Enable SDL (PoliCheck, Credscan) in official builds

.vsts-dotnet.yml

@@ -40,6 +40,8 @@ variables:
     value: true
   - name: Codeql.Enabled
     value: true
+  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+    - group: DotNet-MSBuild-SDLValidation-Params
 
 stages:
 - stage: build
@@ -294,3 +296,17 @@ stages:
       enableSymbolValidation: false
       enableSourceLinkValidation: false
       enableNugetValidation: false
+      SDLValidationParameters:
+        enable: true
+        continueOnError: false
+        params: ' -SourceToolsList @("policheck","credscan")
+        -TsaInstanceURL "$(_TsaInstanceURL)"
+        -TsaProjectName "$(_TsaProjectName)"
+        -TsaNotificationEmail "$(_TsaNotificationEmail)"
+        -TsaCodebaseAdmin "$(_TsaCodebaseAdmin)"
+        -TsaBugAreaPath "$(_TsaBugAreaPath)"
+        -TsaIterationPath "$(_TsaIterationPath)"
+        -TsaRepositoryName "dotnet-msbuild"
+        -TsaCodebaseName "dotnet-msbuild"
+        -TsaPublish $True
+        -PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)\eng\policheck_exclusions.xml")'

eng/policheck_exclusions.xml

@@ -0,0 +1,13 @@
+<PoliCheckExclusions>
+  <!-- All strings must be UPPER CASE -->
+  <!--Each of these exclusions is a folder name -if \[name]\exists in the file path, it will be skipped -->
+  <!--<Exclusion Type="FolderPathFull">ABC|XYZ</Exclusion>-->
+  <!--Each of these exclusions is a folder name -if any folder or file starts with "\[name]", it will be skipped -->
+  <!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+  <!--Each of these file types will be completely skipped for the entire scan -->
+  <!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+  <!--The specified file names will be skipped during the scan regardless which folder they are in -->
+  <!--<Exclusion Type="FileName">ABC.TXT|XYZ.CS</Exclusion>-->
+
+  <Exclusion Type="FolderPathFull">.DOTNET</Exclusion>
+</PoliCheckExclusions>