{CI} Enable CredScan task of Microsoft Security Code Analysis (Previe…

…w) (#12019)
Azure · Feb 3, 2020 · 78171d9 · 78171d9
1 parent f99cc5f
commit 78171d9
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 28 deletions.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -33,33 +33,25 @@ jobs:
         echo "Reject pull request directly to master branch"
         exit 1
 
-#- job: CredScan
-#  displayName: "Credential Scan"
-#
-#  pool:
-#    vmImage: "windows-2019"
-#  steps:
-#  - task: CredScan@2
-#    inputs:
-#      toolMajorVersion: 'V2'
-#      suppressionsFile: ./scripts/ci/credscan/CredScanSuppressions.json
-#
-#  - task: PostAnalysis@1
-#    inputs:
-#      AllTools: false
-#      APIScan: false
-#      BinSkim: false
-#      CodesignValidation: false
-#      CredScan: true
-#      FortifySCA: false
-#      FxCop: false
-#      ModernCop: false
-#      PoliCheck: false
-#      RoslynAnalyzers: false
-#      SDLNativeRules: false
-#      Semmle: false
-#      TSLint: false
-#      ToolLogsNotFoundAction: 'Standard'
+- job: CredScan
+  displayName: "Credential Scan"
+  pool:
+    vmImage: "windows-2019"
+  steps:
+    - task: ms-codeanalysis.vss-microsoft-security-code-analysis.build-task-credscan.CredScan@2
+      displayName: 'CredScan'
+      inputs:
+        toolVersion: 'Latest'
+        suppressionsFile: './scripts/ci/credscan/CredScanSuppressions.json'
+    - task: ms-codeanalysis.vss-microsoft-security-code-analysis.build-task-postanalysis.PostAnalysis@1
+      displayName: 'Post Analysis'
+      inputs:
+        AllTools: false
+        BinSkim: false
+        CredScan: true
+        RoslynAnalyzers: false
+        TSLint: false
+        ToolLogsNotFoundAction: 'Standard'
 
 - job: ExtractMetadata
   displayName: Extract Metadata

diff --git a/scripts/ci/credscan/CredScanSuppressions.json b/scripts/ci/credscan/CredScanSuppressions.json
@@ -81,6 +81,10 @@
       "placeholder": "+XLy+MVZ+aTeOnVzN2kLeB16O+kSxmz6g3rS6fAf6rw=",
       "_justification": "[IoT] hard code access key"
     },
+    {
+      "placeholder": "RTNrGy6n%2Fs2uLLZFuVHBIJtdxIJP1LuKfhKjHwwbu7A%3D",
+      "_justification": "[IoT] false alarm of signature in test_sas_token_auth.py"
+    },
     {
       "file": [
         "src\\azure-cli\\azure\\cli\\command_modules\\servicebus\\tests\\latest\\recordings\\test_sb_alias.yaml",
@@ -122,6 +126,10 @@
       "placeholder": "admin123",
       "_justification": "[VM] admin user name for test_vm_defaults.py"
     },
+    {
+      "placeholder": "verySecret!",
+      "_justification": "[VM] one-off password in test"
+    },
     {
       "placeholder": "testpassword",
       "_justification": "[DMS] one-off password in test"
@@ -142,6 +150,10 @@
       "placeholder": "SecretPassword123",
       "_justification": "[lab]/[rdbms] one-off password in test"
     },
+    {
+      "placeholder": "AZURE_CLIENT_SECRET",
+      "_justification": "[rdbms] false alarm about environment variable name"
+    },
     {
       "placeholder": "pass1234",
       "_justification": "[KeyVault] one-off password in test"
@@ -222,6 +234,14 @@
       ],
       "_justification": "[SQL] one-off password used for test"
     },
+    {
+      "placeholder": "SqlPassword",
+      "_justification": "[SQL] False alarm about ClientAuthenticationType"
+    },
+    {
+      "placeholder": "ADPassword",
+      "_justification": "[SQL] False alarm about ClientAuthenticationType"
+    },
     {
       "file": [
         "src\\azure-cli\\azure\\cli\\command_modules\\monitor\\tests\\latest\\recordings\\test_monitor_log_analytics_workspace_default.yaml"
@@ -270,7 +290,14 @@
         "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\mydomain.test.encrypted.pem",
         "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\import_pfx.pfx",
         "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\import_pem_plain.pem",
-        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\ec521pw.pem"
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\ec521pw.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\ec-p256.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\ec-p256k.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\ec-p521.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\ec-p384.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\rsa-2048.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\rsa-3072.pem",
+        "src\\azure-cli\\azure\\cli\\command_modules\\keyvault\\tests\\latest\\keys\\rsa-4096.pem"
       ],
       "_justification": "[KeyVault] Test certs"
     },
@@ -294,6 +321,10 @@
       "placeholder": "Docker!",
       "_justification": "[AppService] hard code password in custom.py of service which must be took down in the future"
     },
+    {
+      "placeholder": "myPwd",
+      "_justification": "[AppService] hard code MySQL password in _help.py"
+    },
     {
       "placeholder": "5+36OCtbIwfy8g5glC4bQQrFsfmMc3iD",
       "_justification": "[Container] hard code password in test_container_commands.py"
@@ -306,6 +337,10 @@
         "src\\azure-cli\\azure\\cli\\command_modules\\batch\\tests\\latest\\data\\batch-pool-create.json"
       ],
       "_justification": "unclear file contains password, need to remove in the future"
+    },
+    {
+      "placeholder": "f6Nx8en4sIJQryYFVVj%2B5BdU7bho96jAgOzLO40Twkg%3D",
+      "_justification": "[DeploymentManager] false alarm of signature in _help.py"
     }
   ]
 }