Move CredScanSuppressions.json to root of repo #39780
Conversation
I would definitely run a test internal build to make sure this actually gets picked up as you expect. Guardian is... finicky at best.

How can I tell if it gets picked up by the aspnetcore pipeline? I thought SDL/CredScan only ran in Validate-DotNet

You should be able to enable SDL validation in post-build.yml with code like this https://github.com/dotnet/arcade/blob/fd38a2e8191a46ddd6a559dbb52c9624989b2cf4/azure-pipelines.yml#L324-L338

@adiaaida might also have suggestions on whether you can just try directly on the validation pipeline?

You won't be able to validate this until the build is published to BAR. However, you could run an official build on your branch, run the promotion pipeline on that build (thus publishing to BAR) and then manually Validate-DotNet with that bar id (I normally find a recent run of the repo of interest, click "run new" from that run, and then update the bar id from the variables section)

Got a test build going here that should run SDL, if it doesn't I'll try what you suggested @adiaaida. Thanks! https://dev.azure.com/dnceng/internal/_build/results?buildId=1573989&view=results

Didn't work, following up w/ the Guardian team over email

This will probably also fail, because I think you need to take the /s out (/s is needed for the sdl-tsa-vars.config file because of where Validate-DotNet clones repos, but will be wrong here, I think)

Thanks - https://dev.azure.com/dnceng/internal/_build/results?buildId=1582945&view=results
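The `/s` question above comes down to where the repo sits relative to `$(Build.SourcesDirectory)`. As an added check that is not part of this PR or of Arcade, the script below parses the two `@("Name < path")` entries from a constructed copy of the sdl-tsa-vars.config lines, lays the same files out both ways in temporary directories (cloned into `<sources>/s`, as the thread says Validate-DotNet does, and directly into `<sources>`), and reports whether each configured file actually resolves; the file names and the direct-checkout layout are assumptions for the demo.

```python
import json
import os
import re
import tempfile

# Constructed sample reproducing the two parameter lines from eng/sdl-tsa-vars.config.
CONFIG = '''
-PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/s/eng/PoliCheckExclusions.xml")
-CrScanAdditionalRunConfigParams @("SuppressionsFile < $(Build.SourcesDirectory)/s/CredScanSuppressions.json")
'''

PARAM_RE = re.compile(r'@\("(?P<key>\w+)\s*<\s*(?P<path>[^"]+)"\)')
MACRO = "$(Build.SourcesDirectory)"


def parse_config_paths(config_text):
    """Map each @("Name < path") entry to its raw (unexpanded) path."""
    return {m.group("key"): m.group("path") for m in PARAM_RE.finditer(config_text)}


def check_files(config_text, sources_dir):
    """Expand the Build.SourcesDirectory macro and report which files exist.
    A SuppressionsFile that does not resolve means CredScan runs without
    suppressions, so every previously suppressed finding reappears."""
    result = {}
    for key, raw in parse_config_paths(config_text).items():
        resolved = os.path.normpath(raw.replace(MACRO, sources_dir))
        result[key] = os.path.isfile(resolved)
    return result


def demo(repo_files=("CredScanSuppressions.json", "eng/PoliCheckExclusions.xml")):
    """Evaluate the /s config against two checkout layouts (assumed for the demo):
    'validate-dotnet' clones the repo into <sources>/s, 'direct' uses <sources>."""
    outcomes = {}
    for layout, subdir in (("validate-dotnet", "s"), ("direct", "")):
        with tempfile.TemporaryDirectory() as sources:
            root = os.path.join(sources, subdir) if subdir else sources
            for rel in repo_files:
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write("{}" if rel.endswith(".json") else "<PoliCheckExclusions/>")
            outcomes[layout] = check_files(CONFIG, sources)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Under the `direct` layout both files come back missing, which is the silent failure mode the thread is chasing: the scan still runs, just with no suppressions applied.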
eng/sdl-tsa-vars.config
| -TsaOnboard $True | ||
| -TsaPublish $True | ||
| -PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/s/eng/PoliCheckExclusions.xml") | ||
| -CrScanAdditionalRunConfigParams @("SuppressionsFile < $(Build.SourcesDirectory)/s/CredScanSuppressions.json") |
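Review bot: the UserExclusionPath and SuppressionsFile values on the last two lines hardcode the `/s/` checkout subdirectory, which the thread says is right only for where Validate-DotNet clones the repo and wrong for a pipeline that checks out straight into $(Build.SourcesDirectory); consider recording that assumption next to these lines (a comment if the format allows one, otherwise in the PR description), so the next person who points a different pipeline at this file knows the path will not resolve there.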
Do we need to include this in dotnet/runtime as well?
Yeah, and you don't need to move the file - just point this towards wherever the file lives (assuming this change is validated by https://dev.azure.com/dnceng/internal/_build/results?buildId=1582945&view=results)
Yeah, that is why I was wondering: if it needs to be specified in this config file, why do we need to move it?
@wtgodbe it's a nit but could we try to limit our root directory files to those that contributors normally care about? I'd rather we left the suppressions file in .config/ or eng/. (eng/ is probably better since .config/ means something special to Arcade's Tools.proj.)
Followed up with CredScan folks offline, we think this should work as-is.
Guardian now looks for this file at the repo root instead of in .config

CC @safern @carlossanlop dotnet/runtime might need to move this file too to get CredScan to pick up your suppressions again