Add PreBuildCheck stage (PoliCheck + CredScan) to shared template, mirroring MSAL.NET

RyAuld · RyAuld · commit e17136250854 · 2026-03-23T11:22:32.000-07:00
diff --git a/.Pipelines/ADO-PUBLISH-SETUP.md b/.Pipelines/ADO-PUBLISH-SETUP.md
@@ -20,6 +20,7 @@ Every publish requires explicitly entering a version and selecting a destination
 
 | Stage | Trigger | Target |
 |-------|---------|--------|
+| **PreBuildCheck** (PoliCheck + CredScan) | always | SDL security scans |
 | **Validate** | release runs only (`runPublish: true`) | asserts `packageVersion` matches `msal/sku.py` |
 | **CI** (tests on Py 3.9–3.14) | after Validate (or immediately on PR/merge runs) | — |
 | **Build** (sdist + wheel) | after CI, release runs only | dist artifact |
@@ -189,12 +190,15 @@ This pipeline is **always manually queued**. Both fields are required — the Va
 
 ```
 Manual queue (publishTarget = test.pypi.org (Preview / RC))
-  └─►  Validate  ─►  CI  ─►  Build  ─►  PublishMSALPython
-                                              (test.pypi.org (Preview / RC), auto)
+  └─►  PreBuildCheck  ─►  Validate  ─►  CI  ─►  Build  ─►  PublishMSALPython
+                                                              (test.pypi.org (Preview / RC), auto)
 
 Manual queue (publishTarget = pypi.org (Production))
-  └─►  Validate  ─►  CI  ─►  Build  ─►  PublishPyPI
-                                              (pypi.org (Production), requires approval)
+  └─►  PreBuildCheck  ─►  Validate  ─►  CI  ─►  Build  ─►  PublishPyPI
+                                                              (pypi.org (Production), requires approval)
+
+PR / merge build (runPublish: false)
+  └─►  PreBuildCheck  ─►  CI
 ```
 
 ---
diff --git a/.Pipelines/template-pipeline-stages.yml b/.Pipelines/template-pipeline-stages.yml
@@ -17,9 +17,9 @@
 #
 # Stage flow:
 #
-#   runPublish: true  → Validate ─► CI ─► Build ─► PublishMSALPython
-#                                                └─► PublishPyPI
-#   runPublish: false → CI  (Validate / Build / Publish are skipped)
+#   runPublish: true  → PreBuildCheck ─► Validate ─► CI ─► Build ─► PublishMSALPython
+#                                                                   └─► PublishPyPI
+#   runPublish: false → PreBuildCheck ─► CI  (Validate / Build / Publish are skipped)
 
 parameters:
 - name: packageVersion
@@ -34,13 +34,52 @@ parameters:
 
 stages:
 
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 0 · PreBuildCheck — SDL security scans (PoliCheck + CredScan)
+#           Always runs, mirrors MSAL.NET pre-build analysis.
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PreBuildCheck
+  displayName: 'Pre-build security checks'
+  jobs:
+  - job: SecurityScan
+    displayName: 'PoliCheck + CredScan'
+    pool:
+      vmImage: windows-latest
+    variables:
+      Codeql.SkipTaskAutoInjection: true
+    steps:
+    - task: NodeTool@0
+      displayName: 'Install NPM'
+      inputs:
+        versionSpec: '16.x'
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+      displayName: 'Run PoliCheck'
+      inputs:
+        targetType: F
+        optionsUEPATH: '$(Build.SourcesDirectory)/build/policheck_exclusion.xml'
+      continueOnError: true
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+      displayName: 'Run CredScan'
+      inputs:
+        toolMajorVersion: V2
+        debugMode: false
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+      displayName: 'Post Analysis'
+      inputs:
+        GdnBreakGdnToolCredScan: true
+        GdnBreakGdnToolPoliCheck: true
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 1 · Validate — verify packageVersion matches msal/sku.py __version__
 #           Skipped when runPublish is false (PR / merge builds).
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: Validate
   displayName: 'Validate version'
-  condition: ${{ parameters.runPublish }}
+  dependsOn: PreBuildCheck
+  condition: and(${{ parameters.runPublish }}, eq(dependencies.PreBuildCheck.result, 'Succeeded'))
   jobs:
   - job: ValidateVersion
     displayName: 'Check version matches source'
@@ -75,8 +114,14 @@ stages:
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: CI
   displayName: 'Run tests'
-  dependsOn: Validate
-  condition: in(dependencies.Validate.result, 'Succeeded', 'Skipped')
+  dependsOn:
+  - PreBuildCheck
+  - Validate
+  condition: |
+    and(
+      eq(dependencies.PreBuildCheck.result, 'Succeeded'),
+      in(dependencies.Validate.result, 'Succeeded', 'Skipped')
+    )
   jobs:
   - job: Test
     displayName: 'Run unit tests'
