Merge pull request #2555 from MiYanni/AddBinskim

Author: MiYanni

.config/tsaoptions.json

@@ -0,0 +1,11 @@
+{
+    "instanceUrl": "https://devdiv.visualstudio.com/",
+    "template": "TFSDEVDIV",
+    "projectName": "DEVDIV",
+    "areaPath": "DevDiv\\NET Libraries",
+    "iterationPath": "DevDiv",
+    "notificationAliases": [ "[email protected]" ],
+    "repositoryName":"command-line-api",
+    "codebaseName": "command-line-api",
+    "serviceTreeId": "7a9b52f6-7805-416c-9390-343168c0cdb3"
+}

.vsts-ci-official.yml

@@ -5,13 +5,20 @@ variables:
     value: .NETCore
   - name: Codeql.Enabled
     value: true
+  # CodeQL3000 needs this plumbed along as a variable to enable TSA.
+  - name: Codeql.TSAEnabled
+    value: true
+  - name: Codeql.TSAOptionsPath
+    value: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
 
 # CI and PR triggers
 trigger:
   batch: true
   branches:
     include:
     - main
+    - internal/release/*
+    - validation/*
 
 pr:
   autoCancel: false
@@ -35,6 +42,11 @@ extends:
       os: windows
     customBuildTags:
     - ES365AIMigrationTooling
+    sdl:
+      policheck:
+        enabled: true
+      tsa:
+        enabled: true
     stages:
     - stage: build
       displayName: Build and Test
@@ -91,8 +103,10 @@ extends:
                   ${{ if notin(variables['Build.Reason'], 'PullRequest') }}:
                     _SignType: real
                     _BuildArgs: $(_OfficialBuildArgs)
-
             templateContext:
+              sdl:
+                binskim:
+                  analyzeTargetGlob: +:f|artifacts\bin\**\*.dll;+:f|artifacts\bin\**\*.exe;-:f|artifacts\bin\**\xunit*.dll;-:f|artifacts\bin\**\verify*.dll;
               outputs:
               - output: pipelineArtifact
                 displayName: Upload package artifacts
@@ -104,7 +118,10 @@ extends:
                 condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
                 targetPath: '$(Build.SourcesDirectory)\artifacts\SymStore\$(_BuildConfig)'
                 artifactName: 'NativeSymbols'
-
+            # WORKAROUND: BinSkim requires the folder exist prior to scanning.
+            preSteps:
+            - powershell: New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/artifacts/bin -Force
+              displayName: Create artifacts/bin directory
             steps:
             - checkout: self
               clean: true