Update release build with compliance tasks (#1260)

Author: daxian-dbw

.vsts-ci/releaseBuild.yml

@@ -19,6 +19,9 @@ jobs:
 - job: build_windows
   pool: Package ES Lab A
 
+  # APIScan can take a long time
+  timeoutInMinutes: 200
+
   steps:
 
   - checkout: self
@@ -41,6 +44,14 @@ jobs:
   - pwsh: |
       $(Build.SourcesDirectory)\build.ps1 -Bootstrap
       $(Build.SourcesDirectory)\build.ps1 -Configuration Release -Framework net461
+      # Get module version
+      $psd1Data = Import-PowerShellDataFile -Path $(Build.SourcesDirectory)\bin\Release\PSReadLine\PSReadLine.psd1
+      $moduleVersion = $psd1Data.ModuleVersion
+      $prerelease = $psd1Data.PrivateData.PSData.Prerelease
+      if ($prerelease) { $moduleVersion = "$moduleVersion-$prerelease" }
+      $vstsCommandString = "vso[task.setvariable variable=ModuleVersion]$moduleVersion"
+      Write-Host "sending " + $vstsCommandString
+      Write-Host "##$vstsCommandString"
       # Set target folder paths
       $vstsCommandString = "vso[task.setvariable variable=PSReadLine]$(Build.SourcesDirectory)\bin\Release\PSReadLine"
       Write-Host "sending " + $vstsCommandString
@@ -124,3 +135,8 @@ jobs:
       Get-ChildItem -Path $(PSReadLine)
       Write-Host "##vso[artifact.upload containerfolder=PSReadLine;artifactname=PSReadLine]$(PSReadLine)"
     displayName: 'Upload module artifacts'
+
+  - template: templates/compliance.yml
+    parameters:
+      configuration: Release
+      framework: net461

.vsts-ci/templates/compliance.yml

@@ -0,0 +1,82 @@
+parameters:
+  configuration: ""
+  framework: ""
+
+steps:
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+  displayName: 'Run Defender Scan'
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
+  displayName: 'Run CredScan'
+  inputs:
+    debugMode: false
+  continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
+  displayName: 'Run BinSkim '
+  inputs:
+    InputType: Basic
+    AnalyzeTarget: '$(Build.SourcesDirectory)\bin\${{ parameters.configuration }}\PSReadLine\*.dll'
+    AnalyzeSymPath: 'SRV*'
+    AnalyzeVerbose: true
+    AnalyzeHashes: true
+    AnalyzeStatistics: true
+  continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
+  displayName: 'Run PoliCheck'
+  inputs:
+    targetType: F
+    optionsFC: 0
+    optionsXS: 0
+    optionsPE: '1|2|3|4'
+    optionsHMENABLE: 0
+#      optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Terms-Rules.mdb'
+#      optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml'
+    toolVersion: 5.8.2.1
+  continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@1
+  displayName: 'Run APIScan'
+  inputs:
+    softwareFolder: '$(Build.SourcesDirectory)'
+    softwareName: PSReadLine
+    softwareVersionNum: '$(ModuleVersion)'
+    isLargeApp: false
+    preserveTempFiles: true
+  continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
+  displayName: 'Publish Security Analysis Logs to Build Artifacts'
+  continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
+  displayName: 'TSA upload to Codebase: PSReadLine_201912 Stamp: Azure'
+  inputs:
+    tsaStamp: Azure
+    codeBaseName: PSReadLine_201912
+    tsaVersion: TsaV2
+    uploadFortifySCA: false
+    uploadFxCop: false
+    uploadModernCop: false
+    uploadPREfast: false
+    uploadRoslyn: false
+    uploadTSLint: false
+    uploadAPIScan: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
+  displayName: 'Create Security Analysis Report'
+  inputs:
+    TsvFile: false
+    APIScan: true
+    BinSkim: true
+    CredScan: true
+    PoliCheck: true
+    PoliCheckBreakOn: Severity2Above
+
+- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+  displayName: 'Component Detection'
+  inputs:
+    sourceScanPath: '$(Build.SourcesDirectory)'
+    snapshotForceEnabled: true