-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
Copy pathpolicheck.yml
42 lines (38 loc) · 1.66 KB
/
policheck.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
parameters:
ExclusionDataBaseFileName: ''
TargetDirectory: ''
PublishAnalysisLogs: false
ExclusionFilePath: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
steps:
- task: AzurePowerShell@5
displayName: 'Download Policheck Exclusion Database'
inputs:
azureSubscription: 'Azure SDK Artifacts'
ScriptType: 'InlineScript'
azurePowerShellVersion: LatestVersion
pwsh: true
Inline: |
azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/${{ parameters.ExclusionDataBaseFileName }}.mdb" "$(Build.BinariesDirectory)"
env:
AZCOPY_AUTO_LOGIN_TYPE: 'PSCRED'
- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
displayName: 'Run PoliCheck'
inputs:
targetType: F
targetArgument: "$(Build.SourcesDirectory)/${{ parameters.TargetDirectory }}"
result: PoliCheck.sarif
optionsFC: 0
optionsXS: 1
optionsPE: 1|2|3|4
optionsRulesDBPath: "$(Build.BinariesDirectory)/${{ parameters.ExclusionDataBaseFileName }}.mdb"
optionsUEPATH: ${{ parameters.ExclusionFilePath }}
- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
displayName: 'Post Analysis (PoliCheck)'
inputs:
GdnBreakAllTools: false
GdnBreakGdnToolPoliCheck: true
GdnBreakGdnToolPoliCheckSeverity: Warning
continueOnError: true
- ${{ if eq(parameters.PublishAnalysisLogs, 'true') }}:
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'