From 2a2e64b171a80e0ce005f998aa4552762b8b8ec2 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 17 Jan 2024 10:17:56 -0800
Subject: [PATCH] [ci] Add API Scan job (#225)
Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline The ApiScan task has been added to pipeline runs against `main`. This task should help us identify related issues earlier, rather than having to wait for a full scan of VS.
---
 azure-pipelines.yaml | 76 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 75 insertions(+), 1 deletion(-)
diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml
index d0f314fb..8c2bcfcf 100644
--- a/azure-pipelines.yaml
+++ b/azure-pipelines.yaml
@@ -10,6 +10,10 @@ pr:
 - d16-*
 - d17-*
+parameters:
+- name: ApiScanSourceBranch
+ default: 'refs/heads/main'
+
 # Global variables
 variables:
 - name: DotNetCoreVersion
@@ -66,9 +70,79 @@ jobs:
 displayName: 'Build NuGet'
 condition: and(succeeded(), eq(variables['agent.os'], 'Windows_NT'))
+ - task: PublishPipelineArtifact@1
+ displayName: Upload Build Output
+ inputs:
+ path: bin/Debug
+ artifactName: Output - $(System.JobName)
+
 - task: PublishPipelineArtifact@1
 displayName: Upload Artifacts
 inputs:
 path: $(Build.ArtifactStagingDirectory)
- artifactName: $(vmImage)
+ artifactName: Artifacts - $(System.JobName)
 condition: always()
+
+- job: api_scan
+ displayName: API Scan
+ dependsOn: build
+ condition: and(eq(dependencies.build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
+ pool:
+ name: Azure Pipelines
+ vmImage: windows-2022
+ timeoutInMinutes: 480
+ workspace:
+ clean: all
+ steps:
+ - task: DownloadPipelineArtifact@2
+ displayName: Download build artifacts
+ inputs:
+ artifactName: Output - windows
+ downloadPath: $(Build.SourcesDirectory)
+
+ - task: CopyFiles@2
+ displayName: Collect Files for APIScan
+ inputs:
+ Contents: |
+ $(Build.SourcesDirectory)\**\?(*.dll|*.exe|*.pdb)
+ !$(Build.SourcesDirectory)\**\ls-jdks.*
+ TargetFolder: $(Build.StagingDirectory)\apiscan
+ OverWrite: true
+ flattenFolders: true
+
+ - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse
+ displayName: List Files for APIScan
+
+ - task: APIScan@2
+ displayName: Run APIScan
+ inputs:
+ softwareFolder: $(Build.StagingDirectory)\apiscan
+ symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan'
+ softwareName: $(ApiScanName)
+ softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt)
+ isLargeApp: true
+ toolVersion: Latest
+ env:
+ AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
+ - task: SdtReport@2
+ displayName: Guardian Export - Security Report
+ inputs:
+ GdnExportAllTools: false
+ GdnExportGdnToolApiScan: true
+ GdnExportOutputSuppressionFile: source.gdnsuppress
+
+ - task: PublishSecurityAnalysisLogs@3
+ displayName: Publish Guardian Artifacts
+ inputs:
+ ArtifactName: APIScan Logs
+ ArtifactType: Container
+ AllTools: false
+ APIScan: true
+ ToolLogsNotFoundAction: Warning
+
+ - task: PostAnalysis@2
+ displayName: Fail Build on Guardian Issues
+ inputs:
+ GdnBreakAllTools: false
+ GdnBreakGdnToolApiScan: true
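Review bot: The `CopyFiles@2` step globs `$(Build.SourcesDirectory)\**\?(*.dll|*.exe|*.pdb)` after `DownloadPipelineArtifact@2` has placed the build output in that same directory, and because the `api_scan` job has no `- checkout: none` step the default checkout runs first, so any binaries present in the repository checkout are swept into the scan set alongside the downloaded artifact. Giving the download its own folder and scanning only that keeps the scan input equal to what the build produced — `downloadPath: $(Build.StagingDirectory)\output`, `Contents: $(Build.StagingDirectory)\output\**\?(*.dll|*.exe|*.pdb)` (with the `ls-jdks.*` exclusion moved to the same prefix), and `- checkout: none` as the first step if the job needs nothing else from the source tree. `$(ApiScanName)`, `$(ApiScanClientId)`, `$(ApiScanTenant)` and `$(ApiScanSecret)` are defined nowhere in this diff; if they come from a variable group, a comment above the `api_scan` job naming it and noting that `ApiScanSecret` must be a secret variable (so the value embedded in the `AzureServicesAuthConnectionString` env line is masked in logs) would help the next maintainer. `artifactName: Output - windows` also hard-codes the name of the build job's matrix leg, which is defined outside this hunk, so a rename there would only surface as a failed download here.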