Feature Request: Enable BinSkim for making sure our binaries are good #908
Labels
Area-Build
Issues pertaining to the build system, CI, infrastructure, meta
Issue-Task
It's a feature request, but it doesn't really need a major design.
Product-Meta
The product is the management of the products.
Resolution-Fix-Committed
Fix is checked in, but it might be 3-4 weeks until a release.
Milestone
Comments
DHowett-MSFT
added
Issue-Feature
ghost
added
the
Needs-Triage
DHowett-MSFT
added
Issue-Task
|
@miniksa Hmm, this sounds like something you just did... |
|
It is! |
4 tasks
ghost
pushed a commit
that referenced
this issue
Jan 5, 2022
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include: - Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build - PREfast - C/C++ static analysis for common code errors and exploits - Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically - Credscan - Looks for credentials left behind in the code/documents and build output files - BinSkim - Searches for common vulnerabilities in binaries - CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image - CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks. We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated. ## References - #11948 - Move from CFG to XFG once XFG task folks get back to me on it - #11949 - Enable bug filing for SecComp tasks - #11950 - Bulk process bugs filed by SecComp tasks - #11947 - Validate SBOM when checkers come online ## Checklist - [x] - Fixes #10735 - [x] - Fixes #908 - [x] - I work here - [x] - If it fits, it sits.
ghost
added
Resolution-Fix-Committed
miniksa
added a commit
that referenced
this issue
Jan 10, 2022
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include: - Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build - PREfast - C/C++ static analysis for common code errors and exploits - Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically - Credscan - Looks for credentials left behind in the code/documents and build output files - BinSkim - Searches for common vulnerabilities in binaries - CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image - CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks. We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated. - #11948 - Move from CFG to XFG once XFG task folks get back to me on it - #11949 - Enable bug filing for SecComp tasks - #11950 - Bulk process bugs filed by SecComp tasks - #11947 - Validate SBOM when checkers come online - [x] - Fixes #10735 - [x] - Fixes #908 - [x] - I work here - [x] - If it fits, it sits.
|
🎉This issue was addressed in #11849, which has now been successfully released as Handy links: |
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
BinSkim will warn us if we don't build right.
The text was updated successfully, but these errors were encountered: