build: remove *tests* and all coverage/DIA DLLs from binskim (#41108)

This thing files about 900 bugs a month on us. Before: ``` Done. 11,036 files scanned. ``` After: ``` Done. 4,753 files scanned. ```
2025-12-15 03:07:56 +01:00 · 2025-08-18 06:00:13 -05:00
parent e8754e4cd6
commit efb48aa163
2 changed files with 7 additions and 0 deletions
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -115,6 +115,7 @@ bigbar
 bigobj
 binlog
 binres
+binskim
 BITMAPFILEHEADER
 bitmapimage
 BITMAPINFO
@@ -255,6 +256,7 @@ Corpor
 cotaskmem
 COULDNOT
 countof
+covrun
 cpcontrols
 cph
 cplusplus
@@ -969,6 +971,7 @@ msc
 mscorlib
 msctls
 msdata
+msdia
 MSDL
 MSGFLT
 MSHCTX
--- a/.pipelines/v2/release.yml
+++ b/.pipelines/v2/release.yml
@@ -64,6 +64,10 @@ extends:
      tsa:
        enabled: true
        configFile: '$(Build.SourcesDirectory)\.pipelines\tsa.json'
+      binskim:
+        enabled: true
+        # Exclude every dll/exe in tests/*, as well as all msdia*, covrun* and vcruntime*
+        analyzeTargetGlob: +:file|$(Build.ArtifactStagingDirectory)/**/*.dll;+:file|$(Build.ArtifactStagingDirectory)/**/*.exe;-:file:regex|tests.*\.(dll|exe)$;-:file:regex|(covrun.*)\.dll$;-:file:regex|(msdia.*)\.dll$;-:file:regex|(vcruntime.*)\.dll$

    stages:
      - stage: Build