[CI] Run external CredScan in Security tools pipeline (#26054)

YanaXu · web-flow · commit 64f9db258542 · 2024-09-10T15:12:17.000+08:00
* Run external CredScan in Security tools pipeline

* remove auth part from external CredScan
diff --git a/.azure-pipelines/security-tools.yml b/.azure-pipelines/security-tools.yml
@@ -52,6 +52,23 @@ jobs:
       outputFormat: sarif
       scanFolder: SecurityTmp
       suppressionsFile: tools/SecurityTools/CredScanSuppressions.json
+  - task: PowerShell@2
+    displayName: Run external CredScan
+    env:
+      GDN_CREDSCAN_OUTPUTTYPE: sarif
+      Scan_Folder: SecurityTmp
+      GDN_CREDSCAN_SUPPRESSIONSPATH: tools/SecurityTools/CredScanSuppressions.json
+      GDN_CREDSCAN_SUPPRESSASERROR: False
+    inputs:
+      targetType: inline
+      script: |
+        nuget.exe install Microsoft.Security.DevOps.Cli
+        $toolsPath = Join-Path ("Microsoft.Security.DevOps.Cli*" | Resolve-Path) tools
+        $env:Path = "$toolsPath;$env:Path"
+        $env:GDN_CREDSCAN_TARGETDIRECTORY = (Resolve-Path $env:Scan_Folder).Path
+        guardian init -f
+        guardian run -t CredScan
+
   - task: PowerShell@2
     displayName: Generate a response text file for BinSkim
     inputs:
