ci: add deep SAST via SecurityCodeScan Roslyn analyzer
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build - HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true - No extra CI step needed: analyzer runs inside every build job automatically Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -39,13 +39,13 @@ jobs:
|
|||||||
- name: Restore dependencies
|
- name: Restore dependencies
|
||||||
run: dotnet restore
|
run: dotnet restore
|
||||||
|
|
||||||
- name: Build Shared
|
- name: Build Shared (includes SAST via SecurityCodeScan)
|
||||||
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
||||||
|
|
||||||
- name: Build Bot (compile check)
|
- name: Build Bot (compile check, includes SAST)
|
||||||
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
||||||
|
|
||||||
- name: Build Web (compile check)
|
- name: Build Web (compile check, includes SAST)
|
||||||
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
||||||
|
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
|
|||||||
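Review bot: The renamed steps at the `Build Shared`, `Build Bot` and `Build Web` lines now advertise SAST, but the workflow keeps no record of what the analyzer reported — a finding surfaces only as a compiler error in the build log, and a clean run leaves no evidence that the analyzer ran at all. Consider persisting the Roslyn diagnostics, e.g. `run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore -p:ErrorLog=sast-shared.sarif`, and uploading the SARIF files as a job artifact so findings and suppressions can be reviewed outside the log. The gate itself lives entirely in Directory.Build.props through TreatWarningsAsErrors, so a comment such as `# SAST gate: SecurityCodeScan warnings become build errors via Directory.Build.props` on these steps would make that cross-file dependency visible to the next person editing either file. The `jobs:` block continues outside the hunk.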
@@ -7,4 +7,8 @@
|
|||||||
<ImplicitUsings>enable</ImplicitUsings>
|
<ImplicitUsings>enable</ImplicitUsings>
|
||||||
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
|
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<ItemGroup>
|
||||||
|
<PackageReference Include="SecurityCodeScan.VS2019" Version="5.6.7" PrivateAssets="all" />
|
||||||
|
</ItemGroup>
|
||||||
</Project>
|
</Project>
|
||||||
|
|||||||
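Review bot: The added `PackageReference` for SecurityCodeScan relies on the existing `TreatWarningsAsErrors` above it to gate the build, which promotes every diagnostic the analyzer emits to an error; nothing in this hunk scopes that to HIGH/CRITICAL findings as the commit message claims, so the gate is stricter than described and the likely escape hatch is a `<NoWarn>` entry or a `#pragma warning disable` that this file would honour silently. Consider documenting that above the new ItemGroup with `<!-- SecurityCodeScan (SAST): every SCS diagnostic fails the build via TreatWarningsAsErrors; suppressions (NoWarn / pragma) require review. -->`, and keeping any deliberately downgraded SCS IDs in a `WarningsNotAsErrors` property in this same file so they are reviewed in one place. The analyzer is also a supply-chain input to every build; the pinned version is good, and a restore lock file (`RestorePackagesWithLockFile`) would make that pin reproducible across CI runs. The `<Project>` element opens before the hunk.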