From dda9eb96160ea95baf4c98aa0a3a33211f5a8513 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 11:44:13 -0700
Subject: [PATCH 1/8] Add credscan to CI
---
.vsts-ci/misc-analysis.yml | 18 +++++++++---------
.vsts-ci/templates/credscan.yml | 19 +++++++++++++++++++
2 files changed, 28 insertions(+), 9 deletions(-)
create mode 100644 .vsts-ci/templates/credscan.yml
diff --git a/.vsts-ci/misc-analysis.yml b/.vsts-ci/misc-analysis.yml
index 1f9859568bb..2329c04da5a 100644
--- a/.vsts-ci/misc-analysis.yml
+++ b/.vsts-ci/misc-analysis.yml
@@ -6,26 +6,26 @@ trigger:
include:
- master
- release*
- paths:
- exclude:
- - /src/*
pr:
branches:
include:
- master
- release*
- paths:
- exclude:
- - /src/*
resources:
- repo: self
clean: true
-phases:
-- phase: Linux_CI
+jobs:
+- template: templates/install-ps-phase.yml
+ parameters:
+ scriptName: ./tools/install-powershell.sh
+ jobName: InstallPowerShellCentOS
+ pool: Hosted Ubuntu 1604
+ container: mcr.microsoft.com/powershell:centos-7
+- jobs: Linux_CI
- queue:
+ pool:
name: Hosted Ubuntu 1604
steps:
- powershell: |
diff --git a/.vsts-ci/templates/credscan.yml b/.vsts-ci/templates/credscan.yml
new file mode 100644
index 00000000000..d63dcef12a9
--- /dev/null
+++ b/.vsts-ci/templates/credscan.yml
@@ -0,0 +1,19 @@
+parameters:
+ pool: 'Hosted VS2017'
+ jobName: 'credscan'
+ displayName: Secret Scan
+
+jobs:
+- job: ${{ parameters.jobName }}
+ pool:
+ name: ${{ parameters.pool }}
+
+ displayName: ${{ parameters.displayName }}
+
+ steps:
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
+ displayName: 'Scan for secrets'
+ inputs:
+ suppressionsFile: tools/credScan/suppress.json
+ debugMode: false
+
From 4da2790f6c335a18fd10a9dbe0ffa85a1db0bef8 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 11:55:07 -0700
Subject: [PATCH 2/8] fix yaml
---
.vsts-ci/misc-analysis.yml | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
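Review bot: Dropping the `paths: exclude: - /src/*` filter under both `trigger` and `pr` is what lets the secret scan added in this series see changes under /src/, but nothing in the file says so, and a future tidy-up that reinstates the exclusion would silently blind the scanner on exactly the files that matter. Record the intent next to the trigger, e.g. `# No path exclusions: the credscan job must run on every change, including /src/`. The removal also means the rest of this pipeline now runs for source-only changes; that looks accepted, but is worth a sentence in the PR description.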
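Review bot: `suppressionsFile: tools/credScan/suppress.json` points at a file that no patch in this series creates, so confirm it already exists on the branch; otherwise the task is being configured against a missing allow-list. Every entry in that file hides a finding from the gate, so it deserves a comment on the line above it, e.g. `# Each suppression is an allow-list entry; changes to suppress.json need a security reviewer`. The `pool` default of `'Hosted VS2017'` is presumably what the CredScan task requires, which would be why this job is kept apart from the Ubuntu job in misc-analysis.yml; a one-line comment on that parameter would stop someone consolidating it onto the Linux pool later.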
diff --git a/.vsts-ci/misc-analysis.yml b/.vsts-ci/misc-analysis.yml
index 2329c04da5a..36a3a38b3af 100644
--- a/.vsts-ci/misc-analysis.yml
+++ b/.vsts-ci/misc-analysis.yml
@@ -17,13 +17,9 @@ resources:
- repo: self
clean: true
jobs:
-- template: templates/install-ps-phase.yml
- parameters:
- scriptName: ./tools/install-powershell.sh
- jobName: InstallPowerShellCentOS
- pool: Hosted Ubuntu 1604
- container: mcr.microsoft.com/powershell:centos-7
-- jobs: Linux_CI
+- template: templates/credscan.yml
+
+- job: Linux_CI
pool:
name: Hosted Ubuntu 1604
From a2cd1e3733c6e7b0766c7bad6f4b90911441ae98 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 11:59:12 -0700
Subject: [PATCH 3/8] Fix job display name
---
.vsts-ci/misc-analysis.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.vsts-ci/misc-analysis.yml b/.vsts-ci/misc-analysis.yml
index 36a3a38b3af..4cf34cf7487 100644
--- a/.vsts-ci/misc-analysis.yml
+++ b/.vsts-ci/misc-analysis.yml
@@ -21,6 +21,8 @@ jobs:
- job: Linux_CI
+ displayName: Markdown and Common Tests
+
pool:
name: Hosted Ubuntu 1604
steps:
From c34636cd698ee2dadc8ab65b169e287e9f073997 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 12:01:05 -0700
Subject: [PATCH 4/8] upload logs
---
.vsts-ci/templates/credscan.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.vsts-ci/templates/credscan.yml b/.vsts-ci/templates/credscan.yml
index d63dcef12a9..a1930a7c593 100644
--- a/.vsts-ci/templates/credscan.yml
+++ b/.vsts-ci/templates/credscan.yml
@@ -17,3 +17,6 @@ jobs:
suppressionsFile: tools/credScan/suppress.json
debugMode: false
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
+ displayName: 'Publish Security Analysis Logs to Build Artifacts'
+ continueOnError: true
From 165e421ef4784d60b5e85101fc88bd6089b289c9 Mon Sep 17 00:00:00 2001
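Review bot: The new PublishSecurityAnalysisLogs step runs under the default step condition, so when the CredScan task itself errors, which is exactly when the log is needed to diagnose, the upload is skipped; add `condition: succeededOrFailed()` to the task so the log is published whether or not the scan step passed, and keep `continueOnError: true` so an upload problem cannot mask the scan outcome. Separately, the published log can contain the matched secret text and its location, so if this project's build artifacts are readable by more than the maintainers, a real finding is exposed to them the moment it is scanned; a comment such as `# Logs may include matched secret text; anyone who can read artifacts can read it` keeps that in view. The enclosing `steps:` list starts outside this hunk.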
From: Travis Plunk
Date: Fri, 29 Mar 2019 12:14:28 -0700
Subject: [PATCH 5/8] Add fake secret to verify
---
build.psm1 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/build.psm1 b/build.psm1
index c61750c9ec6..f19f8e217a5 100644
--- a/build.psm1
+++ b/build.psm1
@@ -3094,3 +3094,5 @@ function New-NugetConfigFile
Set-Content -Path (Join-Path $Destination 'nuget.config') -Value $content -Force
}
+
+$buildPaswword = (ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force)
From ad0963446850cacc16e5285c85c410bf33485533 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 12:07:37 -0700
Subject: [PATCH 6/8] fix publish task name
---
.vsts-ci/templates/credscan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.vsts-ci/templates/credscan.yml b/.vsts-ci/templates/credscan.yml
index a1930a7c593..e684bd196ba 100644
--- a/.vsts-ci/templates/credscan.yml
+++ b/.vsts-ci/templates/credscan.yml
@@ -18,5 +18,5 @@ jobs:
debugMode: false
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
- displayName: 'Publish Security Analysis Logs to Build Artifacts'
+ displayName: 'Publish Secret Scan Logs to Build Artifacts'
continueOnError: true
From f06b5ccd472dec220daecc5505709b11d81a8442 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 12:22:08 -0700
Subject: [PATCH 7/8] Add step to check for failures
---
.vsts-ci/templates/credscan.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.vsts-ci/templates/credscan.yml b/.vsts-ci/templates/credscan.yml
index e684bd196ba..859500797fa 100644
--- a/.vsts-ci/templates/credscan.yml
+++ b/.vsts-ci/templates/credscan.yml
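Review bot: The canary added after the closing brace of `New-NugetConfigFile` stays in git history even after the revert that closes this series, so the value must remain obviously fake; `"PlainTextPassword"` is, but the variable name `$buildPaswword` reads like a real build credential and will confuse anyone who meets it in history or in a later scanner report. Name it for what it is and say so on the line above, e.g. `# Deliberate fake secret to confirm CredScan fails the build; reverted in a later commit` over `$credScanCanary = (ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force)`. Because the step that turns a finding into a job failure is only added later in this series, this verification is meaningful only if the build with this commit actually failed, so cite that failing run in the PR description. Module-scope statements in a .psm1 also execute on every import, which is one more reason to keep such fixtures out of build.psm1.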
@@ -20,3 +20,9 @@ jobs:
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
displayName: 'Publish Secret Scan Logs to Build Artifacts'
continueOnError: true
+
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
+ displayName: 'Check for failures'
+ inputs:
+ CredScan: true
+ ToolLogsNotFoundAction: Error
From a17009b2697250dc9ba66d032ca87998851ee860 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Fri, 29 Mar 2019 13:00:56 -0700
Subject: [PATCH 8/8] Revert "Add fake secret to verify"
This reverts commit 165e421ef4784d60b5e85101fc88bd6089b289c9.
---
build.psm1 | 2 --
1 file changed, 2 deletions(-)
diff --git a/build.psm1 b/build.psm1
index f19f8e217a5..c61750c9ec6 100644
--- a/build.psm1
+++ b/build.psm1
@@ -3094,5 +3094,3 @@ function New-NugetConfigFile
Set-Content -Path (Join-Path $Destination 'nuget.config') -Value $content -Force
}
-
-$buildPaswword = (ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force)
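Review bot: `ToolLogsNotFoundAction: Error` is the setting that keeps this gate honest, because without it a scan that produced no log at all would pass as clean, and that reasoning is not visible from the YAML; comment it above the task: `# Fail the job on any CredScan finding; treat a missing scan log as a failure, never as a pass`. No severity or confidence threshold is configured on the step, so presumably every finding fails the job; that is the safer default, but confirm it is intended, otherwise suppress.json becomes the path of least resistance for contributors who hit a false positive. The `@1` major version differs from the `@2` used by the two tasks above it, which is harmless if deliberate but worth checking is not simply a stale task version.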