Merge pull request #8370 from dotnet/marcpopMSFT-enablesdl

Enable SDL using 1ES pipelines
dotnet · Sep 17, 2024 · 91382a2 · 91382a2
2 parents a23da1c + fdc98e7
commit 91382a2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 63 deletions.
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
@@ -0,0 +1,10 @@
+{
+    "instanceUrl": "https://devdiv.visualstudio.com/",
+    "template": "TFSDEVDIV",
+    "projectName": "DEVDIV",
+    "areaPath": "DevDiv\\NET Tools\\SDK",
+    "iterationPath": "DevDiv",
+    "notificationAliases": [ "dotnetdevexcli@microsoft.com" ],
+    "repositoryName": "templating",
+    "codebaseName": "templating"
+}
diff --git a/azure-pipelines-pr.yml b/azure-pipelines-pr.yml
@@ -27,8 +27,6 @@ variables:
     value: true
   - name: EnableReleaseOneLocBuild
     value: false
-  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
-    - group: Templating-SDLValidation-Params
   - template: /eng/common/templates/variables/pool-providers.yml
 
 stages:
@@ -149,32 +147,3 @@ stages:
             name: Build
             displayName: Build
             condition: succeeded()
-
-- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
-  - template: eng\common\templates\post-build\post-build.yml
-    parameters:
-      publishingInfraVersion: 3
-      # Symbol validation isn't being very reliable lately. This should be enabled back
-      # once this issue is resolved: https://github.com/dotnet/arcade/issues/2871
-      enableSymbolValidation: false
-      # Sourcelink validation isn't passing for Arcade due to some regressions. This should be
-      # enabled back once this issue is resolved: https://github.com/dotnet/arcade/issues/2912
-      enableSourceLinkValidation: false
-      publishDependsOn:
-      - Validate
-      # This is to enable SDL runs part of Post-Build Validation Stage
-      SDLValidationParameters:
-        enable: true
-        continueOnError: false
-        params: ' -SourceToolsList @("policheck","credscan")
-        -ArtifactToolsList @("binskim")
-        -BinskimAdditionalRunConfigParams @("IgnorePdbLoadError < True","Recurse < True")
-        -TsaInstanceURL $(_TsaInstanceURL)
-        -TsaProjectName $(_TsaProjectName)
-        -TsaNotificationEmail $(_TsaNotificationEmail)
-        -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
-        -TsaBugAreaPath $(_TsaBugAreaPath)
-        -TsaIterationPath $(_TsaIterationPath)
-        -TsaRepositoryName $(_TsaRepsitoryName)
-        -TsaCodebaseName $(_TsaCodebaseName)
-        -TsaPublish $True'
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -27,8 +27,6 @@ variables:
     value: true
   - name: EnableReleaseOneLocBuild
     value: false
-  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
-    - group: Templating-SDLValidation-Params
   - template: /eng/common/templates-official/variables/pool-providers.yml
 
 resources:
@@ -57,6 +55,12 @@ extends:
         name: $(DncEngInternalBuildPool)
         image: 1es-windows-2022
         os: windows
+      policheck:
+        enabled: true
+      tsa:
+        enabled: true
+      binskim:
+        analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
     stages:
     - stage: build
       displayName: Build
@@ -160,33 +164,3 @@ extends:
                   name: Build
                   displayName: Build
                   condition: succeeded()
-
-    - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
-      - template: eng/common/templates-official/post-build/post-build.yml@self
-        parameters:
-          publishingInfraVersion: 3
-          # Symbol validation isn't being very reliable lately. This should be enabled back
-          # once this issue is resolved: https://github.com/dotnet/arcade/issues/2871
-          enableSymbolValidation: false
-          # Sourcelink validation isn't passing for Arcade due to some regressions. This should be
-          # enabled back once this issue is resolved: https://github.com/dotnet/arcade/issues/2912
-          enableSourceLinkValidation: false
-          publishDependsOn:
-          - Validate
-          # This is to enable SDL runs part of Post-Build Validation Stage
-          SDLValidationParameters:
-            enable: true
-            continueOnError: false
-            params: ' -SourceToolsList @("policheck","credscan")
-            -ArtifactToolsList @("binskim")
-            -BinskimAdditionalRunConfigParams @("IgnorePdbLoadError < True","Recurse < True")
-            -TsaInstanceURL $(_TsaInstanceURL)
-            -TsaProjectName $(_TsaProjectName)
-            -TsaNotificationEmail $(_TsaNotificationEmail)
-            -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
-            -TsaBugAreaPath $(_TsaBugAreaPath)
-            -TsaIterationPath $(_TsaIterationPath)
-            -TsaRepositoryName $(_TsaRepsitoryName)
-            -TsaCodebaseName $(_TsaCodebaseName)
-            -TsaPublish $True'
-