diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index d9dc639da094..5b842b4b1ae7 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -55,3 +55,23 @@ jobs:
 parameters:
 perf_or_release: ${{ variables['perf_or_release'] }}
 perf_tests: ${{ variables['perf_tests'] }}
+
+ - job: CredScan
+ variables:
+ Codeql.SkipTaskAutoInjection: true
+ skipComponentGovernanceDetection: true
+ pool:
+ vmImage: "ubuntu-20.04"
+ steps:
+ # Scan for credentials in the repo
+ - task: CredScan@3
+ inputs:
+ suppressionsFile: .gdn/CredScanSuppressions.json
+ # To suppress folders, rather than individual files, we require both of the following options
+ debugMode: true
+ folderSuppression: true
+
+ # Break the build if any credentials (or other Guardian scans) find issues
+ - task: PostAnalysis@2
+ inputs:
+ GdnBreakAllTools: true
diff --git a/.gdn/CredScanSuppressions.json b/.gdn/CredScanSuppressions.json
new file mode 100644
index 000000000000..2edaf59cd5fd
--- /dev/null
+++ b/.gdn/CredScanSuppressions.json
@@ -0,0 +1,13 @@
+{
+ "tool": "Credential Scanner",
+ "suppressions": [
+ {
+ "folder": ["3rdparty"],
+ "_justification": "Ignore 3rdparty test credentials"
+ },
+ {
+ "folder": ["tests/testdata"],
+ "_justification": "Ignore test credentials"
+ }
+ ]
+}
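Review bot: `debugMode: true` on the CredScan@3 step is enabled only as a prerequisite for `folderSuppression`, but the comment does not say what else it changes; debug mode presumably makes the task's log output more verbose, and pipeline logs are typically readable by everyone with access to the build, so it is worth confirming that the debug output does not echo the matched strings of any finding before relying on it. I would extend the existing comment to record that check, e.g. `# debugMode is required for folderSuppression; it also increases log verbosity — confirmed the debug output reports finding locations only`, adjusted to whatever the verification shows. The surrounding `jobs:` sequence begins outside the hunk, so I cannot tell whether this job inherits any trigger or branch conditions from the rest of the pipeline.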
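Review bot: The two suppressions are folder-wide, so any genuine secret that lands under `3rdparty` or `tests/testdata` in the future will be silently excluded along with the intended test fixtures, and the `_justification` strings do not name which fixtures drove the suppression. If the offending files are few, suppressing them individually would keep the scanner effective for the rest of those trees; if a folder suppression is unavoidable, I would at least make the justification specific, e.g. `"_justification": "tests/testdata holds placeholder credentials used by the credential-parsing tests; re-review when new fixtures are added"`. This is a judgement call on scope rather than a defect in the file itself.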