Merge pull request #8594 from dotnet/marcpopMSFT-binskimworkaround

Change binskim to filter and only run on build legs

Author: marcpopMSFT

azure-pipelines.yml

@@ -59,8 +59,6 @@ extends:
         enabled: true
       tsa:
         enabled: true
-      binskim:
-        analyzeTargetGlob: +:f|**\*.dll;+:f|**\*.exe;
     stages:
     - stage: build
       displayName: Build
@@ -89,6 +87,14 @@ extends:
             enableInternalSources: true
           enableTelemetry: true
           helixRepo: dotnet/templating
+          templateContext:
+            sdl:
+              binskim:
+                analyzeTargetGlob: +:f|artifacts\bin\**\*.dll;+:f|artifacts\bin\**\*.exe;
+          # WORKAROUND: BinSkim requires the folder exist prior to scanning.
+          preSteps:
+          - powershell: New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/artifacts/bin -Force
+            displayName: Create artifacts/bin directory
           jobs:
           - ${{ each config in parameters.buildConfigurations }}:
             - job: Windows_NT_${{ config.buildConfig }}