From 46e938df46d1bde785f081c301ec8091c0f3844c Mon Sep 17 00:00:00 2001 From: Gaurav Sharma <223556219+Copilot@users.noreply.github.com> Date: Fri, 10 Jul 2026 16:44:12 +0530 Subject: [PATCH] CHORE: add shift-left secret scanning to PR validation (test) adds a SecretScan job to the pr-validation pipeline that runs the 1ES Secret Scanning (SEC101/SPMI) engine on every PR, so credential leaks like SEC101/037 SqlLegacyCredentials are caught pre-merge instead of at the GitHub->ADO sync. includes a clearly-fake planted probe fixture to verify detection end-to-end; both the fixture and (pending decision) the job are test scaffolding. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- eng/pipelines/pr-validation-pipeline.yml | 20 ++++++++++++++++++++ tests/_secretscan_probe.txt | 9 +++++++++ 2 files changed, 29 insertions(+) create mode 100644 tests/_secretscan_probe.txt diff --git a/eng/pipelines/pr-validation-pipeline.yml b/eng/pipelines/pr-validation-pipeline.yml index 8cc7ea8e..a7b8ed93 100644 --- a/eng/pipelines/pr-validation-pipeline.yml +++ b/eng/pipelines/pr-validation-pipeline.yml @@ -7,6 +7,26 @@ trigger: - main jobs: +# Shift-left secret scanning: run the 1ES Secret Scanning (SEC101 / SPMI) engine +# on every PR so credential leaks (e.g. SEC101/037 SqlLegacyCredentials) are caught +# pre-merge, instead of surfacing later at the GitHub->ADO sync push-protection gate. +- job: SecretScan + displayName: 'Secret Scan (shift-left SEC101)' + pool: + vmImage: 'windows-latest' + steps: + - task: 1ESSecretScanning@1 + displayName: 'Run 1ES Secret Scanning' + inputs: + Action: 'analyze' + Target: '$(Build.SourcesDirectory)\*' + Rules: 'GetClean' + Recurse: true + - task: PostAnalysis@2 + displayName: 'Fail build if secrets detected' + inputs: + GdnBreakAllTools: true + - job: CodeQLAnalysis displayName: 'CodeQL Security Analysis' pool: diff --git a/tests/_secretscan_probe.txt b/tests/_secretscan_probe.txt new file mode 100644 index 00000000..62ac2db6 --- /dev/null +++ b/tests/_secretscan_probe.txt @@ -0,0 +1,9 @@ +SECRET-SCAN PROBE — NOT A REAL CREDENTIAL. DELETE BEFORE MERGE. + +This file exists only to verify that the shift-left secret-scanning stage in the +PR-validation pipeline catches the SEC101/037 "SqlLegacyCredentials" pattern +(realistic Azure SQL hostname + UID + PWD) at PR time, pre-sync. + +The value below is fabricated and points at a non-existent host: + +Server=tcp:contoso-probe-doesnotexist.database.windows.net,1433;Database=probe;UID=probeuser;PWD=Fake_NotARealSecret_2026;Encrypt=yes;TrustServerCertificate=no;