Skip to content

Utilize CredScan suppressions file#3616

Merged
MichaelSimons merged 1 commit intodotnet:mainfrom
NikolaMilosavljevic:credscan.suppressions
Dec 2, 2025
Merged

Utilize CredScan suppressions file#3616
MichaelSimons merged 1 commit intodotnet:mainfrom
NikolaMilosavljevic:credscan.suppressions

Conversation

@NikolaMilosavljevic
Copy link
Member

@NikolaMilosavljevic NikolaMilosavljevic commented Dec 1, 2025

CredScan suppressions file was checked in, but wasn't referenced in YML. This should fix issues in source-build-reference-packages, aspnetcore and msbuild

@wtgodbe @rainersigwald

@NikolaMilosavljevic NikolaMilosavljevic requested review from a team as code owners December 1, 2025 23:47
Copilot AI review requested due to automatic review settings December 1, 2025 23:47
Copilot AI reviewed Dec 1, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables the use of an existing CredScan suppressions file by adding a reference to it in the official build pipeline configuration. The suppressions file (.config/CredScanSuppressions.json) was previously checked in but not referenced, causing CredScan to flag false positives in test code and certificates across multiple repositories including source-build-reference-packages, aspnetcore, and msbuild.

Key Changes:

  • Added credscan configuration block to the SDL section of the official build pipeline
  • Configured suppressionsFile property to point to the existing .config/CredScanSuppressions.json file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MichaelSimons
Copy link
Member

MichaelSimons commented Dec 2, 2025

The change validation failure is unrelated, merging.

@MichaelSimons MichaelSimons merged commit 9cc4c5f into dotnet:main Dec 2, 2025
15 of 17 checks passed
@akoeplinger
Copy link
Member

akoeplinger commented Dec 3, 2025
edited
Loading

credscan is not enabled by default anymore (it was replaced with 1ES Secret Scanning), before that credscan automatically respected the .config/CredScanSuppression.json so this should be a no-op now.

@NikolaMilosavljevic can you link the place where you saw errors?

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Dec 3, 2025

credscan is not enabled by default anymore (it was replaced with 1ES Secret Scanning), before that credscan automatically respected the .config/CredScanSuppression.json so this should be a no-op now.

@NikolaMilosavljevic can you link the place where you saw errors?

This suppression method works in individual repos, i.e. source-build-reference-packages, but did not work in VMR due to the missing credscan parameter. At least that was the idea for this change.

This doesn't show in builds, only on s360 board.

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Dec 3, 2025

Hmm, 1ES Secret Scanning (SPMI) tooling does not allow suppressions.

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Dec 12, 2025

/backport to release/10.0.1xx

@github-actions
Copy link
Contributor

github-actions bot commented Dec 12, 2025

Started backporting to release/10.0.1xx (link to workflow run)

@github-actions github-actions bot mentioned this pull request Dec 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rainersigwald rainersigwald rainersigwald approved these changes

@ViktorHofer ViktorHofer ViktorHofer approved these changes

@MichaelSimons MichaelSimons MichaelSimons approved these changes

@wtgodbe wtgodbe wtgodbe approved these changes

Assignees

No one assigned

Labels

None yet

Projects

.NET Unified Build
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@NikolaMilosavljevic @MichaelSimons @akoeplinger @rainersigwald @ViktorHofer @wtgodbe