├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── 4-question-support.md │ ├── 3-feature-request.md │ ├── 2-docs-bug-report.md │ └── 1-bug-report.md ├── FUNDING.yml ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── psrule-monitor.yml │ ├── wiki.yml │ ├── publish-on-release.yml │ └── module-ci.yml ├── src ├── PSRule.Rules.AzureDevOps │ ├── rules │ │ ├── Standards.Rule.ps1 │ │ ├── Baseline.Default.Rule.yaml │ │ ├── Baseline.NoExtraLicense.Rule.yaml │ │ ├── Selectors.Rule.yaml │ │ ├── Baseline.PublicProject.Rule.yaml │ │ ├── Config.Rule.yaml │ │ ├── AzureDevOps.RetentionSettings.Rule.ps1 │ │ ├── AzureDevOps.Pipelines.PipelineYaml.Rule.ps1 │ │ └── AzureDevOps.Groups.Rule.ps1 │ ├── en │ │ ├── Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md │ │ ├── Azure.DevOps.Repos.Branch.CommitRecent.md │ │ ├── Azure.DevOps.Repos.Readme.md │ │ ├── Azure.DevOps.Repos.License.md │ │ ├── Azure.DevOps.Project.Visibility.md │ │ ├── Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md │ │ ├── Azure.DevOps.Pipelines.Environments.Description.md │ │ ├── Azure.DevOps.Repos.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.Core.InheritedPermissions.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.Description.md │ │ ├── Azure.DevOps.Repos.ProjectValidUsers.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md │ │ ├── Azure.DevOps.Pipelines.Core.ProjectValidUsers.md │ │ ├── Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate.md │ │ ├── Azure.DevOps.ServiceConnections.Description.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.Environments.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProjectValidUsers.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.ProjectValidUsers.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionBranchLimit.md │ │ ├── 
Azure.DevOps.ServiceConnections.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.ProjectValidUsers.md │ │ ├── Azure.DevOps.ServiceConnections.ProjectValidUsers.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md │ │ ├── Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md │ │ ├── Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md │ │ ├── Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md │ │ ├── Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md │ │ ├── Azure.DevOps.Project.MainPipelineAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Groups.ProjectAdmins.MinMembers.md │ │ ├── Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md │ │ ├── Azure.DevOps.Project.MainRepositoryAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.Project.MainVariableGroupAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.Project.MainEnvironmentAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionCheckProtection.md │ │ ├── Azure.DevOps.Project.MainReleaseDefinitionAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.Pipelines.Core.UseYamlDefinition.md │ │ ├── Azure.DevOps.Project.MainServiceConnectionAcl.ProjectValidUsers.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionHumanApproval.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyMergeStrategy.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md │ │ ├── 
Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md │ │ ├── Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyAllowSelfApproval.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyCommentResolution.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyEnforceLinkedWorkItems.md │ │ ├── Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays.md │ │ ├── Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md │ │ ├── Azure.DevOps.Repos.Branch.HasBranchPolicy.md │ │ ├── Azure.DevOps.ServiceConnections.GitHubPAT.md │ │ ├── Azure.DevOps.Repos.HasDefaultBranchPolicy.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyResetVotes.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyResetVotes.md │ │ ├── Azure.DevOps.ServiceConnections.Scope.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyRequireBuild.md │ │ ├── Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md │ │ ├── Azure.DevOps.ServiceConnections.ClassicAzure.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled.md │ │ ├── Azure.DevOps.Repos.DefaultBranchPolicyIsEnabled.md │ │ ├── Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers.md │ │ └── Azure.DevOps.Repos.DefaultBranchPolicyMinimumReviewers.md │ ├── nl │ │ ├── Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md │ │ ├── Azure.DevOps.Repos.License.md │ │ ├── Azure.DevOps.Repos.Readme.md │ │ ├── Azure.DevOps.Pipelines.Environments.Description.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md │ │ ├── 
Azure.DevOps.Repos.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.Core.InheritedPermissions.md │ │ ├── Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.Description.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md │ │ ├── Azure.DevOps.ServiceConnections.Description.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionBranchLimit.md │ │ ├── Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md │ │ ├── Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md │ │ ├── Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md │ │ ├── Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md │ │ ├── Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md │ │ ├── Azure.DevOps.Pipelines.Core.UseYamlDefinition.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionHumanApproval.md │ │ ├── Azure.DevOps.Repos.BranchPolicyAllowSelfApproval.md │ │ ├── Azure.DevOps.Repos.BranchPolicyCommentResolution.md │ │ ├── Azure.DevOps.Repos.BranchPolicyEnforceLinkedWorkItems.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md │ │ ├── Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md │ │ ├── Azure.DevOps.Repos.BranchPolicyMergeStrategy.md │ │ ├── Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md │ │ ├── Azure.DevOps.Repos.HasBranchPolicy.md │ │ ├── Azure.DevOps.ServiceConnections.ProductionCheckProtection.md │ │ ├── Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md │ │ ├── 
