

Merge pull request #49 from JFolberth/feature/ghazdo
Feature/ghazdo
JFolberth authored Mar 27, 2024
2 parents f1b84b6 + 354735e commit fd0b7bf
Showing 8 changed files with 146 additions and 1 deletion.
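--- a/jobs/ado_ghazdo_dependency_scanning_job.yml
+++ b/jobs/ado_ghazdo_dependency_scanning_job.yml
@@ -0,0 +1,16 @@
+parameters:
+- name: directoryExclusionList
+type: string
+default: ''
+- name: dependsOn
+type: object
+default: []
+- name: serviceName
+type: string
+
+jobs:
+- job: '${{ parameters.serviceName }}_ghazdo_dependency_scanning'
+displayName: '${{ parameters.serviceName }} GHAzDO Dependency Scanning'
+dependsOn: ${{ parameters.dependsOn }}
+steps:
+- template: ../tasks/ado_ghazdo_dependency_scanning_task.yml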
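Review bot: The `directoryExclusionList` parameter declared at the top of this job is never forwarded to the task template on the last line, so a caller who sets it gets the task's empty default and the exclusion silently has no effect. Pass it through: `- template: ../tasks/ado_ghazdo_dependency_scanning_task.yml` / `  parameters:` / `    directoryExclusionList: ${{ parameters.directoryExclusionList }}`. Unlike the build job in this same commit, this job has no gate on whether Advanced Security is actually enabled for the repository; if that is intentional, a comment such as `# Assumes GHAzDO is enabled on the repo; the AdvancedSecurity task fails otherwise` would make the contract explicit.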
11 changes: 10 additions & 1 deletion jobs/dotnetcore_build_publish_job.yml
Expand Up @@ -8,9 +8,11 @@ parameters:
publishArguments: ''
sdkVersion: ''
startUpProjectName: ''
GHAzDOEnabled: true

jobs:
- job: build_publish_${{parameters.projectName}}
dependsOn: GHAzDOCheckJob
variables:
projectName: ${{replace(parameters.projectName,'_','.')}}
srcFilePath: 'src'
Expand All @@ -23,11 +25,16 @@ jobs:
testProjectPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/${{ variables.srcFilePath }}/${{ variables.projectName }}'
startUpProjectPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/${{ variables.srcFilePath }}/${{ parameters.startUpProjectName }}'
dropLocation: 'drop/${{ parameters.projectName }}'
GHAzDOEnabled: $[ dependencies.GHAzDOCheckJob.outputs['GHAzDOCheck.GHAzDOEnabled'] ]
steps:
- template: ../tasks/dotnet_sdk_task.yml
parameters:
sdkVersion: ${{ parameters.sdkVersion }}
- template: ../tasks/nuget_auth_task.yml
- ${{ if eq(parameters.GHAzDOEnabled, true) }}:
- template: ../tasks/ado_ghazdo_codeql_init_task.yml
parameters:
languages: 'csharp'
- template: ../tasks/dotnetcore_cli_task.yml
parameters:
command: 'build'
Expand All @@ -39,7 +46,9 @@ jobs:
command: 'test'
projectPath: '${{ variables.testProjectPath }}/**/*.csproj'
arguments: '--configuration ${{ parameters.buildConfiguration }} --collect "Code coverage"'

- ${{ if eq(parameters.GHAzDOEnabled, true) }}:
- template: ../tasks/ado_ghazdo_dependency_scanning_task.yml
- template: ../tasks/ado_ghazdo_codeql_analyze_task.yml
- template: ../tasks/dotnetcore_cli_publish_task.yml
parameters:
zipAfterPublish: ${{ parameters.zipAfterPublish}}
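Review bot: The runtime variable `GHAzDOEnabled: $[ dependencies.GHAzDOCheckJob.outputs['GHAzDOCheck.GHAzDOEnabled'] ]` is assigned but never read: both `${{ if eq(parameters.GHAzDOEnabled, true) }}` gates are template expressions resolved at compile time from the static parameter (default `true`), so the result of the enablement check cannot switch the CodeQL and dependency-scanning steps on or off, and a repository without GHAzDO enabled will reach the AdvancedSecurity tasks and fail rather than skip. If the check is meant to drive the scans, the gate has to be a runtime `condition:` on the tasks inside the templates (they already carry a commented-out `condition:` line), for example `condition: and(succeeded(), eq(variables['GHAzDOEnabled'], 'True'))`, with the variable passed in; if the static parameter is the intended switch, drop the unused variable and the `dependsOn: GHAzDOCheckJob` it exists for. That hard-coded `dependsOn` also requires `GHAzDOCheckJob` to exist in the same stage, and the one-line change to `stages/dotnet_build_stage.yml` in this commit does not appear to add it — I would confirm it is wired up elsewhere. The `build_publish_…` job continues past the end of the hunk.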
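--- a/jobs/ghazdo_check_enabled_job.yml
+++ b/jobs/ghazdo_check_enabled_job.yml
@@ -0,0 +1,13 @@
+parameters:
+- name: displayName
+type: string
+default: 'GitHub Advanced Security Check if Enabled'
+- name: dependsOn
+type: object
+default: []
+
+jobs:
+- job: GHAzDOCheckJob
+displayName: ${{ parameters.displayName }}
+steps:
+- template: ../tasks/pwsh_ghazdo_enabled_check_task.yml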
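Review bot: The `dependsOn` parameter is declared with an empty default but never referenced in the job, so a caller who passes it gets no ordering and the parameter is dead; add `dependsOn: ${{ parameters.dependsOn }}` under the `job:` line, matching how `ado_ghazdo_dependency_scanning_job.yml` in this same commit does it. The job name `GHAzDOCheckJob` is a fixed string that the build job's `dependsOn` and its `dependencies.GHAzDOCheckJob.outputs[...]` lookup rely on; a comment like `# Job name is referenced by dependsOn/dependencies in consumer jobs — do not rename` would protect that contract.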
1 change: 1 addition & 0 deletions stages/dotnet_build_stage.yml
Expand Up @@ -18,6 +18,7 @@ stages:
variables:
solutionPath: '$(Build.SourcesDirectory)/${{ parameters.solutionName }}/'
jobs:

- ${{ each artifactToPublish in parameters.artifactsToPublish }} :
- template: ../jobs/artifact_publish_job.yml
parameters:
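--- a/tasks/ado_ghazdo_codeql_analyze_task.yml
+++ b/tasks/ado_ghazdo_codeql_analyze_task.yml
@@ -0,0 +1,27 @@
+parameters:
+- name: displayName
+type: string
+default: 'GitHub Advanced Security CodeQL Scan'
+- name: waitForProcessing
+type: boolean
+default: false
+- name: waitforProcessingInterval
+type: string
+default: '5'
+- name: waitForProcessingTimeout
+type: string
+default: '120'
+- name: GHAzDOEnabled
+type: string
+default: true
+
+
+
+steps:
+- task: AdvancedSecurity-Codeql-Analyze@1
+#condition: ${{ eq(parameters.GHAzDOEnabled, 'True') }}
+displayName: ${{ parameters.displayName }}
+inputs:
+WaitForProcessing: ${{ parameters.waitForProcessing }}
+WaitForProcessingInterval: ${{ parameters.waitforProcessingInterval }}
+WaitForProcessingTimeout: ${{ parameters.waitForProcessingTimeout }}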
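Review bot: `GHAzDOEnabled` is declared as `type: string` with a boolean default `true`, and the only place it was going to be used is the commented-out `#condition:` line, so the parameter is accepted but has no effect and the analyze task always runs. Either remove the parameter or restore the gate with a consistent type, e.g. `type: boolean` plus `condition: and(succeeded(), ${{ eq(parameters.GHAzDOEnabled, true) }})`, so the template-time comparison is boolean-to-boolean rather than the boolean-vs-`'True'` string comparison in the commented line. Note `waitForProcessing` defaults to `false`, which means the task reports success before the upload is processed; a comment stating that the pipeline does not wait on or fail from the scan result would help anyone expecting this step to be a gate.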
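--- a/tasks/ado_ghazdo_codeql_init_task.yml
+++ b/tasks/ado_ghazdo_codeql_init_task.yml
@@ -0,0 +1,48 @@
+parameters:
+- name: languages
+type: string
+default: ''
+- name: querySuite
+type: string
+default: 'security-and-quality'
+- name: ram
+type: string
+default: ''
+- name: threads
+type: string
+default: '0'
+- name: codeqlPathsToIgnore
+type: string
+default: ''
+- name: codeqlPathsToInclude
+type: string
+default: '*'
+- name: sourcesFolder
+type: string
+default: $(Build.SourcesDirectory)
+- name: logLevel
+type: string
+default: '_'
+- name: configFilepath
+type: string
+default: ''
+- name: displayName
+type: string
+default: 'Init CodeQL'
+- name: GHAzDOEnabled
+type: string
+default: true
+
+steps:
+- task: AdvancedSecurity-Codeql-Init@1
+displayName: ${{ parameters.displayName }}
+#condition: and(succeeded(), ${{ eq(parameters.GHAzDOEnabled, 'True')}})
+inputs:
+languages: ${{ parameters.languages }}
+ram: ${{ parameters.ram }}
+threads: ${{ parameters.threads }}
+codeqlpathstoignore: ${{ parameters.codeqlPathsToIgnore }}
+codeqlpathstoinclude: ${{ parameters.codeqlPathsToInclude }}
+sorucesFolder: ${{ parameters.sourcesFolder }}
+loglevel: ${{ parameters.logLevel }}
+configfilepath: ${{ parameters.configFilePath }}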
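Review bot: Three of the inputs do not line up with the parameters they are meant to carry: `sorucesFolder:` misspells the task input, so `sourcesFolder` and its `$(Build.SourcesDirectory)` default are never delivered to the task (an unrecognized input is at best ignored with a warning); `configfilepath: ${{ parameters.configFilePath }}` references a parameter declared as `configFilepath`, which as far as I know is a case-sensitive lookup and will break template expansion for every consumer (the build job in this commit includes this template whenever `GHAzDOEnabled` is true); and `querySuite`, defaulting to `'security-and-quality'`, is declared but never passed, so the task silently runs with its own default suite rather than the one this template advertises. Fix: `querysuite: ${{ parameters.querySuite }}`, `sourcesfolder: ${{ parameters.sourcesFolder }}` and `configfilepath: ${{ parameters.configFilepath }}`. As in the analyze template, the `#condition:` gate on `GHAzDOEnabled` is commented out so that parameter is dead here too, and `logLevel` defaulting to `'_'` reads like a placeholder rather than a valid level — it deserves either a real default or a comment explaining it.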
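--- a/tasks/ado_ghazdo_dependency_scanning_task.yml
+++ b/tasks/ado_ghazdo_dependency_scanning_task.yml
@@ -0,0 +1,13 @@
+parameters:
+- name: directoryExclusionList
+type: string
+default: ''
+- name: displayName
+type: string
+default: 'Advanced Security Dependency Scanning'
+
+steps:
+- task: AdvancedSecurity-Dependency-Scanning@1
+displayName: ${{ parameters.displayName }}
+inputs:
+directoryExclusionList: ${{ parameters.directoryExclusionList }}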
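--- a/tasks/pwsh_ghazdo_enabled_check_task.yml
+++ b/tasks/pwsh_ghazdo_enabled_check_task.yml
@@ -0,0 +1,18 @@
+parameters:
+- name: displayName
+type: string
+default: 'Check if GitHub Advanced Security for ADO is enabled on the repository'
+steps:
+- task: PowerShell@2
+displayName: ${{ parameters.displayName }}
+name: GHAzDOCheck
+inputs:
+failOnStderr: true
+targetType: 'inline'
+script: |
+$contentType = "application/json";
+$headers = @{ Authorization = 'Bearer $(System.AccessToken)' };
+$uri = "https://advsec.dev.azure.com/JFGHAzDO/$(System.TeamProject)/_apis/management/repositories/$(Build.Repository.Name)/enablement?includeAllProperties=true&api-version=7.2-preview.1";
+$response = Invoke-RestMethod -uri $uri -method GET -Headers $headers -ContentType $contentType;
+$GHAzDOEnabled = $response.advSecEnabled
+Write-Host "##vso[task.setvariable variable=GHAzDOEnabled;isOutput=true]$GHAzDOEnabled"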
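Review bot: The organization `JFGHAzDO` is hard-coded into the `advsec.dev.azure.com` URI in the `$uri` line, so this reusable template only answers correctly for that one org; in any other org the token is presented to a different tenant's endpoint and, depending on the response, the job either fails or emits an empty `GHAzDOEnabled`. Derive the org from the pipeline instead (from `$(System.TeamFoundationCollectionUri)`, or as a template parameter). Two related points: `$(System.AccessToken)` is macro-expanded into the inline script text, whereas the documented pattern is to expose it through `env:` and read `$env:SYSTEM_ACCESSTOKEN`, keeping the secret out of the script body; and if the API returns a body without `advSecEnabled`, `$GHAzDOEnabled` is `$null`, the output variable becomes an empty string, and downstream gates silently treat the repo as not enabled and skip the security scans — the check should fail closed by throwing when the field is missing.

```yaml
- task: PowerShell@2
  displayName: ${{ parameters.displayName }}
  name: GHAzDOCheck
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  inputs:
    # … unchanged: failOnStderr, targetType …
    script: |
      $headers = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
      # assumes the https://dev.azure.com/<org>/ collection URI form — confirm for <org>.visualstudio.com collections
      $org = ([uri]"$(System.TeamFoundationCollectionUri)").Segments[1].TrimEnd('/')
      $uri = "https://advsec.dev.azure.com/$org/$(System.TeamProject)/_apis/management/repositories/$(Build.Repository.Name)/enablement?includeAllProperties=true&api-version=7.2-preview.1"
      $response = Invoke-RestMethod -Uri $uri -Method GET -Headers $headers -ContentType "application/json"
      # fail closed: an unexpected response must not be read as "not enabled" and silently skip the scans
      if ($null -eq $response.advSecEnabled) { throw "Enablement API response has no advSecEnabled field" }
      Write-Host "##vso[task.setvariable variable=GHAzDOEnabled;isOutput=true]$($response.advSecEnabled)"
```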
