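# Pipeline-level settings: when the pipeline runs, where it runs, and which
# shared variables it loads.

# CI (push) triggers are disabled. Runs start from the PR filter below or from
# whatever is configured outside this file.
trigger: none

# PR validation is limited to pull requests that target main AND touch this
# pipeline definition, so edits to the compliance pipeline are exercised
# before they merge.
pr:
  branches:
    include:
      - main
  paths:
    include:
      - eng/pipelines/aggregate-reports.yml

# Named agent pool and image used by every job that does not override it.
pool:
  name: azsdk-pool-mms-win-2022-general
  vmImage: MMS2022

# Shared variable definitions are pulled in from a template in this repo.
variables:
  - template: ./templates/variables/globals.yml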
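# Two stages: dependency/link validation with report upload, and the
# compliance scanners (CredScan, PoliCheck).
stages:
  - stage: ValidateDependencies
    displayName: Validate Dependencies
    jobs:
      - job: ValidateDependencies
        timeoutInMinutes: 120
        steps:
          # Dependency analysis over the whole checkout.
          - template: /eng/pipelines/templates/steps/analyze_dependency.yml
            parameters:
              ScanPath: $(Build.SourcesDirectory)

          # Both uploads write to the azuresdkartifacts storage account and
          # are gated on System.TeamProject == 'internal', so runs in any
          # other project never reach the write path. They run even when an
          # earlier step failed (succeededOrFailed).
          # NOTE(review): the 'Azure SDK Artifacts' service connection needs
          # write access only to this container; confirm it is not scoped
          # wider than that.
          - task: AzureFileCopy@4
            displayName: 'Upload Dependency Report'
            condition: and(succeededOrFailed(), eq(variables['System.TeamProject'], 'internal'))
            inputs:
              sourcePath: '$(Build.ArtifactStagingDirectory)/reports/*'
              azureSubscription: 'Azure SDK Artifacts'
              destination: AzureBlob
              storage: azuresdkartifacts
              containerName: 'azure-sdk-for-python'
              blobPrefix: dependencies
              # Everything except files matching *data.js* goes here.
              AdditionalArgumentsForBlobCopy: '--exclude-pattern=*data.js*'

          # Same source directory as above; only files matching *data.js*
          # are copied, under a separate prefix.
          - task: AzureFileCopy@4
            displayName: 'Upload Dependency Graph'
            condition: and(succeededOrFailed(), eq(variables['System.TeamProject'], 'internal'))
            inputs:
              sourcePath: '$(Build.ArtifactStagingDirectory)/reports/*'
              azureSubscription: 'Azure SDK Artifacts'
              destination: AzureBlob
              storage: azuresdkartifacts
              containerName: 'azure-sdk-for-python'
              blobPrefix: dependencies/dependencyGraph
              AdditionalArgumentsForBlobCopy: '--include-pattern=*data.js*'

          # Runs the shared Verify-Resource-Ref.ps1 script from the repo root.
          # NOTE(review): presumably checks that pipeline repository resources
          # are pinned to an expected ref; confirm against the script.
          - task: PowerShell@2
            displayName: "Verify Repository Resource Refs"
            inputs:
              pwsh: true
              workingDirectory: $(Build.SourcesDirectory)
              filePath: eng/common/scripts/Verify-Resource-Ref.ps1

          # Link verification; the template receives its own Condition
          # parameter, so it also runs after an earlier failure.
          # NOTE(review): CheckLinkGuidance is passed as the text '$true',
          # presumably consumed as a PowerShell literal inside the template.
          - template: ../common/pipelines/templates/steps/verify-links.yml
            parameters:
              Directory: ""
              CheckLinkGuidance: $true
              Condition: succeededOrFailed()

  - stage: ComplianceTools
    displayName: Compliance Tools
    # Empty dependsOn: this stage does not wait for ValidateDependencies.
    dependsOn: []
    jobs:
      - job: ComplianceTools
        timeoutInMinutes: 120
        steps:
          # Credential scanning with a baseline file from the repo.
          # NOTE(review): entries in a baseline silence findings, so changes
          # to python.gdnbaselines deserve the same review as code.
          - template: /eng/common/pipelines/templates/steps/credscan.yml
            parameters:
              BaselineFilePath: $(Build.SourcesDirectory)\eng\python.gdnbaselines

          # Downloads the PoliCheck exclusion database. The SAS is expanded
          # into the script text before PowerShell runs, so it becomes part
          # of the azcopy command line; the trailing backtick is a PowerShell
          # line continuation.
          # NOTE(review): azuresdk-policheck-blob-SAS is presumably a secret
          # variable defined outside this file; it should be read-only,
          # limited to this blob, and short-lived. The downloaded database
          # decides what PoliCheck ignores, so write access to that blob
          # controls the scan result.
          - pwsh: |
              azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/PythonPoliCheckExclusion.mdb?$(azuresdk-policheck-blob-SAS)" `
                "$(Build.BinariesDirectory)"
            displayName: 'Download PoliCheck Exclusion Database'
            condition: succeededOrFailed()

          # PoliCheck over the whole checkout, using the downloaded rules
          # database and the in-repo exclusions file; results go to SARIF.
          - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
            displayName: 'Run PoliCheck'
            inputs:
              targetType: F
              targetArgument: '$(Build.SourcesDirectory)'
              result: PoliCheck.sarif
              optionsFC: 0
              optionsXS: 1
              # Quoted so the pipes read as part of the value.
              optionsPE: '1|2|3|4'
              optionsRulesDBPath: "$(Build.BinariesDirectory)/PythonPoliCheckExclusion.mdb"
              optionsUEPATH: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
            condition: succeededOrFailed()

          # Breaks on PoliCheck findings at Warning severity, but
          # continueOnError turns that break into a non-blocking result, so
          # the gate reports rather than enforces.
          # NOTE(review): confirm that advisory-only is the intended policy.
          - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
            displayName: 'Post Analysis (PoliCheck)'
            inputs:
              GdnBreakAllTools: false
              GdnBreakGdnToolPoliCheck: true
              GdnBreakGdnToolPoliCheckSeverity: Warning
            condition: succeededOrFailed()
            continueOnError: true

          # Publishes the scanner logs even after failures; a publish error
          # does not fail the job.
          - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
            displayName: 'Publish Security Analysis Logs'
            continueOnError: true
            condition: succeededOrFailed()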