Azure.DevOps.ServiceConnections.GitHubPAT.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md │ │ ├── Azure.DevOps.Repos.BranchPolicyRequireBuild.md │ │ ├── Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md │ │ ├── Azure.DevOps.Repos.BranchPolicyResetVotes.md │ │ ├── Azure.DevOps.ServiceConnections.Scope.md │ │ ├── Azure.DevOps.Repos.BranchPolicyMinimumReviewers.md │ │ ├── Azure.DevOps.ServiceConnections.ClassicAzure.md │ │ ├── Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md │ │ └── Azure.DevOps.Repos.BranchPolicyIsEnabled.md │ └── Functions │ │ ├── DevOps.Pipelines.Settings.ps1 │ │ └── DevOps.RetentionSettings.ps1 └── PSScriptAnalyzerSettings.psd1 ├── .gitignore ├── assets └── media │ ├── run-0.0.3.png │ ├── run-0.0.5.png │ ├── run-0.0.7.png │ ├── run-0.0.9.png │ ├── sarif-0.0.11.png │ ├── ado-create-new-repo.png │ ├── get-psrulehelp-0.0.9.png │ ├── ado-create-new-folder.png │ └── ado-user-settings-pat.png ├── sonar-project.properties ├── example └── best-practice │ ├── ps-rule.yaml │ └── SupressionGroups.Rule.yaml ├── LICENSE ├── pipelines ├── README.md └── azure-pipelines.yml ├── docs └── branch-strategy-suppression.md └── tests ├── Rules.Common.Tests.ps1 └── Rules.RetentionSettings.Tests.ps1 /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @webtonize -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Standards.Rule.ps1: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | tests/out* 2 | coverage.xml 3 | myenv.ps1 4 | .vscode/ -------------------------------------------------------------------------------- /src/PSScriptAnalyzerSettings.psd1: 
-------------------------------------------------------------------------------- 1 | @{ 2 | ExcludeRules = @( 3 | 'PSUseSingularNouns' 4 | ) 5 | } -------------------------------------------------------------------------------- /assets/media/run-0.0.3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/run-0.0.3.png -------------------------------------------------------------------------------- /assets/media/run-0.0.5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/run-0.0.5.png -------------------------------------------------------------------------------- /assets/media/run-0.0.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/run-0.0.7.png -------------------------------------------------------------------------------- /assets/media/run-0.0.9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/run-0.0.9.png -------------------------------------------------------------------------------- /assets/media/sarif-0.0.11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/sarif-0.0.11.png -------------------------------------------------------------------------------- /assets/media/ado-create-new-repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/ado-create-new-repo.png 
-------------------------------------------------------------------------------- /assets/media/get-psrulehelp-0.0.9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/get-psrulehelp-0.0.9.png -------------------------------------------------------------------------------- /assets/media/ado-create-new-folder.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/ado-create-new-folder.png -------------------------------------------------------------------------------- /assets/media/ado-user-settings-pat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudyspells/PSRule.Rules.AzureDevOps/HEAD/assets/media/ado-user-settings-pat.png -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/4-question-support.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "❓ Question or Support Request" 3 | about: "Questions and requests for support." 
4 | title: "Support question:" 5 | labels: ["question"] 6 | assignees: webtonize 7 | 8 | --- 9 | 10 | # **❓ Question or Support Request** 11 | 12 | ## **Describe your question or ask for support.** 13 | 14 | 15 | * 16 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Baseline.Default.Rule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: github.com/microsoft/PSRule/v1 2 | kind: Baseline 3 | metadata: 4 | name: Baseline.Default 5 | spec: 6 | rule: 7 | tag: 8 | release: GA 9 | configuration: 10 | ghasEnabled: true 11 | ghasBlockPushesEnabled: true 12 | branchMinimumApproverCount: 1 13 | releaseMinimumProductionApproverCount: 1 14 | lastCommitDays: 90 15 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Baseline.NoExtraLicense.Rule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: github.com/microsoft/PSRule/v1 2 | kind: Baseline 3 | metadata: 4 | name: Baseline.NoExtraLicense 5 | spec: 6 | rule: 7 | tag: 8 | release: GA 9 | exclude: 10 | - Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled 11 | - Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes 12 | configuration: 13 | branchMinimumApproverCount: 1 14 | releaseMinimumProductionApproverCount: 1 15 | -------------------------------------------------------------------------------- /sonar-project.properties: -------------------------------------------------------------------------------- 1 | sonar.projectKey=cloudyspells_PSRule.Rules.AzureDevOps 2 | sonar.organization=cloudyspells 3 | 4 | # This is the name and version displayed in the SonarCloud UI. 5 | sonar.projectName=PSRule.Rules.AzureDevOps 6 | #sonar.projectVersion=1.0 7 | 8 | 9 | # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. 
