Skip to content

{ADO} Pin version 2.1.17 for cred scan#21230

Merged
zhoxing-ms merged 1 commit intodevfrom
pin_version_for_credscan
Feb 9, 2022
Merged

{ADO} Pin version 2.1.17 for cred scan#21230
zhoxing-ms merged 1 commit intodevfrom
pin_version_for_credscan

Conversation

@zhoxing-ms
Copy link
Contributor

@zhoxing-ms zhoxing-ms commented Feb 9, 2022
edited
Loading

Because package Microsoft.Security.CredScan in task Run Credential Scanner was upgraded from version 2.1.17 to the new version 2.2.7.8, a large number of issues were scanned, resulting in CI blocking pipeline link

Therefore, pin the version of Microsoft.Security.CredScan to the last successfully version 2.1.17 to avoid blocking CI

@zhoxing-ms zhoxing-ms changed the title Update azure-pipelines.yml for Azure Pipelines {ADO} Pin version 2.1.17 for cred scan Feb 9, 2022
@zhoxing-ms
Copy link
Contributor Author

zhoxing-ms commented Feb 9, 2022

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Feb 9, 2022

Azure Pipelines successfully started running 2 pipeline(s).

@yonzhan
Copy link
Collaborator

yonzhan commented Feb 9, 2022

ADO

@yonzhan yonzhan added this to the Feb 2022 (2022-03-01) milestone Feb 9, 2022
jiasli
jiasli reviewed Feb 9, 2022
View reviewed changes
azure-pipelines.yml
inputs:
toolMajorVersion: V2
suppressionsFile: './scripts/ci/credscan/CredScanSuppressions.json'
toolVersionV2: '2.1.17'
Copy link
Member

@jiasli jiasli Feb 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

toolVersionV2 doc: https://www.1eswiki.com/wiki/CredScan_Azure_DevOps_Build_Task

CredScan doc: https://aka.ms/CredScan (https://strikecommunity.azurewebsites.net/articles/4114/credential-scanner-overview.html)

@zhoxing-ms zhoxing-ms mentioned this pull request Feb 9, 2022
Merged
3 tasks
@jiasli
Copy link
Member

jiasli commented Feb 9, 2022

Also, as an FYI:

https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-overview

Effective July 1, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through July 1, 2022. Please refer to the OWASP Source Code Analysis Tools for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out GitHub Advanced Security.

Not sure what will be the replacement of CredScan.

@zhoxing-ms zhoxing-ms merged commit 0faa0ea into dev Feb 9, 2022
@jiasli jiasli mentioned this pull request Feb 9, 2022
Merged
@zhoxing-ms zhoxing-ms mentioned this pull request Feb 9, 2022
Merged
3 tasks
@jiasli jiasli deleted the pin_version_for_credscan branch February 10, 2022 06:43
zhoxing-ms added a commit to zhoxing-ms/azure-cli that referenced this pull request Feb 14, 2022
@zhoxing-ms
Update azure-pipelines.yml for Azure Pipelines (Azure#21230)
7c142b7 
Pin version for cred scan
@zhoxing-ms zhoxing-ms mentioned this pull request Feb 14, 2022
Merged
3 tasks
zhoxing-ms added a commit that referenced this pull request Feb 14, 2022
@zhoxing-ms @jiasli
{Release} Fix CI issue for release branch (#21277)
e861f13 
* [Packaging] BREAKING CHANGE: Drop `jmespath-terminal` from docker image (#21206)

* {Packaging} Fix CI job "Test Yum Package" by using `centos7` (#21207)

* Update azure-pipelines.yml for Azure Pipelines (#21230)

Pin version for cred scan

Co-authored-by: Jiashuo Li <4003950+jiasli@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiasli jiasli jiasli approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@wangzelin007 wangzelin007 wangzelin007 approved these changes

Assignees

@zhoxing-ms zhoxing-ms

Labels

None yet

Projects

None yet

Milestone

Feb 2022 (2022-03-01)

Development

Successfully merging this pull request may close these issues.

5 participants

@zhoxing-ms @yonzhan @jiasli @evelyn-ys @wangzelin007