diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 5ee323f940..22f458582c 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -39,6 +39,8 @@ variables:
 - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
 - name: SignType
 value: $[ coalesce(variables.OfficialSignType, 'real') ]
+ # Values for SDLValidationParameters
+ - group: core-setup-sdl-validation
 stages:
 - stage: Build
diff --git a/eng/stages/publish.yml b/eng/stages/publish.yml
index c3f4f8ded3..8e440c91f2 100644
--- a/eng/stages/publish.yml
+++ b/eng/stages/publish.yml
@@ -16,6 +16,23 @@ stages:
 # quotes inside the string so that it passes through to MSBuild without script interference.
 symbolPublishingAdditionalParameters: "'-warnAsError:$false'"
 publishInstallersAndChecksums: true
+ # Enable SDL validation, passing through values from the 'core-setup-sdl-validation' group.
+ SDLValidationParameters:
+ enable: true
+ artifactNames:
+ - PackageArtifacts
+ - BlobArtifacts
+ params: >-
+ -SourceToolsList @("policheck","credscan")
+ -TsaInstanceURL "$(TsaInstanceURL)"
+ -TsaProjectName "$(TsaProjectName)"
+ -TsaNotificationEmail "$(TsaNotificationEmail)"
+ -TsaCodebaseAdmin "$(TsaCodebaseAdmin)"
+ -TsaBugAreaPath "$(TsaBugAreaPath)"
+ -TsaIterationPath "$(TsaIterationPath)"
+ -TsaRepositoryName "$(TsaRepositoryName)"
+ -TsaCodebaseName "$(TsaCodebaseName)"
+ -TsaPublish $True
 # Create extra stage per BAR channel that needs extra publish steps. These run after the Arcade
 # stages because they depend on Arcade's NuGet package publish being complete.
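Review bot: In azure-pipelines.yml, the comment on the new `- group: core-setup-sdl-validation` entry does not say where the group is consumed or which variables it must define, so a missing or renamed key would only surface when the publish stage runs. Indentation is lost on this page, but the entry appears to sit under the internal, non-PR condition, which keeps the group out of pull-request validation builds; that intent is worth stating. Suggested comment: `# Internal non-PR builds only: supplies the Tsa* variables that SDLValidationParameters in eng/stages/publish.yml expands`. The variables block begins outside the hunk.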
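Review bot: In eng/stages/publish.yml, the Tsa* arguments in `params` are wrapped in double quotes, so whatever each `$(...)` macro expands to is read again by the script that receives this string (the `@(...)` and `$True` syntax suggests PowerShell, though the consuming template is not shown). A group value containing a double quote, a backtick or `$`, or a macro left unexpanded because the variable group is not linked, would then be interpreted rather than passed as literal text. Single quotes keep the value literal, e.g. `-TsaInstanceURL '$(TsaInstanceURL)'` and likewise for the other Tsa* arguments, in line with the quoting rationale given for symbolPublishingAdditionalParameters just above. `enable: true` is unconditional in the visible lines while the group in azure-pipelines.yml appears to be linked only for internal non-PR builds, so confirm this stage never runs without it. The parameters mapping starts outside the hunk.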