Conversation

Nitin-100 (Contributor)
@Nitin-100 Nitin-100 commented Oct 9, 2025

Summary

Enables TSA (Team Services Automation) for automatic bug filing to satisfy SDL compliance requirement.

Changes

  • Added TSA configuration to PostAnalysis task in run-compliance-prebuild.yml
  • Added TSA configuration to CodeQL3000Finalize task in compliance.yml
  • Enabled Guardian and added TSA options in GuardianCustomConfiguration.json

Configuration

  • Area Path: OS\Windows Client and Services\WinPD\SPICE\ReactNative
  • Iteration: OS\Future
  • Bug Tags: SDL, Security, Compliance, CodeQL

Impact

Security findings will now automatically create work items in Azure DevOps:

  • CodeQL findings (C++, C#, TypeScript, JavaScript)
  • CredScan findings (credentials)
  • PoliCheck findings (terminology)
  • AntiMalware findings
  • BinSkim findings (binaries)
  • Component Governance findings (OSS)

Testing Plan

Verify bugs are auto-filed in ADO
Verify CodeQL uploads to CodeQL Central

Resolves

  • Work Item: #58386072
  • SDL Requirement: Run SDL code analysis tools and automatically file bugs

@Nitin-100 Nitin-100 self-assigned this Oct 9, 2025
@Nitin-100 Nitin-100 requested review from a team as code owners October 9, 2025 08:21
@anupriya13 anupriya13 requested a review from Copilot October 13, 2025 05:57
@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR enables TSA (Team Services Automation) for automatic bug filing to satisfy SDL compliance requirements. The changes configure automated bug creation in Azure DevOps when security findings are detected by various compliance tools.

  • Added TSA configuration to Guardian custom configuration
  • Enabled TSA in the PostAnalysis task for general compliance tools
  • Enabled TSA in the CodeQL3000Finalize task for CodeQL-specific findings

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File                                        | Description
--------------------------------------------|-----------------------------------------------------------------------------------------
GuardianCustomConfiguration.json            | Added TSA options with area path, notification settings, and bug tagging configuration
.ado/templates/run-compliance-prebuild.yml  | Enabled TSA for PostAnalysis task with compliance-specific bug tags
.ado/compliance.yml                         | Enabled TSA for CodeQL3000Finalize task with CodeQL-specific bug tags

"iterationPath": "OS\\Future",
"notificationAliases": ["[email protected]", "[email protected]"],
"codebaseAdmins": ["[email protected]"],
"bugTags": ["SDL", "Security", "Compliance"],
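Review bot: the notificationAliases and codebaseAdmins lines of this snippet commit literal mailbox addresses into a checked-in configuration file; consider sourcing these values from pipeline variables so the on-call alias or admin list can be changed without a code commit and the addresses are not published with the repository. Keeping codebaseAdmins to the smallest set that actually needs to administer the TSA codebase is also worth checking, since that list controls who can manage the auto-filed bugs.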
Copilot AI Oct 13, 2025

The bug tags are inconsistent across files. Consider using a consistent set of base tags like ['SDL', 'Security'] across all TSA configurations, with tool-specific tags added as needed.

Suggested change
"bugTags": ["SDL", "Security", "Compliance"],
"bugTags": ["SDL", "Security"],

Nitin Chaudhary added 2 commits October 15, 2025 13:24
- Configure TSA in PostAnalysis task for pre-build compliance tools
- Configure TSA in CodeQL3000Finalize for CodeQL security findings
- Enable Guardian with TSA options in GuardianCustomConfiguration.json
- Set Area Path: OS\Windows Client and Services\WinPD\SPICE\ReactNative
- Configure notifications to [email protected] and [email protected]
- Resolves work item #58386072

This enables automatic bug filing for all SDL findings from:
- CodeQL (C++, C#, TypeScript, JavaScript)
- CredScan (credential scanning)
- PoliCheck (terminology scanning)
- AntiMalware (malware detection)
- BinSkim (binary analysis)
- Component Governance (OSS detection)
- Replace hardcoded email addresses with environment variables
- Use  and  variables
- Standardize bug tags to ['SDL', 'Security'] across all TSA configs
- Remove tool-specific tags (Guardian, Compliance, CodeQL) for consistency

Addresses review comments from @sharath2727 and Copilot AI
@Nitin-100 Nitin-100 force-pushed the nitinc/enable-tsa-bug-filing branch from 4161326 to 0f322f0 Compare October 15, 2025 07:54
@Nitin-100 Nitin-100 merged commit 52f129e into microsoft:main Oct 15, 2025
58 checks passed