Open premun opened 2 years ago
Another aspect to consider is Guardian suppression files. Those may be added in product repos to handle suppression of certain errors from Guardian in their CI builds. But when the offending source flows into the VMR, the product repo's suppression file is not used by the VMR build, and the error would be reported for the VMR but not for the product repo.
This related issue also popped up yesterday: https://github.com/dotnet/source-build/issues/4294.
I'm seeing SDL issues at the product level but not in all the individual repos. It seems like many repos have fixed the SDL issue at the repo level by syncing with arcade, but those updated repos have not been syncing into the VMR.
Context
The VMR is a projection of the sources of all product repos, and with it come all of the associated problems, such as making sure the repo is compliant. This issue is about investigating the final set of scans and validations we should run, and when and how to run them. The scope ranges from CG (Component Governance) through Secure Supply Chain and SDL to 1ES PT (1ES Pipeline Templates) scans such as CodeQL.
Problems
There are several problems we already know about:
Business goal
We have a responsible and sustainable compliance solution for the VMR.
Related docs
https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs
Related issues