Emit per-binary ASan telemetry (BinSkim BA2032) from runtime-sanitized#130500
Draft
davidmrdavid wants to merge 1 commit into
Draft
Emit per-binary ASan telemetry (BinSkim BA2032) from runtime-sanitized#130500davidmrdavid wants to merge 1 commit into
davidmrdavid wants to merge 1 commit into
Conversation
Contributor
|
Tagging subscribers to this area: @dotnet/area-infrastructure-libraries |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the runtime-sanitized Azure Pipelines definition to emit per-binary AddressSanitizer (ASan) usage telemetry on Windows by running BinSkim with the opt-in BA2032 rule and uploading results via Guardian.
Changes:
- Add a Windows-only
BinSkim@4step configured to run only ruleBA2032overartifacts/bin/**/*.exeandartifacts/bin/**/*.dll. - Add a follow-on
PostAnalysis@2step to upload the BinSkim results to Guardian. - Apply the same telemetry steps to both the CoreCLR runtime-tests job and the NativeAOT job in this pipeline.
Show a summary per file
| File | Description |
|---|---|
| eng/pipelines/runtime-sanitized.yml | Adds BinSkim BA2032 + PostAnalysis steps (Windows-only) to emit/upload ASan instrumentation telemetry for produced binaries. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 2
Comment on lines
+52
to
+67
| - task: BinSkim@4 | ||
| displayName: 'Emit ASan usage telemetry (BinSkim BA2032)' | ||
| condition: and(succeededOrFailed(), eq(variables['Agent.OS'], 'Windows_NT')) | ||
| inputs: | ||
| TargetPattern: guardianGlob | ||
| AnalyzeTargetGlob: +:f|$(Build.SourcesDirectory)\artifacts\bin\**\*.exe;+:f|$(Build.SourcesDirectory)\artifacts\bin\**\*.dll | ||
| toolVersion: '4.4.9' | ||
| env: | ||
| GDN_BINSKIM_RUNONLYRULES: BA2032 | ||
| GDN_BINSKIM_KIND: Fail;Pass;Informational | ||
| - task: PostAnalysis@2 | ||
| displayName: 'Guardian: upload SDL results (BA2032)' | ||
| condition: and(succeededOrFailed(), eq(variables['Agent.OS'], 'Windows_NT')) | ||
| inputs: | ||
| GdnBreakAllTools: false | ||
| GdnBreakGdnToolBinSkim: false |
Comment on lines
+101
to
+116
| - task: BinSkim@4 | ||
| displayName: 'Emit ASan usage telemetry (BinSkim BA2032)' | ||
| condition: and(succeededOrFailed(), eq(variables['Agent.OS'], 'Windows_NT')) | ||
| inputs: | ||
| TargetPattern: guardianGlob | ||
| AnalyzeTargetGlob: +:f|$(Build.SourcesDirectory)\artifacts\bin\**\*.exe;+:f|$(Build.SourcesDirectory)\artifacts\bin\**\*.dll | ||
| toolVersion: '4.4.9' | ||
| env: | ||
| GDN_BINSKIM_RUNONLYRULES: BA2032 | ||
| GDN_BINSKIM_KIND: Fail;Pass;Informational | ||
| - task: PostAnalysis@2 | ||
| displayName: 'Guardian: upload SDL results (BA2032)' | ||
| condition: and(succeededOrFailed(), eq(variables['Agent.OS'], 'Windows_NT')) | ||
| inputs: | ||
| GdnBreakAllTools: false | ||
| GdnBreakGdnToolBinSkim: false |
Member
|
/azp run runtime-sanitized |
|
Azure Pipelines failed to run 1 pipeline(s). |
This was referenced Jul 10, 2026
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context: The MSVC ASan team ( 👋 ) is interested in capturing ASan-usage telemetry listing what binaries got instrumented with ASan. As the .NET runtime is a flagship customer, we're very interested in seeing this repo be a part of that effort.
The way we capture this telemetry is through a new opt-in BinSkim rule: BA2032. That rule is a no-fail rule that simply writes to kusto (when the pipeline environment is set up for Guardian telemetry, as most internal pipelines are) when an asanized binary is detected.
This PR attempts to add that telemetry for this repo. We may need help queue'ing the pipeline a few times to confirm this is working as expected. Thanks!