[ci] Add API Scan job

Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline

The ApiScan task has been added to pipeline runs against `main`.  This
task should help us identify related issues earlier, rather than having
to wait for a full scan of VS.

Author: pjcollins

build-llvm.cmd

@@ -12,8 +12,9 @@ set PDBS=llvm-mc.pdb llvm-strip.pdb lld.pdb llc.pdb
 set HOST_BUILD_DIR=%BUILD_DIR%\%HOST%
 set HOST_BIN_DIR=%HOST_BUILD_DIR%\Release\bin
 set HOST_ARTIFACTS_DIR=%ARTIFACTS_DIR%\%HOST%
-set LLVM_VERSION_FILE=%HOST_ARTIFACTS_DIR%\llvm-version.txtt 
-set CXXFLAGS="/Qspectre /sdl"
+set LLVM_VERSION_FILE=%HOST_ARTIFACTS_DIR%\llvm-version.txt
+set CMAKE_EXE_LINKER_FLAGS_INIT="/PROFILE /DYNAMICBASE /CETCOMPAT"
+set CMAKE_CXXFLAGS="/Qspectre /sdl"
 
 if exist %HOST_BUILD_DIR% (rmdir /S /Q %HOST_BUILD_DIR%)
 mkdir %HOST_BUILD_DIR%

build-tools/automation/azure-pipelines.yml

@@ -19,6 +19,10 @@ resources:
     ref: refs/heads/main
     endpoint: xamarin
 
+parameters:
+- name: ApiScanSourceBranch
+  default: refs/heads/main
+
 variables:
 - name: TeamName
   value: XamarinAndroid
@@ -241,3 +245,66 @@ stages:
         TargetFolders: $(Build.SourcesDirectory)\artifacts
         ExcludeSNVerify: true
       condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))
+
+- stage: compliance_scan
+  displayName: Compliance
+  dependsOn: build
+  condition: and(eq(dependencies.build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
+  jobs:
+  - job: api_scan
+    displayName: API Scan
+    pool:
+      name: Azure Pipelines
+      vmImage: windows-2022
+    timeoutInMinutes: 480
+    workspace:
+      clean: all
+    steps:
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: artifacts-windows-unsigned
+        downloadPath: $(Build.SourcesDirectory)\artifacts
+
+    - task: CopyFiles@2
+      displayName: Collect Files for APIScan
+      inputs:
+        Contents: |
+          $(Build.SourcesDirectory)\artifacts\**\?(*.dll|*.exe|*.pdb)
+        TargetFolder: $(Build.StagingDirectory)\apiscan
+
+    - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse
+      displayName: List Files for APIScan
+
+    - task: APIScan@2
+      displayName: Run APIScan
+      inputs:
+        softwareFolder: $(Build.StagingDirectory)\apiscan
+        symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan'
+        softwareName: $(ApiScanName)
+        softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)
+        isLargeApp: true
+        toolVersion: Latest
+      env:
+        AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
+    - task: SdtReport@2
+      displayName: Guardian Export - Security Report
+      inputs:
+        GdnExportAllTools: false
+        GdnExportGdnToolApiScan: true
+        GdnExportOutputSuppressionFile: source.gdnsuppress
+
+    - task: PublishSecurityAnalysisLogs@3
+      displayName: Publish Guardian Artifacts
+      inputs:
+        ArtifactName: APIScan Logs
+        ArtifactType: Container
+        AllTools: false
+        APIScan: true
+        ToolLogsNotFoundAction: Warning
+
+    - task: PostAnalysis@2
+      displayName: Fail Build on Guardian Issues
+      inputs:
+        GdnBreakAllTools: false
+        GdnBreakGdnToolApiScan: true