question

0 Votes
JenniferOlsen-6637 asked azure-cxp-api edited

Signed ADO build Artifacts

Our InfoSec team has asked us to show them how we are able to verify that the build artifacts deployed to a server target are the same build artifacts that were generated in our ADO pipelines, sent to Veracode (our code scanning service), approved in the ADO release process, and deployed through the ADO deployment agents.

The InfoSec team explains that ideally there would be a SHA hash on those artifacts that we could trace back through our process. Is this feasible with Azure DevOps out of the box? I cannot seem to find any Microsoft documentation regarding signed build artifacts that are created from within ADO. I have found that we could create a feed from another build service to pull the artifacts into ADO; however, we are using ADO pipelines to build our releases.

not-supported
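The hash trail the question describes, sketched as an added example (not part of the original post and not a built-in Azure DevOps feature): the build stage writes a SHA-256 manifest of the artifact drop and records one digest of that manifest, and the deployment target recomputes and compares. All function names and the sample files are hypothetical and constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large artifacts
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Build stage: map each file's relative path to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_digest(manifest: dict) -> str:
    """Single value to record at each stage: SHA-256 of the canonical manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify(root: Path, manifest: dict, expected_digest: str) -> dict:
    """Deployment target: report every difference from what the build produced."""
    actual = build_manifest(root)
    return {
        "manifest_ok": manifest_digest(manifest) == expected_digest,
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(k for k in manifest.keys() & actual.keys()
                           if manifest[k] != actual[k]),
    }

def demo() -> dict:
    """Constructed sample drop: verify it clean, then after tampering."""
    with tempfile.TemporaryDirectory() as d:
        drop = Path(d)
        (drop / "bin").mkdir()
        (drop / "bin" / "app.dll").write_bytes(b"constructed build output")
        (drop / "web.config").write_text("<configuration/>")
        manifest = build_manifest(drop)
        digest = manifest_digest(manifest)  # record this in the release record
        clean = verify(drop, manifest, digest)
        (drop / "bin" / "app.dll").write_bytes(b"changed after the build")
        (drop / "extra.txt").write_text("not from the build")
        return {"clean": clean, "tampered": verify(drop, manifest, digest)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only means something if the recorded digest is kept where the deployment path cannot modify it. A hash shows the files are unchanged; signing the manifest is what adds assurance about who produced it.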

1 Answer

0 Votes
tbgangav-MSFT answered

Hi @JenniferOlsen-6637,

Azure DevOps is currently not supported in this Microsoft Q&A platform. You may ask Azure DevOps related questions in this developer community.
