Enable TSA automatic bug filing for SDL compliance #15219
Pull Request Overview
This PR enables TSA (Team Services Automation) for automatic bug filing to satisfy SDL compliance requirements. The changes configure automated bug creation in Azure DevOps when security findings are detected by various compliance tools.
- Added TSA configuration to Guardian custom configuration
- Enabled TSA in the PostAnalysis task for general compliance tools
- Enabled TSA in the CodeQL3000Finalize task for CodeQL-specific findings
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| GuardianCustomConfiguration.json | Added TSA options with area path, notification settings, and bug tagging configuration |
| .ado/templates/run-compliance-prebuild.yml | Enabled TSA for PostAnalysis task with compliance-specific bug tags |
| .ado/compliance.yml | Enabled TSA for CodeQL3000Finalize task with CodeQL-specific bug tags |
```json
    "iterationPath": "OS\\Future",
    "notificationAliases": ["[email protected]", "[email protected]"],
    "codebaseAdmins": ["[email protected]"],
    "bugTags": ["SDL", "Security", "Compliance"],
```
Copilot AI, Oct 13, 2025
The bug tags are inconsistent across files. Consider using a consistent set of base tags like ['SDL', 'Security'] across all TSA configurations, with tool-specific tags added as needed.
```diff
-    "bugTags": ["SDL", "Security", "Compliance"],
+    "bugTags": ["SDL", "Security"],
```
- Configure TSA in PostAnalysis task for pre-build compliance tools
- Configure TSA in CodeQL3000Finalize for CodeQL security findings
- Enable Guardian with TSA options in GuardianCustomConfiguration.json
- Set Area Path: OS\Windows Client and Services\WinPD\SPICE\ReactNative
- Configure notifications to [email protected] and [email protected]
- Resolves work item #58386072

This enables automatic bug filing for all SDL findings from:
- CodeQL (C++, C#, TypeScript, JavaScript)
- CredScan (credential scanning)
- PoliCheck (terminology scanning)
- AntiMalware (malware detection)
- BinSkim (binary analysis)
- Component Governance (OSS detection)
- Replace hardcoded email addresses with environment variables
- Use and variables
- Standardize bug tags to ['SDL', 'Security'] across all TSA configs
- Remove tool-specific tags (Guardian, Compliance, CodeQL) for consistency

Addresses review comments from @sharath2727 and Copilot AI
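The two follow-ups in the commit above (one base tag set for every TSA configuration, no hardcoded mailboxes) are easy to regress because the settings live in three files. The following lint is an added example, not code from this PR or from the project: it walks already-parsed copies of the three files and reports any bugTags list that drops a base tag or carries a tool-specific extra, and any notification alias or codebase admin that is a literal mailbox rather than an Azure Pipelines `$(Variable)` reference. The key names `tsaOptions`, `tsaBugTags` and `tsaNotificationAliases`, the variable names `$(TsaNotificationAlias)` and `$(TsaCodebaseAdmin)`, and all sample values are assumptions constructed for the example; only the area path is taken from the commit message.

```python
"""Lint TSA auto-bug-filing settings spread across several pipeline files.

Added example, not project code. Key names (tsaOptions, tsaBugTags,
tsaNotificationAliases) and the $(...) variable names are assumptions about
the schema; every value below is a constructed sample.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

REQUIRED_TAGS = ("SDL", "Security")

# $(Name) is an Azure Pipelines variable reference; anything that looks like a
# mailbox and is not such a reference is treated as a hardcoded recipient.
_VAR_REF = re.compile(r"^\$\([A-Za-z0-9_.]+\)$")
_MAILBOX = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed: the three files this PR touches, after parsing (json.load for
# the Guardian config, a YAML loader for the .ado files), before the fix.
BEFORE: Dict[str, dict] = {
    "GuardianCustomConfiguration.json": {
        "tsaOptions": {
            "areaPath": "OS\\Windows Client and Services\\WinPD\\SPICE\\ReactNative",
            "notificationAliases": ["team-alias@example.com"],
            "codebaseAdmins": ["$(TsaCodebaseAdmin)"],
            "bugTags": ["SDL", "Security", "Compliance"],
        }
    },
    ".ado/templates/run-compliance-prebuild.yml": {
        "tsaNotificationAliases": ["$(TsaNotificationAlias)"],
        "tsaBugTags": ["SDL", "Security", "Guardian"],
    },
    ".ado/compliance.yml": {
        "tsaNotificationAliases": ["$(TsaNotificationAlias)"],
        "tsaBugTags": ["SDL", "CodeQL"],  # also dropped the Security base tag
    },
}

# Constructed: the same three files with both review points applied.
AFTER: Dict[str, dict] = {
    "GuardianCustomConfiguration.json": {
        "tsaOptions": {
            "areaPath": "OS\\Windows Client and Services\\WinPD\\SPICE\\ReactNative",
            "notificationAliases": ["$(TsaNotificationAlias)"],
            "codebaseAdmins": ["$(TsaCodebaseAdmin)"],
            "bugTags": ["SDL", "Security"],
        }
    },
    ".ado/templates/run-compliance-prebuild.yml": {
        "tsaNotificationAliases": ["$(TsaNotificationAlias)"],
        "tsaBugTags": ["SDL", "Security"],
    },
    ".ado/compliance.yml": {
        "tsaNotificationAliases": ["$(TsaNotificationAlias)"],
        "tsaBugTags": ["SDL", "Security"],
    },
}


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted key path, value) for every non-dict value in a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    else:
        yield path, node


def find_tag_issues(configs: Dict[str, dict], required=REQUIRED_TAGS) -> List[str]:
    """Report bugTags lists that lack a base tag or carry tool-specific extras."""
    issues: List[str] = []
    for fname, cfg in configs.items():
        for key, value in _walk(cfg):
            if not key.lower().endswith("bugtags") or not isinstance(value, list):
                continue
            tags = set(value)
            missing = sorted(set(required) - tags)
            extra = sorted(tags - set(required))
            if missing:
                issues.append(f"{fname}: {key} missing required tag(s) {missing}")
            if extra:
                issues.append(f"{fname}: {key} has tool-specific tag(s) {extra}")
    return issues


def find_hardcoded_recipients(configs: Dict[str, dict]) -> List[str]:
    """Report notification aliases or codebase admins given as literal mailboxes."""
    issues: List[str] = []
    for fname, cfg in configs.items():
        for key, value in _walk(cfg):
            if not key.lower().endswith(("notificationaliases", "codebaseadmins")):
                continue
            for entry in value if isinstance(value, list) else []:
                if isinstance(entry, str) and _MAILBOX.match(entry) and not _VAR_REF.match(entry):
                    issues.append(f"{fname}: {key} hardcodes recipient {entry!r}")
    return issues


def lint(configs: Dict[str, dict]) -> List[str]:
    """All findings for one set of parsed config files; an empty list means clean."""
    return find_tag_issues(configs) + find_hardcoded_recipients(configs)


if __name__ == "__main__":
    for label, configs in (("before", BEFORE), ("after", AFTER)):
        findings = lint(configs)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Run against the pre-fix sample it reports five findings (three tool-specific tags, one missing `Security`, one literal mailbox); against the post-fix sample it reports none. Wiring it in as a pre-commit hook or a pipeline step keeps the base tag set from drifting the next time a tool-specific tag is added in only one of the three files.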
4161326 to 0f322f0
Summary
Enables TSA (Team Services Automation) for automatic bug filing to satisfy SDL compliance requirements.
Changes
Configuration
Impact
Security findings will now automatically create work items in Azure DevOps:
Testing Plan
- Verify bugs are auto-filed in ADO
- Verify CodeQL uploads to CodeQL Central
Resolves