diff --git a/CredScanSuppressions.json b/CredScanSuppressions.json
new file mode 100644
index 0000000000..64c64019b2
--- /dev/null
+++ b/CredScanSuppressions.json
@@ -0,0 +1,13 @@
+{
+ "tool": "Credential Scanner",
+ "suppressions": [
+ {
+ "placeholder": "d8147077-d907-4551-8f40-90c6e86f3f0e",
+ "_justification": "This is an example value and does not represent a real credential."
+ },
+ {
+ "placeholder": "globalAdminServicePrincipal",
+ "_justification": "Service principal for local testing."
+ }
+ ]
+}
diff --git a/build/.vsts-ci.yml b/build/.vsts-ci.yml
index 3ded23d17d..afc2342fd8 100644
--- a/build/.vsts-ci.yml
+++ b/build/.vsts-ci.yml
@@ -47,6 +47,7 @@ stages:
 - template: build.yml
 parameters:
 packageArtifacts: false
+ securityAnalysis: false
 
 - stage: UpdateTestEnvironment
 displayName: 'Update Test Environment'
@@ -63,7 +64,7 @@ stages:
 downloadType: 'single'
 downloadPath: '$(System.ArtifactsDirectory)'
 artifactName: 'deploy'
- - template: add-aad-test-environment.yml
+ - template: add-aad-test-environment.yml
 - task: AzureRmWebAppDeployment@3
 displayName: 'Azure app service deployment'
 inputs:
diff --git a/build/.vsts-pr.yml b/build/.vsts-pr.yml
index 2b6903ad62..9dfa5284b0 100644
--- a/build/.vsts-pr.yml
+++ b/build/.vsts-pr.yml
@@ -16,10 +16,10 @@ stages:
 pool:
 vmImage: $(WindowsVmImage)
 steps:
- - template: ./update-semver.yml
+ - template: ./update-semver.yml
 - powershell: |
- $buildNumber = "$(GitVersion.semVer)" -replace "\.", ""
- Write-Host "##vso[build.updatebuildnumber]$buildNumber"
+ $buildNumber = "$(GitVersion.semVer)" -replace "\.", ""
+ Write-Host "##vso[build.updatebuildnumber]$buildNumber"
 Write-Host "Updated build number to '$buildNumber"
 name: SetBuildVersion
 
@@ -47,6 +47,7 @@ stages:
 - template: build.yml
 parameters:
 packageArtifacts: false
+ securityAnalysis: false
 
 - stage: DeployTestEnvironment
 displayName: 'Deploy Test Environment'
diff --git a/build/analyze.yml b/build/analyze.yml
new file mode 100644
index 0000000000..1fced75dfe
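Review bot: The second suppression's justification, `Service principal for local testing.`, says what the value is used for but not why it is safe to ignore, and as I read CredScan's suppression format a `placeholder` entry matches that string wherever it occurs in the scanned tree, not just in the fixture it is meant for. State the reason explicitly, e.g. `"_justification": "Display name of a test-only service principal; not a secret."`, following the wording of the first entry. If the file-scoped suppression form fits, scope the GUID entry to the sample file it appears in so that a real credential committed elsewhere under the same token is not masked.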
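Review bot: The parameter passed here, `securityAnalysis: false`, does not match the parameter build.yml declares in this same commit, `analyzeSecurity: true`, which is what `${{ if eq(parameters.analyzeSecurity, 'true') }}` reads; the pipeline will either reject the unexpected template parameter or silently keep the default, so analyze.yml runs in this pipeline although the intent is to skip it. Change the line to `analyzeSecurity: false` (or rename the parameter in build.yml). The same mismatch is in the second hunk of build/.vsts-pr.yml. Since both visible callers pass false, it is worth confirming which pipeline is meant to run the analysis at all.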
--- /dev/null
+++ b/build/analyze.yml
@@ -0,0 +1,80 @@
+steps:
+- task: ComponentGovernanceComponentDetection@0
+ inputs:
+ scanType: 'Register'
+ verbosity: 'Verbose'
+ alertWarningLevel: 'High'
+ failOnAlert: true
+ ignoreDirectories: '$(Build.SourcesDirectory)\samples\Azurite'
+
+- task: AntiMalware@4
+ inputs:
+ InputType: 'Basic'
+ ScanType: 'CustomScan'
+ FileDirPath: '$(Build.SourcesDirectory)'
+ EnableServices: true
+ TreatSignatureUpdateFailureAs: 'Standard'
+ SignatureFreshness: 'OneDay'
+ TreatStaleSignatureAs: 'Error'
+
+- task: Armory@2
+ inputs:
+ targetDirectory: '$(Build.SourcesDirectory)\samples\templates'
+ targetFiles: 'f|*.json'
+ excludePassesFromLog: false
+
+- task: BinSkim@4
+ inputs:
+ InputType: 'Basic'
+ Function: 'analyze'
+ AnalyzeTargetGlob: '+:file|$(Build.SourcesDirectory)\**\bin\**\Microsoft.Health.Dicom*.dll;+:file|$(Build.SourcesDirectory)\**\bin\**\Microsoft.Health.Dicom*.exe'
+ AnalyzeVerbose: true
+
+- task: CredScan@3
+ inputs:
+ scanFolder: '$(Build.SourcesDirectory)'
+ outputFormat: 'sarif'
+ suppressionsFile: 'CredScanSuppressions.json'
+ verboseOutput: true
+
+- task: SdtReport@2
+ inputs:
+ GdnExportAllTools: false
+ GdnExportGdnToolArmory: true
+ GdnExportGdnToolBinSkim: true
+ GdnExportGdnToolCredScan: true
+
+- task: PublishSecurityAnalysisLogs@3
+ inputs:
+ ArtifactName: 'CodeAnalysisLogs'
+ ArtifactType: 'Container'
+ AllTools: false
+ AntiMalware: true
+ APIScan: false
+ Armory: true
+ Bandit: false
+ BinSkim: true
+ CodesignValidation: false
+ CredScan: true
+ CSRF: false
+ ESLint: false
+ Flawfinder: false
+ FortifySCA: false
+ FxCop: false
+ ModernCop: false
+ MSRD: false
+ PoliCheck: false
+ RoslynAnalyzers: false
+ SDLNativeRules: false
+ Semmle: false
+ SpotBugs: false
+ TSLint: false
+ WebScout: false
+ ToolLogsNotFoundAction: 'Error'
+
+- task: PostAnalysis@2
+ inputs:
+ GdnBreakAllTools: false
+ GdnBreakGdnToolArmory: true
+ GdnBreakGdnToolBinSkim: true
+ GdnBreakGdnToolCredScan: true
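Review bot: None of the seven steps carries a `displayName`, while the build.yml steps they are appended to do (`displayName: 'Use .NET Core sdk'`), so the job log shows only task ids such as `CredScan@3`; add one per step, e.g. `displayName: 'Scan sources for credentials'` under `- task: CredScan@3`. `suppressionsFile: 'CredScanSuppressions.json'` is a bare relative path; if the task resolves it against the working directory rather than `scanFolder`, `'$(Build.SourcesDirectory)/CredScanSuppressions.json'` is the safer form. A short header comment explaining why `ignoreDirectories` skips `samples\Azurite` and why Armory only targets `samples\templates` would help whoever next changes the scan scope. Note that `PostAnalysis@2` breaks the job only on Armory, BinSkim and CredScan findings, so the ComponentGovernance and AntiMalware outcomes rely on those tasks' own failure settings (`failOnAlert`, `TreatStaleSignatureAs`).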
diff --git a/build/build.yml b/build/build.yml
index 40648bd06b..c69090bb18 100644
--- a/build/build.yml
+++ b/build/build.yml
@@ -1,12 +1,13 @@
 parameters:
 packageArtifacts: true
+ analyzeSecurity: true
 
 steps:
 - task: UseDotNet@2
 displayName: 'Use .NET Core sdk (for sql generation)'
 inputs:
 version: '3.1.401'
-
+
 - task: UseDotNet@2
 displayName: 'Use .NET Core sdk'
 inputs:
@@ -28,3 +29,6 @@ steps:
 
 - ${{ if eq(parameters.packageArtifacts, 'true') }}:
 - template: package.yml
+
+ - ${{ if eq(parameters.analyzeSecurity, 'true') }}:
+ - template: analyze.yml
diff --git a/build/package.yml b/build/package.yml
index ccee084754..31b32b7fc6 100644
--- a/build/package.yml
+++ b/build/package.yml
@@ -26,11 +26,11 @@ steps:
 inputs:
 command: pack
 configuration: '$(buildConfiguration)'
+ packagesToPack: '**/*.csproj;!test/**/*.csproj;!**/*.UnitTests.csproj'
 packDirectory: '$(build.artifactStagingDirectory)/nupkgs'
 versioningScheme: byEnvVar
 versionEnvVar: 'nuget_version'
 nobuild: true
- zipAfterPublish: true
 env:
 nuget_version: $(nuGetVersion)
 
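Review bot: `analyzeSecurity: true` is added to the parameters without any comment, and its default means every consumer of this template runs the full analyze.yml tool chain unless it explicitly opts out, which is worth stating next to the declaration. Suggested comment above the line: `# analyzeSecurity: when 'true' (the default), build.yml appends the security/compliance steps from analyze.yml after the build; callers pass false to skip them.` The conditional in the second hunk mirrors the existing packageArtifacts one, so the style is consistent.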
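Review bot: The new `packagesToPack` exclusion catches projects under `test/` and any `*.UnitTests.csproj`, but a test project kept elsewhere or using a different suffix would still be packed and published as a NuGet package; it is worth checking the repository layout before relying on this pattern. A one-line comment on why these two exclusions were chosen, e.g. `# exclude test projects so they are not shipped as packages`, would document the intent. Dropping `zipAfterPublish` looks right, since as far as I can tell it is a publish-command option and this step runs `pack`.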