-
I know that Azure Pipelines require some level of security to ensure that Application Secrets aren't leaked. However, I'd like to learn more about (and possibly contribute to) the actual functions which validate PRs and manifests. Is there any way to do this, or any plans in the future for this?
-
We do have plans for making more of the validation infrastructure open source. The challenges right now are with how they were built with Azure DevOps pipelines and Azure Functions. We need to do some hefty refactoring before we can safely make the validation infrastructure more open. Some of it will likely continue to be proprietary (mostly the calls to the endpoints we depend on for dynamic analysis, and the private infrastructure the actual dynamic analysis runs on). We have been looking at how we could more easily decouple different parts of the validation process as we see how third parties might also want to use something similar to what we have today in terms of a location for submission, and a validation process. Another area we've been looking at is how we could extend the service to be better at detecting new versions of packages via GitHub releases, RSS feeds, etc. I've also been starting the conversations with the team about leveraging the Windows Package Manager Manifest Creator in our own periodic scans to automatically generate new manifests when we detect a SHA256 change, or a URL for an installer is no longer available.