Skip to content

Add LTCG flags to compile_windows.bat for BinSkim BA6006 compliance #1991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rchiodo merged 2 commits into from
Jan 20, 2026
Merged

Add LTCG flags to compile_windows.bat for BinSkim BA6006 compliance #1991

rchiodo merged 2 commits into from
Jan 20, 2026
+6 −6

Conversation

Copy link
Contributor

Copilot AI commented Jan 20, 2026
edited
Loading

Summary

Windows DLL/EXE builds were failing BinSkim BA6006 checks and emitting MSVC linker warnings about /LTCG specified but no code generation required. Root cause: objects weren't compiled with /GL (whole-program optimization) before linking with /LTCG.

Changes

Added LTCG flags to all 6 build commands in compile_windows.bat:

  • Compiler: Added /GL flag to enable whole-program optimization
  • Linker: Added /LTCG flag to enable link-time code generation

Affected binaries:

  • attach_x86.dll / attach_amd64.dll
  • run_code_on_dllmain_x86.dll / run_code_on_dllmain_amd64.dll
  • inject_dll_x86.exe / inject_dll_amd64.exe

Before:

cl /EHsc /Zi /O1 /W3 /LD /MD /Qspectre attach.cpp /link /PROFILE /GUARD:CF /CETCOMPAT /out:attach_x86.dll

After:

cl /EHsc /Zi /O1 /W3 /LD /MD /GL /Qspectre attach.cpp /link /LTCG /PROFILE /GUARD:CF /CETCOMPAT /out:attach_x86.dll

This ensures each object passed to a /LTCG link step was compiled with /GL, satisfying both MSVC requirements and BinSkim security checks.

Original prompt

Update 'compile_windows.bat' so that all DLL and EXE build steps requiring Link-Time Code Generation (LTCG) pass BinSkim checks and do not emit the MSVC linker warning about '/LTCG specified but no code generation required'.

Specifically:

  • Add '/GL' to each 'cl' command that produces a DLL or EXE that is checked by BinSkim (such as attach_x86.dll, attach_amd64.dll, inject_dll_amd64.exe, run_code_on_dllmain_x86.dll, run_code_on_dllmain_amd64.dll).
  • Add '/LTCG' to the '/link' step for those same build products if not present.
  • Ensure that every object passed to a link step with '/LTCG' is built with '/GL'.
  • The result must both pass BinSkim BA6006 and suppress the 'LINK : /LTCG specified but no code generation required' warning from MSVC.
  • Do not modify other unrelated aspects of the script.

Tested by: Ensuring the changed commands match MSVC documentation for LTCG and previous user feedback, though script runtime or build output validation is out-of-scope for this change.

This pull request was created from Copilot chat.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@rchiodo
Add /GL and /LTCG flags for LTCG and BinSkim compliance
b45b7e3 
Co-authored-by: rchiodo <19672699+rchiodo@users.noreply.github.com>
Copilot AI changed the title [WIP] Update compile_windows.bat for LTCG and BinSkim compliance Add LTCG flags to compile_windows.bat for BinSkim BA6006 compliance Jan 20, 2026
Copilot AI requested a review from rchiodo January 20, 2026 18:35
@rchiodo
Copy link
Contributor

rchiodo commented Jan 20, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jan 20, 2026

Azure Pipelines successfully started running 1 pipeline(s).

@rchiodo rchiodo marked this pull request as ready for review January 20, 2026 18:47
@rchiodo rchiodo requested a review from a team as a code owner January 20, 2026 18:47
@rchiodo rchiodo merged commit ea2746a into main Jan 20, 2026
6 of 28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StellaHuang95 StellaHuang95 StellaHuang95 approved these changes

+1 more reviewer

@rchiodo rchiodo rchiodo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@rchiodo rchiodo

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rchiodo @StellaHuang95