Use new LinuxContainerImage and enable binskim globally

daxian-dbw · daxian-dbw · commit 80f17687e8f6 · 2025-08-29T12:31:30.000-07:00
diff --git a/.pipelines/Build-Official.yml b/.pipelines/Build-Official.yml
@@ -28,7 +28,7 @@ variables:
   - name: BUILDSECMON_OPT_IN
     value: true
   - name: LinuxContainerImage
-    value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0
+    value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
   - name: WindowsContainerImage
     value: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest
   - name: CDP_DEFINITION_BUILD_COUNT
@@ -68,7 +68,8 @@ extends:
           enabled: true
           scanFolder: $(Build.SourcesDirectory)
         binskim:
-          enabled: false
+          enabled: true
+          exactToolVersion: 4.4.2
         apiscan:
           enabled: false
         tsaOptionsFile: .config\tsaoptions.json
diff --git a/.pipelines/Package-Official.yml b/.pipelines/Package-Official.yml
@@ -18,7 +18,7 @@ variables:
   - name: WindowsContainerImage
     value: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest' # Docker image which is used to build the project
   - name: LinuxContainerImage
-    value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0
+    value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
   - group: mscodehub-feed-read-general
   - group: mscodehub-feed-read-akv
   - name: branchCounterKey
@@ -71,7 +71,8 @@ extends:
           enabled: true
           scanFolder:  $(Build.SourcesDirectory)
         binskim:
-          enabled: false
+          enabled: true
+          exactToolVersion: 4.4.2
         apiscan:
           enabled: false
         tsaOptionsFile: .config\tsaoptions.json
diff --git a/.pipelines/Release-Official.yml b/.pipelines/Release-Official.yml
@@ -20,7 +20,7 @@ variables:
   - name: WindowsContainerImage
     value: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest'
   - name: LinuxContainerImage
-    value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0
+    value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
 
 resources:
   repositories:
diff --git a/.pipelines/templates/linux-build.yml b/.pipelines/templates/linux-build.yml
@@ -21,8 +21,6 @@ jobs:
     value: false
   - name: ob_sdl_codeSignValidation_enabled
     value: false
-  - name: ob_sdl_binskim_enabled
-    value: true
   - name: ob_sdl_tsa_configFile
     value: $(repoRoot)\.config\tsaoptions.json
   - name: Architecture
diff --git a/.pipelines/templates/linux-package.yml b/.pipelines/templates/linux-package.yml
@@ -26,8 +26,6 @@ jobs:
       value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
     - name: repoRoot
       value: $(Build.SourcesDirectory)/AIShell
-    - name: ob_sdl_binskim_enabled
-      value: true
     - name: ob_sdl_tsa_configFile
       value: $(repoRoot)/.config/tsaoptions.json
     - name: Architecture
diff --git a/.pipelines/templates/mac-package.yml b/.pipelines/templates/mac-package.yml
@@ -29,8 +29,6 @@ jobs:
       value: false
     - name: ob_outputDirectory
       value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
-    - name: ob_sdl_binskim_enabled
-      value: true
     - name: repoRoot
       value: $(Build.SourcesDirectory)
     - name: Architecture
diff --git a/.pipelines/templates/module-build.yml b/.pipelines/templates/module-build.yml
@@ -18,8 +18,6 @@ jobs:
     value: false
   - name: ob_sdl_codeSignValidation_enabled
     value: false
-  - name: ob_sdl_binskim_enabled
-    value: true
   - name: ob_sdl_tsa_configFile
     value: $(repoRoot)\.config\tsaoptions.json
   #CodeQL tasks added manually to workaround signing failures
diff --git a/.pipelines/templates/module-package.yml b/.pipelines/templates/module-package.yml
@@ -22,8 +22,6 @@ jobs:
       value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
     - name: repoRoot
       value: $(Build.SourcesDirectory)/AIShell
-    - name: ob_sdl_binskim_enabled
-      value: true
     - name: ob_sdl_tsa_configFile
       value: $(repoRoot)/.config/tsaoptions.json
     - name: ob_signing_setup_enabled
diff --git a/.pipelines/templates/nupkg-package.yml b/.pipelines/templates/nupkg-package.yml
@@ -18,8 +18,6 @@ jobs:
       value: '$(Build.ArtifactStagingDirectory)\ONEBRANCH_ARTIFACT'
     - name: repoRoot
       value: $(Build.SourcesDirectory)\AIShell
-    - name: ob_sdl_binskim_enabled
-      value: true
     - name: ob_sdl_tsa_configFile
       value: $(repoRoot)\.config\tsaoptions.json
     - group: mscodehub-feed-read-general
diff --git a/.pipelines/templates/windows-build.yml b/.pipelines/templates/windows-build.yml
@@ -20,8 +20,6 @@ jobs:
     value: $(Build.SourcesDirectory)\AIShell
   - name: ob_sdl_codeSignValidation_enabled
     value: false
-  - name: ob_sdl_binskim_enabled
-    value: true
   - name: ob_sdl_tsa_configFile
     value: $(repoRoot)\.config\tsaoptions.json
   - name: Architecture
diff --git a/.pipelines/templates/windows-package.yml b/.pipelines/templates/windows-package.yml
@@ -27,8 +27,6 @@ jobs:
       value: '$(Build.ArtifactStagingDirectory)\ONEBRANCH_ARTIFACT'
     - name: repoRoot
       value: $(Build.SourcesDirectory)\AIShell
-    - name: ob_sdl_binskim_enabled
-      value: true
     - name: ob_sdl_tsa_configFile
       value: $(repoRoot)\.config\tsaoptions.json
     - name: Architecture
