microsoft · wsugarman · Feb 26, 2021 · Feb 22, 2021 · Feb 23, 2021 · Feb 23, 2021
@@ -0,0 +1,13 @@
+{
+    "tool": "Credential Scanner",
+    "suppressions": [
+        {
+            "placeholder": "d8147077-d907-4551-8f40-90c6e86f3f0e",
+            "_justification": "This is an example value and does not represent a real credential."
+        },
+        {
+            "placeholder": "globalAdminServicePrincipal",
+            "_justification": "Service principal for local testing."
+        }
+    ]
+}
@@ -47,6 +47,7 @@ stages:
     - template: build.yml
       parameters:
         packageArtifacts: false
+        securityAnalysis: false
 
 - stage: UpdateTestEnvironment
   displayName: 'Update Test Environment'
@@ -63,7 +64,7 @@ stages:
         downloadType: 'single'
         downloadPath: '$(System.ArtifactsDirectory)'
         artifactName: 'deploy'
-    - template: add-aad-test-environment.yml     
+    - template: add-aad-test-environment.yml
     - task: AzureRmWebAppDeployment@3
       displayName: 'Azure app service deployment'
       inputs:

@@ -16,10 +16,10 @@ stages:
     pool:
       vmImage: $(WindowsVmImage)
     steps:
-    - template: ./update-semver.yml  
+    - template: ./update-semver.yml
     - powershell: |
-        $buildNumber = "$(GitVersion.semVer)" -replace "\.", "" 
-        Write-Host "##vso[build.updatebuildnumber]$buildNumber" 
+        $buildNumber = "$(GitVersion.semVer)" -replace "\.", ""
+        Write-Host "##vso[build.updatebuildnumber]$buildNumber"
         Write-Host "Updated  build number to '$buildNumber"
       name: SetBuildVersion
 
@@ -47,6 +47,7 @@ stages:
     - template: build.yml
       parameters:
         packageArtifacts: false
+        securityAnalysis: false
 
 - stage: DeployTestEnvironment
   displayName: 'Deploy Test Environment'

@@ -0,0 +1,80 @@
+steps:
+- task: ComponentGovernanceComponentDetection@0
+  inputs:
+    scanType: 'Register'
+    verbosity: 'Verbose'
+    alertWarningLevel: 'High'
+    failOnAlert: true
+    ignoreDirectories: '$(Build.SourcesDirectory)\samples\Azurite'
+
+- task: AntiMalware@4
+  inputs:
+    InputType: 'Basic'
+    ScanType: 'CustomScan'
+    FileDirPath: '$(Build.SourcesDirectory)'
+    EnableServices: true
+    TreatSignatureUpdateFailureAs: 'Standard'
+    SignatureFreshness: 'OneDay'
+    TreatStaleSignatureAs: 'Error'
+
+- task: Armory@2
+  inputs:
+    targetDirectory: '$(Build.SourcesDirectory)\samples\templates'
+    targetFiles: 'f|*.json'
+    excludePassesFromLog: false
+
+- task: BinSkim@4
+  inputs:
+    InputType: 'Basic'
+    Function: 'analyze'
+    AnalyzeTargetGlob: '+:file|$(Build.SourcesDirectory)\**\bin\**\Microsoft.Health.Dicom*.dll;+:file|$(Build.SourcesDirectory)\**\bin\**\Microsoft.Health.Dicom*.exe'
+    AnalyzeVerbose: true
+
+- task: CredScan@3
+  inputs:
+    scanFolder: '$(Build.SourcesDirectory)'
+    outputFormat: 'sarif'
+    suppressionsFile: 'CredScanSuppressions.json'
+    verboseOutput: true
+
+- task: SdtReport@2
+  inputs:
+    GdnExportAllTools: false
+    GdnExportGdnToolArmory: true
+    GdnExportGdnToolBinSkim: true
+    GdnExportGdnToolCredScan: true
+
+- task: PublishSecurityAnalysisLogs@3
+  inputs:
+    ArtifactName: 'CodeAnalysisLogs'
+    ArtifactType: 'Container'
+    AllTools: false
+    AntiMalware: true
+    APIScan: false
+    Armory: true
+    Bandit: false
+    BinSkim: true
+    CodesignValidation: false
+    CredScan: true
+    CSRF: false
+    ESLint: false
+    Flawfinder: false
+    FortifySCA: false
+    FxCop: false
+    ModernCop: false
+    MSRD: false
+    PoliCheck: false
+    RoslynAnalyzers: false
+    SDLNativeRules: false
+    Semmle: false
+    SpotBugs: false
+    TSLint: false
+    WebScout: false
+    ToolLogsNotFoundAction: 'Error'
+
+- task: PostAnalysis@2
+  inputs:
+    GdnBreakAllTools: false
+    GdnBreakGdnToolArmory: true
+    GdnBreakGdnToolBinSkim: true
+    GdnBreakGdnToolCredScan: true
@@ -1,12 +1,13 @@
 parameters:
   packageArtifacts: true
+  analyzeSecurity: true
 
 steps:
   - task: UseDotNet@2
     displayName: 'Use .NET Core sdk (for sql generation)'
     inputs:
       version: '3.1.401'
-      
+
   - task: UseDotNet@2
     displayName: 'Use .NET Core sdk'
     inputs:
@@ -17,14 +18,17 @@ steps:
     inputs:
       command: 'build'
       projects: '**/*.csproj'
-      arguments: '--configuration $(buildConfiguration) -p:AssemblyVersion="$(assemblySemVer)" -p:FileVersion="$(assemblySemFileVer)" -p:InformationalVersion="$(informationalVersion)" -p:ContinuousIntegrationBuild=true'
+      arguments: '-c $(buildConfiguration) -p:AssemblyVersion="$(assemblySemVer)" -p:FileVersion="$(assemblySemFileVer)" -p:InformationalVersion="$(informationalVersion)" -p:ContinuousIntegrationBuild=true'
 
   - task: DotNetCoreCLI@2
     displayName: 'dotnet test UnitTests'
     inputs:
       command: test
       projects: '**/*UnitTests/*.csproj'
-      arguments: '--configuration $(buildConfiguration) --no-build'
+      arguments: '-c $(buildConfiguration) --no-build'
 
   - ${{ if eq(parameters.packageArtifacts, 'true') }}:
     - template: package.yml
+
+  - ${{ if eq(parameters.analyzeSecurity, 'true') }}:
+    - template: analyze.yml
@@ -26,11 +26,11 @@ steps:
     inputs:
       command: pack
       configuration: '$(buildConfiguration)'
+      packagesToPack: '**/*.csproj;!test/**/*.csproj;!**/*.UnitTests.csproj'
       packDirectory: '$(build.artifactStagingDirectory)/nupkgs'
       versioningScheme: byEnvVar
       versionEnvVar: 'nuget_version'
       nobuild: true
-      zipAfterPublish: true
     env:
       nuget_version: $(nuGetVersion)