-
Notifications
You must be signed in to change notification settings - Fork 102
/
azure-pipelines-component-scan.yml
84 lines (80 loc) · 2.4 KB
/
azure-pipelines-component-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Docker
# Build and push an image to Azure Container Registry
# https://docs.microsoft.com/azure/devops/pipelines/languages/docker
trigger:
- none
resources:
- repo: self
variables:
# Container registry service connection established during pipeline creation
version: '$(Build.BuildId)'
# Agent VM image name
vmImageName: 'windows-latest'
Codeql.Enabled: true
stages:
- stage: Component_Scan
displayName: Component Scan for All Languages
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: CodeQL3000Init@0
- task: NodeTool@0
inputs:
versionSpec: '14.x'
- task: Npm@1
inputs:
command: 'install'
workingDir: 'react'
- task: Npm@1
inputs:
command: 'custom'
workingDir: 'react'
customCommand: 'run pub'
- task: Gradle@2
inputs:
gradleWrapperFile: 'gradlew'
tasks: 'center:bootJar'
publishJUnitResults: false
javaHomeOption: 'JDKVersion'
jdkVersionOption: '1.11'
sonarQubeRunAnalysis: false
spotBugsAnalysis: false
- task: Gradle@2
inputs:
gradleWrapperFile: 'gradlew'
tasks: 'agent:bootJar'
publishJUnitResults: false
javaHomeOption: 'JDKVersion'
jdkVersionOption: '1.11'
sonarQubeRunAnalysis: false
spotBugsAnalysis: false
- task: DeleteFiles@1
inputs:
SourceFolder: react/node_modules
Contents: '*'
RemoveSourceFolder: true
- task: CodeQL3000Finalize@0
# Security Essential
# - task: CodeInspector@2
# displayName: Run code inspector
# inputs:
# ProductId: '606a5e0d-64b0-4237-9dca-eac200438452'
- task: CredScan@3
displayName: Run CredScan
- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2
# https://strikecommunity.azurewebsites.net/articles/8216/how-to-enable-build-break-on-credscan-detections.html
displayName: 'Create CredScan Security Analysis Report'
inputs:
GdnExportTsvFile: true
GdnExportHtmlFile: true
GdnExportAllTools: false
GdnExportGdnToolCredScan: true
- task: PublishPipelineArtifact@1
displayName: 'Publish CredScan Security Analysis Report'
inputs:
targetPath: '$(Agent.BuildDirectory)\.gdn\a'
artifact: 'SecurityReport'
publishLocation: 'pipeline'