Issue Description
SDL = Secure Development Lifecycle toolset. It includes tools such as PoliCheck and CredScan:
PoliCheck: checks for profanity and disallowed terms
CredScan: checks for secrets that were committed to source
MSBuild has never run these checks on official builds. It's time we start doing that.
Here's some context from a Teams thread.
How would I go about requesting that? I'm trying to run a new pipeline here: https://dev.azure.com/devdiv/DevDiv/_build?definitionId=9434&_a=summary and not seeing anything that stands out for those checks.
add-build-to-channel with --validate-SDL
but the repo needs to have requested them I believe
in the call to post-build.yml
Something like this
```yaml
- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
  - template: /eng/common/templates/post-build/post-build.yml
    parameters:
      # This is to enable SDL runs part of Post-Build Validation Stage.
      # as well as NuGet, SourceLink, and signing validation.
      # The variables get imported from group dotnet-diagnostics-sdl-params
      publishingInfraVersion: 3
      enableSourceLinkValidation: true
      enableSigningValidation: false
      enableSymbolValidation: false
      enableNugetValidation: true
      symbolPublishingAdditionalParameters: '/p:PublishSpecialClrFiles=false'
      publishInstallersAndChecksums: true
      SDLValidationParameters:
        enable: true
        continueOnError: true
        params: ' -SourceToolsList @("policheck","credscan")
          -TsaInstanceURL $(_TsaInstanceURL)
          -TsaProjectName $(_TsaProjectName)
          -TsaNotificationEmail $(_TsaNotificationEmail)
          -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
          -TsaBugAreaPath $(_TsaBugAreaPath)
          -TsaIterationPath $(_TsaIterationPath)
          -TsaRepositoryName "diagnostics"
          -TsaCodebaseName "diagnostics"
          -TsaPublish $True'
      artifactNames:
        - 'Packages'
```
For points of contact, see the linked teams thread.
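A check that a repository's pipeline actually requests the SDL run the thread describes, as an added example that is not code from this issue, from MSBuild or from the Arcade templates: it pulls the `SDLValidationParameters` block out of a pipeline file with a plain text scan (not a YAML parser), confirms both policheck and credscan appear in `-SourceToolsList`, and flags `continueOnError: true`, which lets a failed SDL stage pass the build so findings only surface through TSA. The embedded pipeline snippet is constructed from the one quoted above.

```python
import re

# Constructed sample input: the SDL slice of the post-build.yml invocation quoted
# in this issue, re-indented as it would sit inside a pipeline file.
SAMPLE_PIPELINE = """
      SDLValidationParameters:
        enable: true
        continueOnError: true
        params: ' -SourceToolsList @("policheck","credscan")
          -TsaRepositoryName "diagnostics"
          -TsaPublish $True'
      artifactNames:
        - 'Packages'
"""

REQUIRED_TOOLS = ("policheck", "credscan")

def sdl_block(pipeline_text):
    """Return the lines nested under SDLValidationParameters, or [] if absent."""
    lines = pipeline_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "SDLValidationParameters:":
            indent = len(line) - len(line.lstrip())
            block = []
            for nested in lines[i + 1:]:
                # A non-blank line at the same or lower indent ends the block.
                if nested.strip() and len(nested) - len(nested.lstrip()) <= indent:
                    break
                block.append(nested)
            return block
    return []

def audit_sdl(pipeline_text):
    """Return a list of findings; an empty list means the SDL stage is on and blocking."""
    text = "\n".join(sdl_block(pipeline_text))
    findings = []
    if not text:
        return ["SDLValidationParameters missing: no SDL run is requested"]
    if not re.search(r"^\s*enable:\s*true\s*$", text, re.M | re.I):
        findings.append("SDL validation is not enabled (enable: true missing)")
    tools_match = re.search(r"-SourceToolsList\s*@\(([^)]*)\)", text)
    tools = re.findall(r'"([^"]+)"', tools_match.group(1)) if tools_match else []
    for tool in REQUIRED_TOOLS:
        if tool not in [t.lower() for t in tools]:
            findings.append(f"{tool} not in -SourceToolsList")
    if re.search(r"^\s*continueOnError:\s*true\s*$", text, re.M | re.I):
        findings.append("continueOnError: true lets SDL failures pass the build; findings surface only via TSA")
    if not re.search(r"-TsaPublish\s+\$True\b", text, re.I):
        findings.append("-TsaPublish is not $True, so results are not filed to TSA")
    return findings
```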