
secure supply chain analysis fixes#549

Open
prathikr wants to merge 7 commits into main from prathikrao/secure-supply-chain-analysis

Conversation

@prathikr
Contributor

Fixes the following errors I encountered when migrating our packaging/publishing pipelines to onnxruntime-release-pipelines:

Starting: Secure Supply Chain Analysis (auto-injected by policy)
==============================================================================
Task         : Secure Supply Chain Analysis
Description  : A task to scan for vulnerabilities in your software supply chain. Formerly "NuGet Security Analysis".
Version      : 0.2.216
Author       : Microsoft Corporation
Help         : See https://aka.ms/sscatask for more information.
==============================================================================
Telemetry ID: 29518951-f4fb-4d5c-a56e-110cbb97c51b
For more information please visit: https://aka.ms/sscatask
Scanning repository contents at source path: E:\_work\1\s
> Starting Multifeed Nuget Security Analysis:
##[warning]samples/cs/GettingStarted/nuget.config - Multiple feeds declared. (https://aka.ms/cfs/nuget)
##[warning]sdk/cs/NuGet.config - Multiple feeds declared. (https://aka.ms/cfs/nuget)
> Starting Multifeed Corext Analysis:
> Starting Multifeed Python Security Analysis:
> Starting CFS NuGet Analysis:
##[warning]samples/cs/GettingStarted/nuget.config - CFS0013: Package source has value that is not an Azure Artifacts feed. (https://aka.ms/cfs/nuget)
##[warning]sdk/cs/NuGet.config - CFS0013: Package source has value that is not an Azure Artifacts feed. (https://aka.ms/cfs/nuget)
##[warning]sdk_legacy/cs/samples/TestApp/TestApp.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget)
##[warning]sdk_legacy/cs/src/Microsoft.AI.Foundry.Local.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget)
##[warning]sdk_legacy/cs/test/FoundryLocal.Tests/FoundryLocal.Tests.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget)
> Starting CFS NPM Analysis:
##[warning]www/.npmrc - CFS0002: Missing default registry. (https://aka.ms/cfs/npm)
##[warning]samples/js/chat-and-audio-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
##[warning]samples/js/copilot-sdk-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
##[warning]samples/js/electron-chat-application/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
##[warning]samples/js/tool-calling-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
##[warning]sdk/js/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
##[warning]sdk_legacy/js/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm)
> Starting CFS Maven Analysis:
> Starting CFS Cargo Analysis:
##[warning]samples/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]samples/rust/audio-transcription-example/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]samples/rust/foundry-local-webserver/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]samples/rust/native-chat-completions/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]samples/rust/tool-calling-foundry-local/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]sdk/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
##[warning]sdk_legacy/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo)
> Starting CFS CoreXT Analysis:
> Starting CFS CDPx Analysis:
> Starting DockerFile Analysis:
> Starting Kubernetes Deployment File Analysis:
> Starting Helm Charts Analysis:
> Starting Pipeline Configuration Security Analysis:
Azure Artifacts Configuration Analysis found 19 package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems and links to their mitigations are listed above. If you need further assistance, please visit https://aka.ms/cfs/detectors .
##[error]NuGet Security Analysis found 2 NuGet package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/cfs/nuget for more details.

Copilot AI review requested due to automatic review settings March 24, 2026 20:51
@vercel

vercel bot commented Mar 24, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| foundry-local | Error | Error | Mar 24, 2026 9:59pm |

Contributor

Copilot AI left a comment


Pull request overview

Updates package manager configuration files across the repo to satisfy Secure Supply Chain Analysis / CFS detectors when migrating pipelines, primarily by standardizing on an Azure Artifacts feed (ORT-Nightly) and adding required “sibling” config files.

Changes:

  • Add missing .npmrc files for JS packages/samples (and set a default registry).
  • Add missing .cargo/config.toml files for Rust workspaces to route crates.io through ORT-Nightly.
  • Add/adjust NuGet.config files to use a single Azure Artifacts source (ORT-Nightly) and remove non-compliant feeds.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| www/.npmrc | Sets default npm registry to ORT-Nightly (plus always-auth) to satisfy CFS npm checks for the website. |
| sdk_legacy/rust/.cargo/config.toml | Adds Cargo source replacement to ORT-Nightly for the legacy Rust SDK. |
| sdk_legacy/js/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for the legacy JS SDK. |
| sdk_legacy/cs/NuGet.config | Adds missing in-scope NuGet config for legacy C# projects to satisfy CFS0011. |
| sdk/rust/.cargo/config.toml | Adds Cargo source replacement to ORT-Nightly for the Rust SDK. |
| sdk/js/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for the JS SDK. |
| sdk/cs/NuGet.config | Removes nuget.org and keeps only ORT-Nightly Azure Artifacts feed to satisfy NuGet security analysis. |
| samples/rust/.cargo/config.toml | Adds Cargo source replacement to ORT-Nightly for Rust samples (covers sub-crates via parent lookup). |
| samples/js/tool-calling-foundry-local/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for this sample. |
| samples/js/electron-chat-application/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for this sample. |
| samples/js/copilot-sdk-foundry-local/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for this sample. |
| samples/js/chat-and-audio-foundry-local/.npmrc | Adds sibling .npmrc pointing to ORT-Nightly for this sample. |
| samples/cs/GettingStarted/nuget.config | Removes multiple sources/mapping and uses only ORT-Nightly Azure Artifacts feed. |
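Added example, not code from this PR or from Microsoft's scanner: a small Python re-implementation of the detector rules that the task log in the description and the per-file table above describe (CFS0001/CFS0002 for npm, CFS0011/CFS0013 and "multiple feeds" for NuGet, CFS0041 for Cargo), run over a constructed in-memory repository layout. The Azure Artifacts host names and the exact parent-directory lookup are assumptions inferred from the warning text.

```python
# CFS-style feed checks (CFS0001/0002 npm, CFS0011/0013 NuGet, CFS0041 Cargo); added example, not Microsoft's scanner.
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def _in_scope(files, path, name):
    """True if `name` exists in the file's directory or any ancestor (parent lookup)."""
    lowered = {p.lower() for p in files}
    d = posixpath.dirname(path)
    while posixpath.join(d, name).lower() not in lowered:
        if not d:
            return False
        d = posixpath.dirname(d)
    return True

def _is_azure_artifacts(url):  # host names are an assumption about Azure Artifacts feeds
    host = urlparse(url).hostname or ""
    return host == "pkgs.dev.azure.com" or host.endswith(".pkgs.visualstudio.com")

def scan(files):
    """Return sorted 'path - CODE: message' findings, worded like the task output."""
    out = []
    for path, text in files.items():
        base = posixpath.basename(path).lower()
        if base == "package.json" and posixpath.join(posixpath.dirname(path), ".npmrc") not in files:
            out.append(f"{path} - CFS0001: Missing sibling .npmrc file.")
        elif base == ".npmrc" and not any(l.strip().startswith("registry=") for l in text.splitlines()):
            out.append(f"{path} - CFS0002: Missing default registry.")
        elif base == "cargo.toml" and not _in_scope(files, path, ".cargo/config.toml"):
            out.append(f"{path} - CFS0041: Missing associated .cargo/config.toml file.")
        elif base.endswith(".csproj") and not _in_scope(files, path, "nuget.config"):
            out.append(f"{path} - CFS0011: Missing in scope NuGet.config file(s).")
        elif base == "nuget.config":
            srcs = [a.get("value", "") for a in ET.fromstring(text).findall("./packageSources/add")]
            if len(srcs) > 1:
                out.append(f"{path} - Multiple feeds declared.")
            if not all(_is_azure_artifacts(s) for s in srcs):
                out.append(f"{path} - CFS0013: Package source has value that is not an Azure Artifacts feed.")
    return sorted(out)

SAMPLE_REPO = {  # constructed sample shaped like the repository in the PR log
    "samples/js/demo/package.json": "{}",
    "www/.npmrc": "always-auth=true\n",
    "samples/rust/demo/Cargo.toml": "[package]\nname = \"demo\"\n",
    "sdk/rust/sub/Cargo.toml": "[package]\nname = \"sub\"\n",
    "sdk/rust/.cargo/config.toml": "[source.crates-io]\nreplace-with = \"feed\"\n",
    "sdk_legacy/cs/src/App.csproj": "<Project />",
    "sdk/cs/NuGet.config": '<configuration><packageSources><clear/><add key="nuget.org" value="https://api.nuget.org/v3/index.json"/>'
                           '<add key="feed" value="https://pkgs.dev.azure.com/o/_packaging/f/nuget/v3/index.json"/></packageSources></configuration>',
}
```

`scan(SAMPLE_REPO)` reproduces one finding of each kind from the log; the `sdk/rust/sub` crate is clean because the config file is found in its parent directory.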

