@ericstj ericstj commented Oct 30, 2025

Official build test -- https://dev.azure.com/dnceng/internal/_build/results?buildId=2828070&view=results

Note the build will fail due to #6988 but should run enough for us to see binskim results.

Copilot AI left a comment

Pull Request Overview

This PR enhances security scanning capabilities in the Azure DevOps pipeline by configuring Guardian (GDN) extraction tools and enabling comprehensive BinSkim scanning.

Key changes:

  • Adds GDN extraction configuration for security analysis tools (BinSkim, Bandit, Roslyn Analyzers)
  • Configures file type filters for extracting artifacts from build outputs
  • Enables BinSkim scanning for all file extensions through feature flags

@ericstj ericstj marked this pull request as draft October 31, 2025 01:07

Previously I set the pipeline to publish all artifacts, which was way too much, since that contained referenced binaries, tests, etc. Instead we need to publish only what we build and ship from this repo. That way we only run validation on those shipping packages.

@ericstj ericstj marked this pull request as ready for review October 31, 2025 15:47

@joperezr

Thanks a lot @ericstj!

ericstj commented Oct 31, 2025

Not quite ready, I think I mistook the path

Path does not exist: D:\a_work\1\a\artifacts\packages

ericstj commented Nov 4, 2025

Should be better now - https://dev.azure.com/dnceng/internal/_build/results?buildId=2830669&view=results

@ericstj ericstj merged commit a2d763f into dotnet:main Nov 4, 2025
6 checks passed