Guidance to set up APIScan in a pipeline in dnceng

[Shyam-Gupta]

This request is for WinForms designer private Github repo: https://github.com/microsoft/winforms-designer. This repo produces a VSIX and an SDK NuGet package. The VSIX gets inserted into VS and the corresponding binaries are scanned automatically for APIScan centrally. However, the NuGet package is released externally to customers, and for that we have received guideline that we need to run APIScan on our own for the repo.

We already have a dnceng pipeline which runs APIScan: https://dev.azure.com/dnceng/internal/_build?definitionId=1259 This pipeline, however, does not use Managed Identity at present, which is a security issue. We need to resolve it by 5/31.

Since this pipeline is classified as Non-Production, we haven't moved it to 1ES yet. But the changes to move to 1ES are in one of my private branch and we can commit that if required.

I found this wiki which mentions that a shared Managed Identity (MI) was created and assigned to MicroBuild customers for use for their APIScan runs. Since the corresponding pool is in devdiv, we cannot access it from dnceng.

Thus, if Arcade could create a similar MI and assign it to one of the pools (say, NetCore1ESPool-Internal) that we can use for our pipeline, then it should resolve the issue.

cc: @merriemcgaw, @KlausLoeffelmann

Release Note Category

• [ ] Feature changes/additions
• [ ] Bug fixes
• [ ] Internal Infrastructure Improvements

  Release Note Description

[riarenas]

The microbuild guidance includes the usage of a pool-wide managed identity to get this working. We have some very recent guidance that pool-wide managed identities should not be used, so we should:

• Get clarity on whether that is true
• If that is true, figure out a better path forward for dnceng customers.

[KlausLoeffelmann]

@riarenas: If there are additional tasks on our end, we can do, to expedite this, please don't hesitate to contact me, so I can ramp-up in time and then take care of getting those things into gear!

[merriemcgaw]

@MiYanni was interested in the outcome of this as well. I think the sdk team could benefit from it as well.

[missymessa]

The only place that we're aware of that runs APIScan is in the Release pipeline. @tkapin do you have any insight on this? We also have no plans to expand APIScan support at this time.

[missymessa]

Additionally, here is a link to reach out to the APIScan team directly: https://aka.ms/apiscan. Let us know if there's anything we can do to help.

[merriemcgaw]

@missymessa we've reached out to the APIScan team already. This is the recommended approach, and how VSEng is supporting APIScan for the rest of DevDiv. The pipeline we're hoping to enable is one that allows us to ship update WinForms Designer Extensibility SDKs to our 3rd party control vendors. We've talked with the APIScan owners and they have directed us this way. @tkapin I'd be very interested to know how your team is using APIScan in your release pipeline. Perhaps there is something we can leverage there.

To the best of our knowledge, the only other option would be to migrate the entire pipeline to VSEng, which would be a huge lift for my team - and VSEng is still using a pool wise managed identity.

[KlausLoeffelmann]

We have reached out several times. @missymessa, it's primarily about the Managed Identities.

See Ricardo's comment above: https://github.com/dotnet/dnceng/issues/2965#issuecomment-2137910674

[arunchndr]

Roslyn, Razor, Compilers all have the same ask. cc: @jaredpar and @phil-allen-msft

[Shyam-Gupta]

@riarenas Any update? WinForms APIScan pipeline is currently blocked on this issue, and probably similar is the case for other teams.

[riarenas]

No update that I'm aware of. The guidance from the APIScan team still contradicts the guidance from the hosted pool team. @markwilkie FYI.

[riarenas]

I see some activity from @chcosta trying to get some more guidance. He is probably a better point of contact for updates than me.

[merriemcgaw]

@dougbu @mmitche - Has there been any progress in determining what teams are supposed to do here? I feel like quite a few teams are waiting on some form of guidance.

[dougbu]

I responded in email thread on this subject.

[mmitche]

@merriemcgaw We know that APIScan is still working on federated credential support. That's the main blocker right now. It's possible that federated creds + azure CLI + task may work in the meantime, but I'm not sure. I can try out the workaround if I can get someone on the winforms-designer team to work with me.

[missymessa]

@mmitche it sounds like guidance was written and the internal thread was wrapped up? Cool to close this?

[merriemcgaw]

Cool from our end.

[missymessa]

Guidance for future reference: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline

[Shyam-Gupta]

@missymessa The guidance you shared uses a Managed Identity assigned to a shared pool. Dnceng does not prescribes it and hence it cannot be used. @mmitche suggested me to use Federated Credentials and it is working for us. I have documented it here.