From f27dc36c48989d37fe7df6ff73fa8296e84f6179 Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Wed, 13 Nov 2019 18:38:25 -0600
Subject: [PATCH] Add automatic SDL validation (dotnet/core-setup#8846)
Commit migrated from https://github.com/dotnet/core-setup/commit/130c63e15de3227ddad89f8a9b4a24a249e678e8
---
 eng/pipelines/installer/azure-pipelines.yml | 2 ++
 eng/pipelines/installer/stages/publish.yml | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/eng/pipelines/installer/azure-pipelines.yml b/eng/pipelines/installer/azure-pipelines.yml
index 9d6b705..566a88e 100644
--- a/eng/pipelines/installer/azure-pipelines.yml
+++ b/eng/pipelines/installer/azure-pipelines.yml
@@ -69,6 +69,8 @@ variables:
 - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
 - name: SignType
 value: $[ coalesce(variables.OfficialSignType, 'real') ]
+ # Values for SDLValidationParameters
+ - group: core-setup-sdl-validation
 - ${{ if contains(variables['Build.DefinitionName'], 'runtime') }}:
 - name: pipelinesPath
diff --git a/eng/pipelines/installer/stages/publish.yml b/eng/pipelines/installer/stages/publish.yml
index 3752b24..29e12bf 100644
--- a/eng/pipelines/installer/stages/publish.yml
+++ b/eng/pipelines/installer/stages/publish.yml
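Review bot: The `core-setup-sdl-validation` group is added only under the `ne(variables['System.TeamProject'], 'public')` / `notin(variables['Build.Reason'], 'PullRequest')` condition, but the publish.yml hunk in this same patch sets `SDLValidationParameters.enable: true` unconditionally. If the publish stage is ever reached by a public or pull-request build, the `$(TsaInstanceURL)`-style macros in `params` have no definition and the SDL step would run with the literal placeholder text instead of the TSA settings; whether that path is reachable depends on how the publish stage is gated, which is outside these hunks. Either gate the flag with the same expression, e.g. `enable: ${{ and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}`, or record the assumption in the comment: `# Values for SDLValidationParameters; publish.yml assumes this group is present whenever SDL validation is enabled.` The `variables:` list this hunk edits continues outside the hunk.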
@@ -30,6 +30,23 @@ stages:
 # Allow symbol publish to emit expected warnings without failing the build. Include single
 # quotes inside the string so that it passes through to MSBuild without script interference.
 symbolPublishingAdditionalParameters: "'-warnAsError:$false'"
+ # Enable SDL validation, passing through values from the 'core-setup-sdl-validation' group.
+ SDLValidationParameters:
+ enable: true
+ artifactNames:
+ - PackageArtifacts
+ - BlobArtifacts
+ params: >-
+ -SourceToolsList @("policheck","credscan")
+ -TsaInstanceURL "$(TsaInstanceURL)"
+ -TsaProjectName "$(TsaProjectName)"
+ -TsaNotificationEmail "$(TsaNotificationEmail)"
+ -TsaCodebaseAdmin "$(TsaCodebaseAdmin)"
+ -TsaBugAreaPath "$(TsaBugAreaPath)"
+ -TsaIterationPath "$(TsaIterationPath)"
+ -TsaRepositoryName "$(TsaRepositoryName)"
+ -TsaCodebaseName "$(TsaCodebaseName)"
+ -TsaPublish $True
 # Create extra stage per BAR channel that needs extra publish steps. These run after the Arcade
 # stages because they depend on Arcade's NuGet package publish being complete.
-- 
2.7.4
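Review bot: The `params: >-` block depends on YAML folding to turn the nine `-Tsa*` lines into one space-separated argument string, and that contract is not stated anywhere near it; a later edit that inserts a blank line or a more-indented continuation inside the block would put a literal newline into the command line handed to the SDL script. A comment above the key makes the intent explicit: `# Folded (>-) on purpose: every line below must stay at this indent so the tool list and Tsa* switches fold into a single argument string.` The `-SourceToolsList` and `-TsaPublish $True` switches are passed through verbatim as well, so the same comment is a good place to name which tools run (policheck, credscan) so reviewers do not have to parse the PowerShell array. The `stages:` mapping this hunk edits continues outside the hunk.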