mono · mattleibow · Mar 25, 2024 · Mar 22, 2024
diff --git a/scripts/azure-pipelines-complete-internal.yml b/scripts/azure-pipelines-complete-internal.yml
@@ -39,8 +39,12 @@ parameters:
         name: Azure Pipelines
         vmImage: ubuntu-20.04
         os: linux
+  - name: enableSigning
+    displayName: 'Enable package signing (Test signing)'
+    type: boolean
+    default: false
   - name: runCompliance
-    displayName: 'Run post-build compliance tasks (such as API Scan)'
+    displayName: 'Run post-build compliance tasks (such as API Scan and PoliCheck)'
     type: boolean
     default: false
   - name: use1ESPipelineTemplates
@@ -77,7 +81,27 @@ extends:
         parameters:
           buildPipelineType: 'both'
           buildExternals: ${{ parameters.buildExternals }}
-          runCompliance: ${{ parameters.runCompliance }}
+          enableSigning: ${{ parameters.enableSigning }}
+          ${{ if eq(parameters.runCompliance, 'true') }}:
+            sdl:
+              apiscan:
+                enabled: true
+              binskim:
+                break: false
+              codeInspector:
+                enabled: true
+              credscan:
+                suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json
+              policheck:
+                enabled: true
+                exclusionsFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml
+              spotBugs:
+                enabled: false
+              suppression:
+                suppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress
+              tsa:
+                enabled: true
+                configFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json
           use1ESPipelineTemplates: ${{ parameters.use1ESPipelineTemplates }}
           buildAgentHost: ${{ parameters.buildAgentHost }}
           buildAgentWindows: ${{ parameters.buildAgentWindows }}

diff --git a/scripts/azure-pipelines.yml b/scripts/azure-pipelines.yml
@@ -46,7 +46,7 @@ parameters:
         image: 1ESPT-Ubuntu20.04
         os: linux
   - name: runCompliance
-    displayName: 'Run post-build compliance tasks (such as API Scan)'
+    displayName: 'Run post-build compliance tasks (such as API Scan and PoliCheck)'
     type: boolean
     default: false
 
@@ -76,7 +76,30 @@ extends:
         parameters:
           buildPipelineType: 'build'
           buildExternals: ${{ parameters.buildExternals }}
-          runCompliance: ${{ parameters.runCompliance }}
+          ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(variables['System.PullRequest.IsFork'], 'true')) }}:
+            enableSigning: true
+            ${{ if or(parameters.runCompliance, and(eq(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')))) }}:
+              sdl:
+                apiscan:
+                  enabled: true
+                binskim:
+                  enabled: true
+                  break: false
+                codeInspector:
+                  enabled: true
+                credscan:
+                  enabled: true
+                  # suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json
+                policheck:
+                  enabled: true
+                  exclusionsFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml
+                spotBugs:
+                  enabled: false
+                suppression:
+                  suppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress
+                tsa:
+                  enabled: true
+                  configFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json
           use1ESPipelineTemplates: true
           buildAgentHost: ${{ parameters.buildAgentHost }}
           buildAgentWindows: ${{ parameters.buildAgentWindows }}

diff --git a/scripts/azure-templates-bootstrapper.yml b/scripts/azure-templates-bootstrapper.yml
@@ -35,6 +35,7 @@ parameters:
   skipInstall: false                            # whether or not to install any tools
   skipSteps: false                              # whether or not to run any steps
   use1ESPipelineTemplates: false                # whether or not we are building using the internal 1ES Pipeline Templates
+  sdl: []                                       # the SDL properties to use for this job
 
 jobs:
   - job: ${{ parameters.name }}
@@ -49,11 +50,7 @@ jobs:
       ${{ if ne(length(parameters.variables), 0) }}:
         ${{ parameters.variables }}
     templateContext:
-      sdl:
-        spotBugs:
-          enabled: false
-        binskim:
-          break: false
+      sdl: ${{ parameters.sdl }}
       outputParentDirectory: 'output'
       outputs:
         - ${{ if eq(parameters.shouldPublish, 'true') }}:

diff --git a/scripts/azure-templates-linux-matrix.yml b/scripts/azure-templates-linux-matrix.yml
@@ -3,6 +3,7 @@ parameters:
   buildPipelineType: 'both'                     # the type of build pipeline setup
   buildAgent: ''                                # the configuration for the build agent
   use1ESPipelineTemplates: false                # whether or not we are building using the internal 1ES Pipeline Templates
+  sdl: []                                       # the SDL properties to use for this job
   builds:
     - name: ''
       desc: ''
@@ -24,6 +25,7 @@ jobs:
         parameters:
           name: ${{ replace(replace(format('native_linux_{0}_{1}_{2}_{3}_linux', item.arch, item.variant, build.name, item.alt), '__', '_'), '__', '_') }}
           displayName: Linux ${{ replace(replace(replace(replace(replace(format('({0}|{1}|{2}|{3})', item.arch, item.variant, build.name, item.alt), '||', '|'), '||', '|'), '(|', '('), '|)', ')'), '|', ', ') }}
+          sdl: ${{ parameters.sdl }}
           buildExternals: ${{ parameters.buildExternals }}
           buildPipelineType: ${{ parameters.buildPipelineType }}
           buildAgent: ${{ parameters.buildAgent }}

diff --git a/scripts/azure-templates-merger.yml b/scripts/azure-templates-merger.yml
@@ -5,12 +5,14 @@ parameters:
   buildPipelineType: 'both'                     # the type of build pipeline setup
   requiredArtifacts: []                         # the artifacts that this build needs to download
   matrixArtifacts: []                           # the artifacts that this build needs to download
+  sdl: []                                       # the SDL properties to use for this job
 
 jobs:
   - template: /scripts/azure-templates-bootstrapper.yml@self
     parameters:
       name: ${{ parameters.name }}
       displayName: ${{ parameters.displayName }}
+      sdl: ${{ parameters.sdl }}
       buildPipelineType: ${{ parameters.buildPipelineType }}
       buildAgent: ${{ parameters.buildAgent }}
       skipInstall: true