Context
The VMR is a projection of the sources of all product repos, and with it come all the associated problems, such as making sure the repo is compliant. This issue is about investigating the final set of scans and validations we should run, and when and how to run them. The scope should range from CG through Secure Supply Chain and SDL to 1ES PT scans such as CodeQL.
Problems
There are several problems we already know about:
- CodeQL runs too long on Windows for a repo of this size.
- Suppressed CG alerts coming from product repositories will re-surface in the VMR. The dismissal in the AzDO UI won't transfer, and the VMR will get flagged again.
- Alerts showing in the VMR need to be routed to some owners from their original repositories.
- Submodules of 3rd party repos can contain problems which will surface in the VMR, since their sources are inlined in the repo.
- Many scans run in all builds of all platforms, no matter how different these are.
Business goal
We have a responsible and sustainable compliance solution for the VMR.
Related docs
https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs
Related issues