[build] Fix BinSkim failure in 'Convert NuGet to MSI' job (#10961)

jonathanpeppers · Copilot · web-flow · commit 0f6a01b64073 · 2026-03-17T22:26:10.000-05:00
The 'Convert NuGet to MSI' job fails with:

    Could not parse glob pattern D:\a\_work\1\s\bin\Build*\**
    BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified.

This happens because the 1ES template applies sdl.binskim config globally
to all jobs. The analyzeTargetGlob pattern 'bin\Build*\**' only matches
build/test job output directories, but the MSI conversion job has no
bin\Build*\ directory — it produces output under bin\msi-nupkgs\ instead.

Add bin\msi-nupkgs\** to the glob so the MSI conversion job has valid
scan targets.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
@@ -60,8 +60,12 @@ extends:
         enableAllTools: false
       binskim:
         scanOutputDirectoryOnly: true
-        # Only scan actual build output, not test assemblies under bin/Test*
-        analyzeTargetGlob: bin\Build*\**
+        # Scan build output and MSI conversion output, but not test assemblies
+        # under bin/Test* which produce BA2021 false positives.
+        # Both patterns are needed because the 1ES template applies sdl config
+        # globally: build/test jobs produce bin\Build*\ output, while the
+        # "Convert NuGet to MSI" job only produces bin\msi-nupkgs\ output.
+        analyzeTargetGlob: bin\Build*\**;bin\msi-nupkgs\**
       codeql:
         compiled:
           enabled: false
