Secure Supply Chain Analysis fails in Azure DevOps CI pipeline

[eoumenwa]

How can I skip the check to avoid this error?

Starting Pipeline Configuration Security Analysis:
2023-11-06T18:14:22.8005361Z Azure Artifacts Configuration Analysis found 837 package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/cfs for more details. If you need additional help, email (feedprotection@microsoft.com).
2023-11-06T18:14:22.8061421Z ##[warning]Container security analysis found 1 violations. This repo has one or more docker files having references to images from external registries. Please review https://aka.ms/containers-security-guidance to remove the reference of container images from external registries. Please reach out via teams (https://aka.ms/cssc-teams) or email (cssc@microsoft.com) for any questions or clarifications.

2023-11-06T18:14:22.8088975Z ##[error]NuGet Security Analysis found 1 NuGet package configuration file in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/nugetmultifeed for more details. If you need additional help, email (feedprotection@microsoft.com).

2023-11-06T18:14:24.2599897Z ##[section]Finishing: Secure Supply Chain Analysis (auto-injected by policy)

[LarryOsterman]

QQ: Does the CI pipeline fail for you, or is it just a warning?

Also: Could you please include a link to the failing pipeline? The only failing pipeline in the public repo that I see is the keyvault pipeline and that is failing for an unrelated error.

[eoumenwa]

It fails. Here is the link https://dev.azure.com/eumenwa/DockerWebApp/_build/results?buildId=194&view=logs&j=fd490c07-0b22-5182-fac9-6d67fe1e939b&t=304a745d-52db-57c4-6ad1-5ecd8595ddc2&l=956 On Monday, November 6, 2023 at 03:07:08 PM EST, Larry Osterman ***@***.***> wrote: QQ: Does the CI pipeline fail for you, or is it just a warning? — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[LarryOsterman]

I don't have access to that pipeline :(. But from the URL, it doesn't appear to be an Azure SDK for C++ pipeline.

Could you help us understand why you believe that this is an Azure SDK for C++ issue (note: There are at least one dockerfile in the azure sdk for C++ repo that might trigger this, but that dockerfile has been annotated to mute the error).