From 2b723b039099fe6958373276c0f79e265a61e737 Mon Sep 17 00:00:00 2001
From: Changming Sun
Date: Thu, 5 Aug 2021 18:32:45 -0700
Subject: [PATCH] Add a pipeline for compliance (#20)
---
 .gdn/.gdntsa | 1 +
 ci_build/azure_pipelines/compliance.yml | 50 +++++++++++++++++++++++++
 ci_build/policheck_exclusions.xml | 4 ++
 3 files changed, 55 insertions(+)
 create mode 100644 .gdn/.gdntsa
 create mode 100644 ci_build/azure_pipelines/compliance.yml
 create mode 100644 ci_build/policheck_exclusions.xml
diff --git a/.gdn/.gdntsa b/.gdn/.gdntsa
new file mode 100644
index 0000000000000..b7e232e3c0cd2
--- /dev/null
+++ b/.gdn/.gdntsa
@@ -0,0 +1 @@
+{"codebaseName": "onnxruntime_inference_examples_main"}
diff --git a/ci_build/azure_pipelines/compliance.yml b/ci_build/azure_pipelines/compliance.yml
new file mode 100644
index 0000000000000..28ac3f4f79e0e
--- /dev/null
+++ b/ci_build/azure_pipelines/compliance.yml
@@ -0,0 +1,50 @@
+jobs:
+
+- job: compliance
+ pool:
+ vmImage: "windows-2019"
+ steps:
+ - task: UsePythonVersion@0
+ displayName: 'Use Python 3.8.x'
+ inputs:
+ versionSpec: 3.8.x
+
+ - powershell: |
+ python -m pip --disable-pip-version-check install -r $(Build.SourcesDirectory)\mobile\examples\speech_recognition\model\requirements.txt
+
+ displayName: 'Install python packages'
+
+ - task: PoliCheck@2
+ displayName: 'Run Global Readiness Check tool'
+ inputs:
+ targetType: F
+ result: PoliCheck.xml
+ optionsUEPATH: '$(Build.SourcesDirectory)\ci_build\policheck_exclusions.xml'
+
+
+ - task: Semmle@1
+ displayName: 'Run CodeQL (Semmle) (python)'
+ inputs:
+ language: python
+
+ - task: SdtReport@2
+ displayName: 'Create Security Analysis Report'
+ inputs:
+ GdnExportAllTools: false
+ GdnExportGdnToolPoliCheck: true
+ GdnExportGdnToolSemmle: true
+
+ - task: PublishSecurityAnalysisLogs@3
+ displayName: 'Publish Guardian Artifacts'
+
+ - task: PostAnalysis@2
+ displayName: 'Guardian Break'
+ inputs:
+ GdnBreakGdnToolSDLNativeRulesSeverity: Warning
+
+ - task: TSAUpload@2
+ displayName: 'TSA upload'
+ condition: and (succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
+ inputs:
+ GdnPublishTsaOnboard: false
+ GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\.gdn\.gdntsa'
diff --git a/ci_build/policheck_exclusions.xml b/ci_build/policheck_exclusions.xml
new file mode 100644
index 0000000000000..1a1e05a15e803
--- /dev/null
+++ b/ci_build/policheck_exclusions.xml
@@ -0,0 +1,4 @@
+
+
+ LABEL.CS|SYNSET.TXT
+
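Review bot: The 'Guardian Break' step configures only `GdnBreakGdnToolSDLNativeRulesSeverity: Warning`, yet SDL Native Rules is not one of the tools this job runs, so PoliCheck and Semmle findings (the two tools the report step exports) appear to have no break threshold and the job may stay green regardless of what they report. If the intent is to fail on their findings, the PostAnalysis inputs should name those tools, e.g. `GdnBreakGdnToolPoliCheck: true` and `GdnBreakGdnToolSemmle: true` plus the matching per-tool severity inputs; confirm the exact input names against the task's documentation before relying on them. Separately, the TSAUpload condition gates on `'refs/heads/master'` while the codebase name in `.gdn/.gdntsa` ends in `_main`; if the repository's default branch is `main`, the upload step never runs, so the branch name should be verified. The requirements file installed by the powershell step is outside this diff, so whether its package versions are pinned cannot be checked here.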