diff --git a/jobs/ado_ghazdo_dependency_scanning_job.yml b/jobs/ado_ghazdo_dependency_scanning_job.yml
new file mode 100644
index 0000000..8c1be07
--- /dev/null
+++ b/jobs/ado_ghazdo_dependency_scanning_job.yml
@@ -0,0 +1,16 @@
+parameters:
+- name: directoryExclusionList
+ type: string
+ default: ''
+- name: dependsOn
+ type: object
+ default: []
+- name: serviceName
+ type: string
+
+jobs:
+- job: '${{ parameters.serviceName }}_ghazdo_dependency_scanning'
+ displayName: '${{ parameters.serviceName }} GHAzDO Dependency Scanning'
+ dependsOn: ${{ parameters.dependsOn }}
+ steps:
+ - template: ../tasks/ado_ghazdo_dependency_scanning_task.yml
diff --git a/jobs/dotnetcore_build_publish_job.yml b/jobs/dotnetcore_build_publish_job.yml
index 55a7c37..3582131 100644
--- a/jobs/dotnetcore_build_publish_job.yml
+++ b/jobs/dotnetcore_build_publish_job.yml
@@ -8,9 +8,11 @@ parameters:
 publishArguments: ''
 sdkVersion: ''
 startUpProjectName: ''
+ GHAzDOEnabled: true
 jobs:
 - job: build_publish_${{parameters.projectName}}
+ dependsOn: GHAzDOCheckJob
 variables:
 projectName: ${{replace(parameters.projectName,'_','.')}}
 srcFilePath: 'src'
@@ -23,11 +25,16 @@ jobs:
 testProjectPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/${{ variables.srcFilePath }}/${{ variables.projectName }}'
 startUpProjectPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/${{ variables.srcFilePath }}/${{ parameters.startUpProjectName }}'
 dropLocation: 'drop/${{ parameters.projectName }}'
+ GHAzDOEnabled: $[ dependencies.GHAzDOCheckJob.outputs['GHAzDOCheck.GHAzDOEnabled'] ]
 steps:
 - template: ../tasks/dotnet_sdk_task.yml
 parameters:
 sdkVersion: ${{ parameters.sdkVersion }}
 - template: ../tasks/nuget_auth_task.yml
+ - ${{ if eq(parameters.GHAzDOEnabled, true) }}:
+ - template: ../tasks/ado_ghazdo_codeql_init_task.yml
+ parameters:
+ languages: 'csharp'
 - template: ../tasks/dotnetcore_cli_task.yml
 parameters:
 command: 'build'
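Review bot: The `directoryExclusionList` parameter declared at the top of jobs/ado_ghazdo_dependency_scanning_job.yml is never forwarded: the include on the hunk's last line runs the task template with its own empty default, so any exclusions a caller passes are silently dropped. Pass it through: `- template: ../tasks/ado_ghazdo_dependency_scanning_task.yml` / `  parameters:` / `    directoryExclusionList: ${{ parameters.directoryExclusionList }}`. This job also has no link to the GHAzDOCheckJob output that the build job wires up, so it presumably targets callers that already know Advanced Security is on for the repository; a one-line comment above `jobs:` stating that assumption would save the next reader from guessing.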
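Review bot: `dependsOn: GHAzDOCheckJob` is added unconditionally although `GHAzDOEnabled: true` is a parameter callers can switch off; a stage that sets it to false and therefore does not include jobs/ghazdo_check_enabled_job.yml will fail at pipeline compile time because this job names a job that does not exist. Gate the dependency on the same parameter: `${{ if eq(parameters.GHAzDOEnabled, true) }}:` / `  dependsOn: GHAzDOCheckJob`. The runtime variable defined later in this job that reads `dependencies.GHAzDOCheckJob` needs the same guard, otherwise it dangles once the dependency is gone. The job definition continues past this hunk.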
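Review bot: The runtime variable `GHAzDOEnabled: $[ dependencies.GHAzDOCheckJob.outputs['GHAzDOCheck.GHAzDOEnabled'] ]` is defined but nothing in this hunk reads it; the CodeQL init include is selected by the compile-time `${{ if eq(parameters.GHAzDOEnabled, true) }}` on the template parameter, so the check job's answer is ignored and the init task runs on a repository where Advanced Security is off whenever the parameter says true. Either have the task template apply a runtime condition on this variable, `condition: and(succeeded(), eq(variables['GHAzDOEnabled'], 'True'))` (assuming the check task's `$response.advSecEnabled` comes back as a boolean, the output is rendered as PowerShell's `True`/`False`), or drop the variable and the check job and rely on the parameter alone — as written the dependency buys nothing. Giving the variable a name distinct from the parameter, e.g. `ghazdoRepoEnabled`, would also stop the two gates being confused. The enclosing job starts before and continues past this hunk.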
@@ -39,7 +46,9 @@ jobs:
 command: 'test'
 projectPath: '${{ variables.testProjectPath }}/**/*.csproj'
 arguments: '--configuration ${{ parameters.buildConfiguration }} --collect "Code coverage"'
-
+ - ${{ if eq(parameters.GHAzDOEnabled, true) }}:
+ - template: ../tasks/ado_ghazdo_dependency_scanning_task.yml
+ - template: ../tasks/ado_ghazdo_codeql_analyze_task.yml
 - template: ../tasks/dotnetcore_cli_publish_task.yml
 parameters:
 zipAfterPublish: ${{ parameters.zipAfterPublish}}
diff --git a/jobs/ghazdo_check_enabled_job.yml b/jobs/ghazdo_check_enabled_job.yml
new file mode 100644
index 0000000..47050ae
--- /dev/null
+++ b/jobs/ghazdo_check_enabled_job.yml
@@ -0,0 +1,13 @@
+parameters:
+- name: displayName
+ type: string
+ default: 'GitHub Advanced Security Check if Enabled'
+- name: dependsOn
+ type: object
+ default: []
+
+jobs:
+- job: GHAzDOCheckJob
+ displayName: ${{ parameters.displayName }}
+ steps:
+ - template: ../tasks/pwsh_ghazdo_enabled_check_task.yml
diff --git a/stages/dotnet_build_stage.yml b/stages/dotnet_build_stage.yml
index 757a80a..cb63fe4 100644
--- a/stages/dotnet_build_stage.yml
+++ b/stages/dotnet_build_stage.yml
@@ -18,6 +18,7 @@ stages:
 variables:
 solutionPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/'
 jobs:
+
 - ${{ each artifactToPublish in parameters.artifactsToPublish }} :
 - template: ../jobs/artifact_publish_job.yml
 parameters:
diff --git a/tasks/ado_ghazdo_codeql_analyze_task.yml b/tasks/ado_ghazdo_codeql_analyze_task.yml
new file mode 100644
index 0000000..649ec8e
--- /dev/null
+++ b/tasks/ado_ghazdo_codeql_analyze_task.yml
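Review bot: Both scan includes are placed after the `test` step with the default step condition, so a failing unit test skips dependency scanning and CodeQL analyze and no results are uploaded for that build — a broken test hides new vulnerable packages and code findings. If the scans are meant to report regardless of test outcome, the two task templates need a `condition` parameter (defaulting to `succeeded()`) so this include can pass `succeededOrFailed()`; if a red build is intentionally not scanned, a short comment above the `${{ if }}` saying so answers the obvious question. Note also that the removed line is a blank and the added block lands directly under `arguments:`; keeping one blank line between the test and scan steps costs nothing. This hunk is mid-job; the steps list starts earlier in the file.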
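Review bot: The `dependsOn` parameter declared in jobs/ghazdo_check_enabled_job.yml is never applied to the job — `- job: GHAzDOCheckJob` carries `displayName` and `steps` but no `dependsOn:` — so a caller that passes an ordering gets nothing and the check always runs immediately. Add `dependsOn: ${{ parameters.dependsOn }}` under the job, as jobs/ado_ghazdo_dependency_scanning_job.yml already does. Because jobs/dotnetcore_build_publish_job.yml hard-codes `dependsOn: GHAzDOCheckJob` and reads `outputs['GHAzDOCheck.GHAzDOEnabled']`, both the job name and the step name are part of the contract; a comment such as `# job name and the GHAzDOCheck step name are referenced by dotnetcore_build_publish_job.yml — do not rename` above `- job:` would make that explicit.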
@@ -0,0 +1,27 @@
+parameters:
+- name: displayName
+ type: string
+ default: 'GitHub Advanced Security CodeQL Scan'
+- name: waitForProcessing
+ type: boolean
+ default: false
+- name: waitforProcessingInterval
+ type: string
+ default: '5'
+- name: waitForProcessingTimeout
+ type: string
+ default: '120'
+- name: GHAzDOEnabled
+ type: string
+ default: true
+
+
+
+steps:
+- task: AdvancedSecurity-Codeql-Analyze@1
+ #condition: ${{ eq(parameters.GHAzDOEnabled, 'True') }}
+ displayName: ${{ parameters.displayName }}
+ inputs:
+ WaitForProcessing: ${{ parameters.waitForProcessing }}
+ WaitForProcessingInterval: ${{ parameters.waitforProcessingInterval }}
+ WaitForProcessingTimeout: ${{ parameters.waitForProcessingTimeout }}
diff --git a/tasks/ado_ghazdo_codeql_init_task.yml b/tasks/ado_ghazdo_codeql_init_task.yml
new file mode 100644
index 0000000..31a6dd8
--- /dev/null
+++ b/tasks/ado_ghazdo_codeql_init_task.yml
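Review bot: `GHAzDOEnabled` is declared as a parameter of tasks/ado_ghazdo_codeql_analyze_task.yml but its only use is the commented-out `#condition: ${{ eq(parameters.GHAzDOEnabled, 'True') }}`, so the task always runs and passing the parameter is a no-op; that commented form is also a compile-time comparison, which can never observe the runtime output of the check job. If the intent is to honour the check, put a runtime condition on the job variable the build job defines, `condition: and(succeeded(), eq(variables['GHAzDOEnabled'], 'True'))`, and delete the parameter; otherwise delete both the parameter and the dead comment so nobody assumes the gate exists. Two smaller points: `waitforProcessingInterval` is the only name with a lowercase `for` (rename it `waitForProcessingInterval` together with its `${{ parameters.… }}` reference before callers depend on it), and `default: true` under `type: string` is a boolean literal on a string parameter — quote it as `'true'` or make the type `boolean`, since how the YAML loader coerces it is not something this template should rely on.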
@@ -0,0 +1,48 @@
+parameters:
+- name: languages
+ type: string
+ default: ''
+- name: querySuite
+ type: string
+ default: 'security-and-quality'
+- name: ram
+ type: string
+ default: ''
+- name: threads
+ type: string
+ default: '0'
+- name: codeqlPathsToIgnore
+ type: string
+ default: ''
+- name: codeqlPathsToInclude
+ type: string
+ default: '*'
+- name: sourcesFolder
+ type: string
+ default: $(Build.SourcesDirectory)
+- name: logLevel
+ type: string
+ default: '_'
+- name: configFilepath
+ type: string
+ default: ''
+- name: displayName
+ type: string
+ default: 'Init CodeQL'
+- name: GHAzDOEnabled
+ type: string
+ default: true
+
+steps:
+- task: AdvancedSecurity-Codeql-Init@1
+ displayName: ${{ parameters.displayName }}
+ #condition: and(succeeded(), ${{ eq(parameters.GHAzDOEnabled, 'True')}})
+ inputs:
+ languages: ${{ parameters.languages }}
+ ram: ${{ parameters.ram }}
+ threads: ${{ parameters.threads }}
+ codeqlpathstoignore: ${{ parameters.codeqlPathsToIgnore }}
+ codeqlpathstoinclude: ${{ parameters.codeqlPathsToInclude }}
+ sorucesFolder: ${{ parameters.sourcesFolder }}
+ loglevel: ${{ parameters.logLevel }}
+ configfilepath: ${{ parameters.configFilePath }}
diff --git a/tasks/ado_ghazdo_dependency_scanning_task.yml b/tasks/ado_ghazdo_dependency_scanning_task.yml
new file mode 100644
index 0000000..085d4cf
--- /dev/null
+++ b/tasks/ado_ghazdo_dependency_scanning_task.yml
@@ -0,0 +1,13 @@
+parameters:
+- name: directoryExclusionList
+ type: string
+ default: ''
+- name: displayName
+ type: string
+ default: 'Advanced Security Dependency Scanning'
+
+steps:
+- task: AdvancedSecurity-Dependency-Scanning@1
+ displayName: ${{ parameters.displayName }}
+ inputs:
+ directoryExclusionList: ${{ parameters.directoryExclusionList }}
diff --git a/tasks/pwsh_ghazdo_enabled_check_task.yml b/tasks/pwsh_ghazdo_enabled_check_task.yml
new file mode 100644
index 0000000..1713962
--- /dev/null
+++ b/tasks/pwsh_ghazdo_enabled_check_task.yml
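Review bot: Three parameters in tasks/ado_ghazdo_codeql_init_task.yml never reach the task: `sorucesFolder` is misspelt, so the agent treats it as an unknown input and `sourcesFolder` has no effect; `querySuite` (default `'security-and-quality'`) is declared but not mapped to any input, so the task runs whatever suite it ships with rather than the one this template advertises; and the last line reads `parameters.configFilePath` while the parameter is declared `configFilepath`, which presumably fails to resolve unless parameter lookup is case-insensitive. The fix is three lines under `inputs:`: `querysuite: ${{ parameters.querySuite }}`, `sourcesfolder: ${{ parameters.sourcesFolder }}`, `configfilepath: ${{ parameters.configFilepath }}`. As in the analyze template, `GHAzDOEnabled` only feeds the commented-out `#condition:` and should either become a real runtime condition or be removed.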
@@ -0,0 +1,18 @@
+parameters:
+- name: displayName
+ type: string
+ default: 'Check if GitHub Advanced Security for ADO is enabled on the repository'
+steps:
+- task: PowerShell@2
+ displayName: ${{ parameters.displayName }}
+ name: GHAzDOCheck
+ inputs:
+ failOnStderr: true
+ targetType: 'inline'
+ script: |
+ $contentType = "application/json";
+ $headers = @{ Authorization = 'Bearer $(System.AccessToken)' };
+ $uri = "https://advsec.dev.azure.com/JFGHAzDO/$(System.TeamProject)/_apis/management/repositories/$(Build.Repository.Name)/enablement?includeAllProperties=true&api-version=7.2-preview.1";
+ $response = Invoke-RestMethod -uri $uri -method GET -Headers $headers -ContentType $contentType;
+ $GHAzDOEnabled = $response.advSecEnabled
+ Write-Host "##vso[task.setvariable variable=GHAzDOEnabled;isOutput=true]$GHAzDOEnabled"
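Review bot: The organization is hard-coded into the enablement URL (`https://advsec.dev.azure.com/JFGHAzDO/...`), so this template only works in that one org and, if reused elsewhere, sends the pipeline's `$(System.AccessToken)` to another org's endpoint and then fails; derive the org from `$(System.CollectionUri)` instead. The request also has no error handling: an HTTP 401/403 (the build identity presumably needs the Advanced Security "view settings" permission), a repository name that needs URL-encoding, or a response without `advSecEnabled` surfaces either as an opaque task failure that blocks the dependent build job or as an empty output variable that a downstream `eq(..., 'True')` silently reads as disabled. Wrap the call, fail with a message that names the likely missing permission, coerce the result to a boolean so the output is always `True`/`False`, and pass the token through `env:` rather than interpolating it into the script body.
```yaml
    script: |
      # Derive the org from the collection URI (assumes the https://dev.azure.com/{org}/ form) instead of hard-coding it
      $org = ([uri]"$(System.CollectionUri)").Segments[1].TrimEnd('/')
      $repo = [uri]::EscapeDataString("$(Build.Repository.Name)")
      $uri = "https://advsec.dev.azure.com/$org/$(System.TeamProject)/_apis/management/repositories/$repo/enablement?includeAllProperties=true&api-version=7.2-preview.1"
      try {
        $response = Invoke-RestMethod -Uri $uri -Method GET -ContentType "application/json" -Headers @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
      } catch {
        Write-Host "##vso[task.logissue type=error]Advanced Security enablement lookup failed for ${repo}: $($_.Exception.Message). Check that the build identity has the Advanced Security 'View settings' permission."
        exit 1
      }
      # Missing/null property becomes False, so the output is always a clean True/False string
      $GHAzDOEnabled = [bool]$response.advSecEnabled
      Write-Host "##vso[task.setvariable variable=GHAzDOEnabled;isOutput=true]$GHAzDOEnabled"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```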