ci: add 1ES inventory metadata and TSA options for OS VPack#497
Merged
Conversation
- Add .config/tsaoptions.json matching the structure used by other Microsoft repos (e.g. microsoft/CsWinRT). Drives automated bug filing in the OS AzDO project; notificationAliases intentionally omitted. - Add es-metadata.yml from the 1ES Inventory-As-Code bootstrap PR (ADO PR 15670831) so repo inventory is sourced from code instead of Product Catalog. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Collaborator
Author
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Pull request overview
Adds required Microsoft policy metadata to enable 1ES inventory ownership/routing and TSA/Guardian scan filing for OS VPack pipelines.
Changes:
- Adds
es-metadata.ymlfor 1ES Inventory-As-Code ownership metadata and Azure DevOps area routing. - Adds
.config/tsaoptions.jsonto configure TSA so Guardian scan results file into the correct AzDO area path.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
es-metadata.yml |
Introduces 1ES Inventory-As-Code metadata (ownership + routing). |
.config/tsaoptions.json |
Adds TSA options to route Guardian scan findings to the intended AzDO project/area path. |
MGudgin
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📖 Description
Adds two metadata files required by Microsoft policy for bug routing and
security-scan compliance:
es-metadata.yml— 1ES Inventory-As-Code repo ownership metadata..config/tsaoptions.json— TSA config so the daily OS VPack pipelinecan file Guardian scan results (code + binary scans) into the right AzDO
area path.
🔗 References
🔍 Validation
es-metadata.ymlschema validated server-side on merge.tsaoptions.jsonmirrors the structure used by other Microsoft repos(e.g.
microsoft/cppwinrt); will be exercised by the next OS VPack run.✅ Checklist
📋 Issue Type
Microsoft Reviewers: Open in CodeFlow