Getting started with the Post-Analysis (Build Break) build task

The Post-Analysis build task lets you inject a build break and fail the build when one or more of the analysis tools report findings or issues in the code. The individual tool build tasks succeed, by design, as long as the tool itself completes successfully, whether or not it has findings. This keeps the build running to completion so that every tool gets a chance to run.
To fail the build based on security issues found by one of the tools run in the build, add and configure this build task.
The task can be configured to break the build for issues found by specific tools or by all tools, and also based on the severity of the issues found (errors only, or errors and warnings).

Prerequisites:

1. You are using the Azure DevOps Build system.
2. The Microsoft Security Code Analysis Extension is installed in your account.
3. At least one Security Development Tool build task has been added to the build definition prior to this build task.

Setup:

1. Open your team project from your Azure DevOps Account.
2. Navigate to the Build tab under Build and Release.
3. Select the Build Definition to which you wish to add the Post-Analysis build task.
  • New - Click New and follow the steps detailed to create a new Build Definition.
  • Edit - Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
4. Click + to navigate to the Add Tasks pane.
5. Find the Post-Analysis build task either from the list or using the search box and then click Add.
6. The Post-Analysis build task should now be part of the Build Definition. Place it at the end of your pipeline, after most, if not all, other tasks, so that every analysis tool has finished and written its log before the break decision is made.

Customizing the Post-Analysis Build Task:

1. Click the Post-Analysis task to see the different options available.

2. Tools - Select the tools in your build definition for which you would like to inject a build break based on their findings. For each tool selected, there may be an option to choose whether to break on Errors only or on both Errors and Warnings.
3. Report - You can optionally write the findings that caused the build break to the Azure DevOps console window and log file.
4. Advanced Options - You can choose to log a warning, or log an error and fail the task, when no logs are found for one of the tools selected. Failing on a missing log is the safer setting: a tool that never ran, or whose output was lost, cannot have reported the issues the break is meant to catch.
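The same configuration expressed as a YAML pipeline, added here as an example and not taken from the page or from the extension's own documentation. The task names (`CredScan@2`, `BinSkim@3`, `PostAnalysis@1`), the input names (`AllTools`, `BinSkim`, `BinSkimBreakOn`, `CredScan`, `ToolLogsNotFoundAction`) and their values are assumptions based on the extension's published YAML reference and may differ between extension versions; check them against the task's Settings pane before use. It shows the three choices described above: which tools break the build, at what severity, and what happens when a selected tool left no log.

```yaml
# Added example (not from the page). Task and input names are assumed from the
# extension's YAML reference and may differ by version.
steps:
  # Analysis tasks run first. Each one succeeds as long as its tool completes,
  # even when the tool reports findings, so the pipeline keeps going.
  - task: CredScan@2
    displayName: 'Run CredScan'
    inputs:
      outputFormat: 'pre'

  - task: BinSkim@3
    displayName: 'Run BinSkim'
    inputs:
      InputType: 'Basic'
      Function: 'analyze'
      AnalyzeTarget: '$(Build.ArtifactStagingDirectory)\*.dll'

  # Post-Analysis goes last so every selected tool has written its log
  # before the break decision is taken.
  - task: PostAnalysis@1
    displayName: 'Post Analysis (build break)'
    inputs:
      AllTools: false                  # break only on the tools selected below
      CredScan: true                   # any CredScan finding fails the build
      BinSkim: true
      BinSkimBreakOn: 'WarningAbove'   # 'Error' = errors only; 'WarningAbove' = errors and warnings
      ToolLogsNotFoundAction: 'Error'  # 'Standard' | 'Warning' | 'Error' when a selected tool has no log
```

Setting `AllTools: true` instead would break on findings from every analysis task in the definition, which is simpler to maintain when tools are added later; the per-tool selection is useful while a newly introduced tool still produces findings the team has not yet triaged.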

Microsoft Corporation 2017