This repository was archived by the owner on Jan 23, 2023. It is now read-only.

Security Build Definition - Core-Setup#2722

Merged
ravimeda merged 7 commits into dotnet:master from ravimeda:master
Jun 24, 2017

Conversation

@ravimeda
Member

@ravimeda ravimeda commented Jun 22, 2017

Similar to dotnet/corefx#20873

Introducing a build definition that will run the security tools required to comply with the Security Development Lifecycle (SDL). The build definition puts together VSTS extensions that run the tools, analyze logs, and upload results to Trust Services Automation, which creates work items for identified security issues.
The tools included in this definition are:

  1. BinSkim - validates compiler/linker settings and other security-relevant binary characteristics. https://github.com/Microsoft/binskim
  2. APIScan - determines whether or not the software complies with the API Usage Standard of the Interoperability Policy.
  3. CredScan - index and scan for credentials or other sensitive content.
  4. PoliCheck - scan code, code comments, and content for words that may be sensitive for legal, cultural, or geopolitical reasons.

The approach followed in this build is:

  1. Get NuGet packages corresponding to the specified official build.
  2. Extract packages to $(Build.SourcesDirectory)\security.
  3. Remove api-* and ucrtbase* assemblies from $(Build.SourcesDirectory)\security.
  4. Run BinSkim and APIScan.
  5. Get sources corresponding to the official build. This means checkout at the SHA listed in version.txt.
  6. Run CredScan and PoliCheck on the sources.

@chcosta PTAL. Specifically, syncAzure.proj, which is used to download packages from Azure storage.

@morganbr List of issues found -
https://msazure.visualstudio.com/defaultcollection/One/_workitems?tempQueryId=0bd28b94-e8c7-4173-b26b-8c000cd37f5e

Edit: Enable CI.
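Steps 2 and 3 of the approach above (extract the official build's packages into the security directory, then remove the api-* and ucrtbase* assemblies before BinSkim and APIScan run) as an added Python example. This is not code from the PR or from the Core-Setup build definition, which performs these steps with VSTS tasks and syncAzure.proj; the package names and file contents below are constructed stand-ins (placeholder bytes, not PE images), and the zip-slip check on extraction is an addition, not something the PR describes. The api-* and ucrtbase* files are the Universal CRT forwarders and runtime that the repository redistributes rather than builds, so findings on them would not be actionable here.

```python
import tempfile
import zipfile
from pathlib import Path

# Prefixes the build definition strips from the security directory before the
# binary scans run (case-insensitive; Windows file names are case-insensitive).
EXCLUDED_PREFIXES = ("api-", "ucrtbase")
# File types handed to BinSkim/APIScan; .nuspec and other metadata are skipped.
SCANNABLE_SUFFIXES = (".dll", ".exe")


def is_excluded(name: str) -> bool:
    """True for api-* and ucrtbase* assemblies, matched case-insensitively."""
    return name.lower().startswith(EXCLUDED_PREFIXES)


def extract_packages(package_dir: Path, out_dir: Path) -> list[Path]:
    """Extract every .nupkg (a zip container) in package_dir into out_dir/<package>."""
    extracted = []
    for nupkg in sorted(package_dir.glob("*.nupkg")):
        target = out_dir / nupkg.stem
        target_resolved = target.resolve()
        with zipfile.ZipFile(nupkg) as zf:
            for member in zf.namelist():
                # Added hardening: refuse members that would land outside the
                # package's folder (zip-slip) instead of silently relocating them.
                try:
                    (target / member).resolve().relative_to(target_resolved)
                except ValueError:
                    raise ValueError(f"unsafe path in {nupkg.name}: {member}")
            zf.extractall(target)
        extracted.append(target)
    return extracted


def prune_excluded(root: Path) -> list[Path]:
    """Delete api-*/ucrtbase* files anywhere under root; return what was removed."""
    removed = []
    for path in root.rglob("*"):
        if path.is_file() and is_excluded(path.name):
            path.unlink()
            removed.append(path)
    return removed


def scan_targets(root: Path) -> list[Path]:
    """Binaries that remain for BinSkim/APIScan once pruning is done."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCANNABLE_SUFFIXES
    )


def stage_security_dir(package_dir: Path, security_dir: Path) -> dict:
    """Run the extract-then-prune sequence and summarise the result."""
    extracted = extract_packages(package_dir, security_dir)
    removed = prune_excluded(security_dir)
    return {
        "packages": len(extracted),
        "removed": sorted(p.name for p in removed),
        "targets": sorted(p.name for p in scan_targets(security_dir)),
    }


def write_constructed_packages(package_dir: Path) -> list[Path]:
    """Write two constructed .nupkg files standing in for an official build's output.

    Package and member names are constructed for this example; the bytes are
    placeholders, not real assemblies.
    """
    package_dir.mkdir(parents=True, exist_ok=True)
    contents = {
        "runtime.win-x64.Example.NETCore.App.nupkg": [
            "runtimes/win-x64/native/coreclr.dll",
            "runtimes/win-x64/native/api-ms-win-core-file-l1-1-0.dll",
            "runtimes/win-x64/native/ucrtbase.dll",
            "runtimes/win-x64/lib/netcoreapp2.0/System.Private.CoreLib.dll",
        ],
        "runtime.win-x64.Example.DotNetHost.nupkg": [
            "runtimes/win-x64/native/dotnet.exe",
            "runtimes/win-x64/native/hostfxr.dll",
            "Example.DotNetHost.nuspec",
        ],
    }
    written = []
    for name, members in contents.items():
        path = package_dir / name
        with zipfile.ZipFile(path, "w") as zf:
            for member in members:
                zf.writestr(member, b"MZ-placeholder")
        written.append(path)
    return written


def demo() -> dict:
    """Stage the constructed packages in a scratch directory and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        packages = Path(tmp) / "packages"
        security = Path(tmp) / "security"
        write_constructed_packages(packages)
        return stage_security_dir(packages, security)


if __name__ == "__main__":
    print(demo())
```

The summary returned by `stage_security_dir` is what a build step would log: how many packages were staged, exactly which api-*/ucrtbase* files were dropped, and the list of binaries passed on to the scanners, so a reviewer can confirm nothing unexpected was excluded.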

@ravimeda ravimeda self-assigned this Jun 22, 2017
@ravimeda ravimeda requested review from chcosta and morganbr June 22, 2017 12:26
@ravimeda ravimeda merged commit 37c1df0 into dotnet:master Jun 24, 2017