2 [string
] $GuardianPackageName, # Required: the name of guardian CLI package (not needed if GuardianCliLocation is specified)
3 [string
] $NugetPackageDirectory, # Required: directory where NuGet packages are installed (not needed if GuardianCliLocation is specified)
4 [string
] $GuardianCliLocation, # Optional: Direct location of Guardian CLI executable if GuardianPackageName & NugetPackageDirectory are not specified
5 [string
] $Repository=$env:BUILD_REPOSITORY_NAME
, # Required: the name of the repository (e.g. dotnet/arcade)
6 [string
] $BranchName=$env:BUILD_SOURCEBRANCH
, # Optional: name of branch or version of gdn settings; defaults to $(Build.SourceBranch)
7 [string
] $SourceDirectory=$env:BUILD_SOURCESDIRECTORY
, # Required: the directory where source files are located
8 [string
] $ArtifactsDirectory = (Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY
("artifacts")), # Required: the directory where build artifacts are located
9 [string
] $AzureDevOpsAccessToken, # Required: access token for dnceng; should be provided via KeyVault and must never be written to the build log
10 [string
[]] $SourceToolsList, # Optional: list of SDL tools to run on source code
11 [string
[]] $ArtifactToolsList, # Optional: list of SDL tools to run on built artifacts
12 [bool
] $TsaPublish=$False, # Optional: true will publish results to TSA; only set to true after onboarding to TSA; TSA is the automated framework used to upload test results as bugs.
13 [string
] $TsaBranchName=$env:BUILD_SOURCEBRANCH
, # Optional: required for TSA publish; defaults to $(Build.SourceBranch); TSA is the automated framework used to upload test results as bugs.
14 [string
] $TsaRepositoryName=$env:BUILD_REPOSITORY_NAME
, # Optional: TSA repository name; will be generated automatically if not submitted; TSA is the automated framework used to upload test results as bugs.
15 [string
] $BuildNumber=$env:BUILD_BUILDNUMBER
, # Optional: required for TSA publish; defaults to $(Build.BuildNumber)
16 [bool
] $UpdateBaseline=$False, # Optional: if true, will update the baseline in the repository; should only be run after fixing any issues which need to be fixed
17 [bool
] $TsaOnboard=$False, # Optional: if true, will onboard the repository to TSA; should only be run once; TSA is the automated framework used to upload test results as bugs.
18 [string
] $TsaInstanceUrl, # Optional: only needed if TsaOnboard or TsaPublish is true; the instance-url registered with TSA; TSA is the automated framework used to upload test results as bugs.
19 [string
] $TsaCodebaseName, # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the codebase registered with TSA; TSA is the automated framework used to upload test results as bugs.
20 [string
] $TsaProjectName, # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the project registered with TSA; TSA is the automated framework used to upload test results as bugs.
21 [string
] $TsaNotificationEmail, # Optional: only needed if TsaOnboard is true; the email(s) which will receive notifications of TSA bug filings (e.g. alias@microsoft.com); TSA is the automated framework used to upload test results as bugs.
22 [string
] $TsaCodebaseAdmin, # Optional: only needed if TsaOnboard is true; the aliases which are admins of the TSA codebase (e.g. DOMAIN\alias); TSA is the automated framework used to upload test results as bugs.
23 [string
] $TsaBugAreaPath, # Optional: only needed if TsaOnboard is true; the area path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
24 [string
] $TsaIterationPath, # Optional: only needed if TsaOnboard is true; the iteration path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
25 [string
] $GuardianLoggerLevel="Standard", # Optional: the logger level for the Guardian CLI; options are Trace, Verbose, Standard, Warning, and Error
26 [string
[]] $CrScanAdditionalRunConfigParams, # Optional: Additional Params to custom build a CredScan run config in the format @("xyz:abc","sdf:1")
27 [string
[]] $PoliCheckAdditionalRunConfigParams # Optional: Additional Params to custom build a Policheck run config in the format @("xyz:abc","sdf:1")
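# Guardian orchestration: initialise the .gdn settings for the repository, optionally
# onboard to TSA, run the requested SDL tools over artifacts and/or source, optionally
# push an updated baseline, and optionally publish results to TSA.
#
# Every Guardian CLI failure is fatal. A scan whose results were never produced or
# never published looks exactly like a clean scan to the consumer of this pipeline,
# so nothing below is allowed to log a failure and keep going.
$ErrorActionPreference = "Stop"
Set-StrictMode -Version 2.0

# Normalise the repository name to the org/repo form expected by the child scripts.
# A name without a slash (e.g. "dotnet-arcade") is split on its first dash.
if (!($Repository.contains('/'))) {
  $RepoName = $Repository -replace '(.*?)-(.*)', '$1/$2';
} else {
  $RepoName = $Repository;
}

# Resolve the Guardian CLI: either installed as a NuGet package under
# $NugetPackageDirectory, or pointed at directly via -GuardianCliLocation.
if ($GuardianPackageName) {
  $guardianCliLocation = Join-Path $NugetPackageDirectory (Join-Path $GuardianPackageName (Join-Path "tools" "guardian.cmd"))
} else {
  $guardianCliLocation = $GuardianCliLocation
}

$workingDirectory = (Split-Path $SourceDirectory -Parent)

# Refuse to continue without an existing Guardian CLI executable. Every later step
# shells out to it; continuing past this check would let the build go green with no
# SDL scan behind it.
if (-not $guardianCliLocation) {
  Write-Host "Guardian CLI location is not set. Pass -GuardianCliLocation, or -GuardianPackageName together with -NugetPackageDirectory."
  exit 1
}
$ValidPath = Test-Path $guardianCliLocation -PathType Leaf
if ($ValidPath -eq $False) {
  Write-Host "Invalid Guardian CLI Location."
  exit 1
}

# init-sdl.ps1 prepares $workingDirectory\.gdn for $RepoName/$BranchName using the
# access token. The token is only ever passed as a parameter; none of the command
# echoes in this script include it.
& $(Join-Path $PSScriptRoot "init-sdl.ps1") -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -AzureDevOpsAccessToken $AzureDevOpsAccessToken -GuardianLoggerLevel $GuardianLoggerLevel
$gdnFolder = Join-Path $workingDirectory ".gdn"

# TSA onboarding is a one-time, repository-level registration and runs only when
# explicitly requested with -TsaOnboard. The flag has to gate the call: without it,
# any build that happens to supply the codebase values would re-onboard.
if ($TsaOnboard) {
  if ($TsaCodebaseName -and $TsaNotificationEmail -and $TsaCodebaseAdmin -and $TsaBugAreaPath) {
    Write-Host "$guardianCliLocation tsa-onboard --codebase-name `"$TsaCodebaseName`" --notification-alias `"$TsaNotificationEmail`" --codebase-admin `"$TsaCodebaseAdmin`" --instance-url `"$TsaInstanceUrl`" --project-name `"$TsaProjectName`" --area-path `"$TsaBugAreaPath`" --iteration-path `"$TsaIterationPath`" --working-directory $workingDirectory --logger-level $GuardianLoggerLevel"
    & $guardianCliLocation tsa-onboard --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $workingDirectory --logger-level $GuardianLoggerLevel
    if ($LASTEXITCODE -ne 0) {
      Write-Host "Guardian tsa-onboard failed with exit code $LASTEXITCODE."
      exit $LASTEXITCODE
    }
  } else {
    # Backtick-escape the dollar signs: a bare "$$Name" expands the automatic
    # variable $$ instead of printing the parameter name.
    Write-Host "Could not onboard to TSA -- not all required values (`$TsaCodebaseName, `$TsaNotificationEmail, `$TsaCodebaseAdmin, `$TsaBugAreaPath) were specified."
    exit 1
  }
}

# Scan built artifacts and/or source with the requested tool lists. Each list is
# optional; an empty or missing list skips that pass.
if ($ArtifactToolsList -and $ArtifactToolsList.Count -gt 0) {
  & $(Join-Path $PSScriptRoot "run-sdl.ps1") -GuardianCliLocation $guardianCliLocation -WorkingDirectory $workingDirectory -TargetDirectory $ArtifactsDirectory -GdnFolder $gdnFolder -ToolsList $ArtifactToolsList -AzureDevOpsAccessToken $AzureDevOpsAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams
}
if ($SourceToolsList -and $SourceToolsList.Count -gt 0) {
  & $(Join-Path $PSScriptRoot "run-sdl.ps1") -GuardianCliLocation $guardianCliLocation -WorkingDirectory $workingDirectory -TargetDirectory $SourceDirectory -GdnFolder $gdnFolder -ToolsList $SourceToolsList -AzureDevOpsAccessToken $AzureDevOpsAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams
}

# Pushing the baseline writes the updated .gdn folder back to $RepoName/$BranchName
# with the access token. A baseline update suppresses the current findings in every
# later scan, so this should only be enabled once those findings have been triaged.
if ($UpdateBaseline) {
  & (Join-Path $PSScriptRoot "push-gdn.ps1") -Repository $RepoName -BranchName $BranchName -GdnFolder $gdnFolder -AzureDevOpsAccessToken $AzureDevOpsAccessToken -PushReason "Update baseline"
}

# Publish to TSA only when explicitly requested with -TsaPublish. $TsaBranchName and
# $BuildNumber default to values from the build environment, so without this gate
# every build would publish regardless of the flag.
if ($TsaPublish) {
  if ($TsaBranchName -and $BuildNumber) {
    if (-not $TsaRepositoryName) {
      $TsaRepositoryName = "$($Repository)-$($BranchName)"
    }
    # The echoed command mirrors the real invocation below, including --onboard.
    Write-Host "$guardianCliLocation tsa-publish --all-tools --repository-name `"$TsaRepositoryName`" --branch-name `"$TsaBranchName`" --build-number `"$BuildNumber`" --onboard $True --codebase-name `"$TsaCodebaseName`" --notification-alias `"$TsaNotificationEmail`" --codebase-admin `"$TsaCodebaseAdmin`" --instance-url `"$TsaInstanceUrl`" --project-name `"$TsaProjectName`" --area-path `"$TsaBugAreaPath`" --iteration-path `"$TsaIterationPath`" --working-directory $workingDirectory --logger-level $GuardianLoggerLevel"
    & $guardianCliLocation tsa-publish --all-tools --repository-name "$TsaRepositoryName" --branch-name "$TsaBranchName" --build-number "$BuildNumber" --onboard $True --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $workingDirectory --logger-level $GuardianLoggerLevel
    if ($LASTEXITCODE -ne 0) {
      Write-Host "Guardian tsa-publish failed with exit code $LASTEXITCODE."
      exit $LASTEXITCODE
    }
  } else {
    Write-Host "Could not publish to TSA -- not all required values (`$TsaBranchName, `$BuildNumber) were specified."
    exit 1
  }
}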