have yet to determine what bucket this goes in. labels Jan 11, 2021
@benvillalobos benvillalobos removed needs-triage Have yet to determine what bucket this goes in. under-investigation labels Jul 29, 2021
@GangWang01 GangWang01 self-assigned this Sep 15, 2023
@AR-May AR-May added the triaged label Feb 21, 2024
3 participants