From efb48aa1634658b31db3ad980b135d3f0427c07b Mon Sep 17 00:00:00 2001
From: "Dustin L. Howett"
Date: Mon, 18 Aug 2025 06:00:13 -0500
Subject: [PATCH] build: remove *tests* and all coverage/DIA DLLs from binskim (#41108)
This thing files about 900 bugs a month on us. Before: ``` Done. 11,036 files scanned. ``` After: ``` Done. 4,753 files scanned. ```
---
 .github/actions/spell-check/expect.txt | 3 +++
 .pipelines/v2/release.yml | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 9c9ed952df..bc5ba04289 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -115,6 +115,7 @@ bigbar
 bigobj
 binlog
 binres
+binskim
 BITMAPFILEHEADER
 bitmapimage
 BITMAPINFO
@@ -255,6 +256,7 @@ Corpor
 cotaskmem
 COULDNOT
 countof
+covrun
 cpcontrols
 cph
 cplusplus
@@ -969,6 +971,7 @@ msc
 mscorlib
 msctls
 msdata
+msdia
 MSDL
 MSGFLT
 MSHCTX
diff --git a/.pipelines/v2/release.yml b/.pipelines/v2/release.yml
index 18163e899a..d6c2177720 100644
--- a/.pipelines/v2/release.yml
+++ b/.pipelines/v2/release.yml
@@ -64,6 +64,10 @@ extends:
 tsa:
 enabled: true
 configFile: '$(Build.SourcesDirectory)\.pipelines\tsa.json'
+ binskim:
+ enabled: true
+ # Exclude every dll/exe in tests/*, as well as all msdia*, covrun* and vcruntime*
+ analyzeTargetGlob: +:file|$(Build.ArtifactStagingDirectory)/**/*.dll;+:file|$(Build.ArtifactStagingDirectory)/**/*.exe;-:file:regex|tests.*\.(dll|exe)$;-:file:regex|(covrun.*)\.dll$;-:file:regex|(msdia.*)\.dll$;-:file:regex|(vcruntime.*)\.dll$
 stages:
 - stage: Build
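Review bot: The exclusion `-:file:regex|tests.*\.(dll|exe)$` in `analyzeTargetGlob` is unanchored, so it skips any staged DLL or EXE whose full path merely contains `tests`, which is wider than the comment's "every dll/exe in tests/*" and could silently drop a shipped binary from BinSkim's checks. If only test directories are meant, bound the match to a path segment, e.g. `-:file:regex|[\\/]tests[\\/].*\.(dll|exe)$` (the glob engine's separator and case handling should be confirmed against a real run); otherwise reword the comment to `# Exclude every dll/exe whose path contains "tests", plus all msdia*, covrun* and vcruntime*`. The `vcruntime*` exclusion is not mentioned in the commit message, so a short why-comment would help the next reviewer judge whether redistributed runtime DLLs are meant to go unscanned. The enclosing `extends:` block starts above this hunk, so the surrounding settings are not visible here.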