Use default credscan tool (#42431)

weshaggard · web-flow · commit b1b22a5acc67 · 2025-08-11T09:23:31.000-07:00
diff --git a/eng/pipelines/aggregate-reports.yml b/eng/pipelines/aggregate-reports.yml
@@ -99,14 +99,13 @@ stages:
     displayName: Compliance Tools
     dependsOn: []
 
+    variables:
+      Codeql.SkipTaskAutoInjection: false
+
     jobs:
       - job: ComplianceTools
         timeoutInMinutes: 120
         steps:
-          - template: /eng/common/pipelines/templates/steps/credscan.yml
-            parameters:
-              BaselineFilePath: $(Build.SourcesDirectory)\eng\python.gdnbaselines
-
           - template: /eng/common/pipelines/templates/steps/policheck.yml
             parameters:
               PublishAnalysisLogs: false
diff --git a/eng/pipelines/templates/jobs/ci.yml b/eng/pipelines/templates/jobs/ci.yml
@@ -71,6 +71,17 @@ jobs:
       image: $(LINUXVMIMAGE)
       os: linux
 
+    # Only run CG and codeql on internal build job
+    ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+      templateContext:
+        sdl:
+          componentgovernance:
+            enabled: true
+          codeql:
+            binaryLanguages: python # Need to specify the language because we clone after the codeql initialize step
+            compiled:
+              enabled: true
+
     steps:
     - template: /eng/pipelines/templates/steps/build-package-artifacts.yml
       parameters:
diff --git a/eng/pipelines/templates/stages/1es-redirect.yml b/eng/pipelines/templates/stages/1es-redirect.yml
@@ -53,11 +53,12 @@ extends:
       codeql:
         compiled:
           enabled: false
-          justificationForDisabling: "CodeQL times our pipelines out by running for 2+ hours before being force canceled."
+          justificationForDisabling: "To reduce redundant CG runs across all our pipeline jobs we are disabling and only running in our main build job."
+      componentgovernance:
+        enabled: false
+        justificationForDisabling: "To reduce redundant CG runs across all our pipeline jobs we are disabling and only running in our main build job."
       credscan:
         suppressionsFile: '$(Build.SourcesDirectory)/eng/CredScanSuppression.json'
-        toolVersion: '2.3.12.23'
-        baselineFiles: $(Build.SourcesDirectory)/eng/python.gdnbaselines
       psscriptanalyzer:
         compiled: true
         break: true
diff --git a/eng/python.gdnbaselines b/eng/python.gdnbaselines
