{CI} Enable CredScan task of Microsoft Security Code Analysis (Previe…

…w) (Azure#1252)
ManuInNZ · Apr 11, 2020 · 39477c2 · 39477c2
1 parent 13ade97
commit 39477c2
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 26 deletions.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -8,32 +8,25 @@ trigger:
     - '*'
 
 jobs:
-#- job: CredScan
-#  displayName: "Credential Scan"
-#
-#  pool:
-#    vmImage: "windows-2019"
-#  steps:
-#  - task: CredScan@2
-#    inputs:
-#      toolMajorVersion: 'V2'
-#
-#  - task: PostAnalysis@1
-#    inputs:
-#      AllTools: false
-#      APIScan: false
-#      BinSkim: false
-#      CodesignValidation: false
-#      CredScan: true
-#      FortifySCA: false
-#      FxCop: false
-#      ModernCop: false
-#      PoliCheck: false
-#      RoslynAnalyzers: false
-#      SDLNativeRules: false
-#      Semmle: false
-#      TSLint: false
-#      ToolLogsNotFoundAction: 'Standard'
+- job: CredScan
+  displayName: "Credential Scan"
+  pool:
+    vmImage: "windows-2019"
+  steps:
+    - task: ms-codeanalysis.vss-microsoft-security-code-analysis.build-task-credscan.CredScan@2
+      displayName: 'CredScan'
+      inputs:
+        toolVersion: 'Latest'
+        suppressionsFile: './scripts/ci/credscan/CredScanSuppressions.json'
+    - task: ms-codeanalysis.vss-microsoft-security-code-analysis.build-task-postanalysis.PostAnalysis@1
+      displayName: 'Post Analysis'
+      inputs:
+        AllTools: false
+        BinSkim: false
+        CredScan: true
+        RoslynAnalyzers: false
+        TSLint: false
+        ToolLogsNotFoundAction: 'Standard'
 
 - job: StaticAnalysis
   displayName: "Static Analysis"

diff --git a/CredScanSuppressions.json → ...pts/ci/credscan/CredScanSuppressions.json b/CredScanSuppressions.json → ...pts/ci/credscan/CredScanSuppressions.json
@@ -21,6 +21,22 @@
     {
       "placeholder": "aduser",
       "_justification": "[NetAppFiles] Add suppression for false alarm in comments of _help.py"
+    },
+    {
+      "placeholder": "AZURE_CLIENT_SECRET",
+      "_justification": "[db_up] false alarm about environment variable name"
+    },
+    {
+      "placeholder": "ADPassword",
+      "_justification": "[SQL] false alarm about AuthenticationType enum value"
+    },
+    {
+      "placeholder": "ActiveDirectoryPassword",
+      "_justification": "[DataMigration] false alarm about AuthenticationType enum value"
+    },
+    {
+      "placeholder": "Ovg+o0K/0/2V8upg7AwlyAPCriEcOSXKuBu2Gv/PU70Y7aWDW3C2ZRmw6kYWqPWBaM1GosLkcSZkgsobAlT+Sw==",
+      "_justification": "[ADLS] false alarm on sign value"
     }
   ]
 }