From 58b19709c7b7b1d7a616d38b4dfd8c7598971009 Mon Sep 17 00:00:00 2001
From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com>
Date: Fri, 24 Sep 2021 16:39:08 -0700
Subject: [PATCH] Add common policheck steps (#2920)

Co-authored-by: Chidozie Ononiwu
---
 .../pipelines/templates/steps/policheck.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 eng/common/pipelines/templates/steps/policheck.yml

diff --git a/eng/common/pipelines/templates/steps/policheck.yml b/eng/common/pipelines/templates/steps/policheck.yml
new file mode 100644
index 000000000..5ef30187e
--- /dev/null
+++ b/eng/common/pipelines/templates/steps/policheck.yml
@@ -0,0 +1,36 @@
+parameters:
+  ExclusionDataBaseFileName: ''
+  TargetDirectory: ''
+  PublishAnalysisLogs: false
+  PoliCheckBlobSAS: "$(azuresdk-policheck-blob-SAS)"
+  ExclusionFilePath: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
+
+steps:
+  - pwsh: |
+      azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/${{ parameters.ExclusionDataBaseFileName }}.mdb?${{ parameters.PoliCheckBlobSAS }}" `
+        "$(Build.BinariesDirectory)"
+    displayName: 'Download PoliCheck Exclusion Database'
+
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+    displayName: 'Run PoliCheck'
+    inputs:
+      targetType: F
+      targetArgument: "$(Build.SourcesDirectory)/${{ parameters.TargetDirectory }}"
+      result: PoliCheck.sarif
+      optionsFC: 0
+      optionsXS: 1
+      optionsPE: 1|2|3|4
+      optionsRulesDBPath: "$(Build.BinariesDirectory)/${{ parameters.ExclusionDataBaseFileName }}.mdb"
+      optionsUEPATH: ${{ parameters.ExclusionFilePath }}
+
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+    displayName: 'Post Analysis (PoliCheck)'
+    inputs:
+      GdnBreakAllTools: false
+      GdnBreakGdnToolPoliCheck: true
+      GdnBreakGdnToolPoliCheckSeverity: Warning
+    continueOnError: true
+
+  - ${{ if eq(parameters.PublishAnalysisLogs, 'true') }}:
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+      displayName: 'Publish Security Analysis Logs'
\ No newline at end of file
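Review bot: `ExclusionDataBaseFileName` and `TargetDirectory` default to `''` but nothing in the template checks that a caller set them, so with the defaults the first step runs `azcopy copy` against `.../policheck/.mdb?<SAS>` and the PoliCheck task is handed `$(Build.BinariesDirectory)/.mdb` as `optionsRulesDBPath`; the misuse surfaces late, from azcopy or the scan, instead of as a clear parameter error. A compile-time guard such as `- ${{ if eq(parameters.ExclusionDataBaseFileName, '') }}:` wrapping a step that writes `##vso[task.logissue type=error]ExclusionDataBaseFileName is required` would report it before the download. Because the SAS reaches the script through `${{ parameters.PoliCheckBlobSAS }}`, a caller who overrides that parameter with a literal token would have it expanded into the job's YAML at compile time; a comment on the parameter saying it is expected to carry a variable reference like the default `$(azuresdk-policheck-blob-SAS)`, not the token itself, would make that explicit. `optionsUEPATH: ${{ parameters.ExclusionFilePath }}` is the only templated value left unquoted; `optionsUEPATH: "${{ parameters.ExclusionFilePath }}"` matches the other inputs. If I read `continueOnError: true` on the Post Analysis task right, the `GdnBreakGdnToolPoliCheck: true` break only marks the job as succeeded with issues rather than failing it — if that is intended, a one-line comment saying so would save the next reader the question.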