Getting started with the BinSkim build task

BinSkim is a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. BinSkim is an open source tool. (GitHub)

The BinSkim build task provides a command line wrapper around the BinSkim.exe application. This page has the steps needed to configure & run the build task as part of your build definition.

Prerequisites:

1. You are using the Azure DevOps Build system.
2. The Microsoft Security Code Analysis Extension installed in your account.
3. Your build produces binary artifacts from managed code or you have binary artifacts committed you would like to analyze with BinSkim.

Setup:

1. Open your team project from your Azure DevOps Account.
2. Navigate to the Build tab under Build and Release
3. Select the Build Definition into which you wish to add the BinSkim build task.
  • New - Click New and follow the steps detailed to create a new Build Definition.
  • Edit - Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
4. Click + to navigate to the Add Tasks pane.
5. Find the BinSkim build task either from the list or using the search box and then click Add.
6. The BinSkim build task should now be a part of the Build Definition. Add it after the publishing steps for your build artifacts.

Customizing the BinSkim Build Task:

1. Click the BinSkim task to see the different options available within.

2. Set the build configuration to Debug to produce *.pdb debug files. They are used by BinSkim to map issues found in the output binary back to source code.
3. Choose Type = Basic & Function = Analyze to avoid researching and creating your own commandline.
4. Target - One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze.
  • Multiple targets should be separated by a semicolon(;).
  • Can be a single file or contain wildcards.
  • Directories should always end with \*
  • Examples:
    • *.dll;*.exe
    • $(BUILD_STAGINGDIRECTORY)\*
    • $(BUILD_STAGINGDIRECTORY)\*.dll;$(BUILD_STAGINGDIRECTORY)\*.exe;
5. If you select Type = Command Line,
  • Make sure the first argument to BinSkim.exe is the verb analyze using full paths, or paths relative to the source directory.
  • For Command Line input, multiple targets should be separated by a space.
  • You can omit the /o or /output file parameter; it will be added for you or replaced.
  • Standard Command Line Configuration
    • analyze $(Build.StagingDirectory)\* --recurse --verbose
    • analyze *.dll *.exe --recurse --verbose
    • Note that the trailing \* is very important when specifying a directory or directories for the target.

Resources

For more details on BinSkim whether command line arguments or rules by ID or exit codes, visit the BinSkim User Guide


Microsoft Corporation 2017