10 | sonar.sources=./src 11 | 12 | # Encoding of the source code. Default is default system encoding 13 | #sonar.sourceEncoding=UTF-8 -------------------------------------------------------------------------------- /example/best-practice/ps-rule.yaml: -------------------------------------------------------------------------------- 1 | execution: 2 | inconclusiveWarning: false 3 | notProcessedWarning: false 4 | suppressedRuleWarning: false 5 | suppressionGroupExpired: Error 6 | 7 | configuration: 8 | ArtifactMinimumRetentionDays: 7 9 | PullRequestRunsMinimumRetentionDays: 7 10 | ProjectAdminsMinMembers: 2 11 | ProjectAdminsMaxMembers: 4 12 | releaseMinimumProductionApproverCount: 1 13 | branchMinimumApproverCount: 1 14 | ghasEnabled: true 15 | ghasBlockPushesEnabled: true 16 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Selectors.Rule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: github.com/microsoft/PSRule/v1 3 | kind: Selector 4 | metadata: 5 | name: IsProduction 6 | spec: 7 | if: 8 | anyOf: 9 | - field: 'name' 10 | contains: 11 | - 'production' 12 | - 'prod' 13 | - 'prd' 14 | - 'live' 15 | - 'master' 16 | - 'main' 17 | caseSensitive: false 18 | - field: 'name' 19 | match: 'prod|prd|live|master|main' 20 | caseSensitive: false 21 | 22 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Baseline.PublicProject.Rule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: github.com/microsoft/PSRule/v1 2 | kind: Baseline 3 | metadata: 4 | name: Baseline.PublicProject 5 | spec: 6 | rule: 7 | exclude: 8 | - 'Azure.DevOps.Project.Visibility' 9 | - 'Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate' 10 | tag: 11 | release: GA 12 | configuration: 13 | ghasEnabled: true 14 | ghasBlockPushesEnabled: true 15 | 
branchMinimumApproverCount: 1 16 | releaseMinimumProductionApproverCount: 1 17 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/Config.Rule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Synopsis: Module configuration for the PSRule.Rules.AzureDevOps module. 3 | apiVersion: github.com/microsoft/PSRule/v1 4 | kind: ModuleConfig 5 | metadata: 6 | name: PSRule.Rules.AzureDevOps 7 | spec: 8 | binding: 9 | useQualifiedName: true 10 | targetName: 11 | - ObjectName 12 | - name 13 | - displayName 14 | - id 15 | targetType: 16 | - ObjectType 17 | field: 18 | id: [ 'id' ] 19 | name: [ 'name' ] 20 | # convention: 21 | # include: 22 | # - 'AzureDevOps.Objects' 23 | rule: 24 | baseline: Baseline.Default 25 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName 8 | 9 | ## SYNOPSIS 10 | 11 | Pipeline steps should have a display name. 12 | 13 | ## DESCRIPTION 14 | 15 | Pipeline steps should have a display name. This ensures that the pipeline is 16 | easier to read and understand. 17 | 18 | Minimum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider adding a display name to all steps. 
23 | 24 | ## LINKS 25 | 26 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema) 27 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.CommitRecent.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.CommitRecent.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.CommitRecent 8 | 9 | ## SYNOPSIS 10 | 11 | The branch has not seen recent commits. 12 | 13 | ## DESCRIPTION 14 | 15 | The branch has not seen recent commits. This may indicate that the branch is not being 16 | actively maintained or that the team's Git workflow is not being followed. Consider whether 17 | the branch is still needed and, if not, remove it. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider whether the branch is still needed and, if not, remove it. 
24 | 25 | ## LINKS 26 | 27 | - 28 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [cloudyspells] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | # patreon: # Replace with a single Patreon username 5 | # open_collective: # Replace with a single Open Collective username 6 | # ko_fi: # Replace with a single Ko-fi username 7 | # tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | # community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | # liberapay: # Replace with a single Liberapay username 10 | # issuehunt: # Replace with a single IssueHunt username 11 | # otechie: # Replace with a single Otechie username 12 | # lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry 13 | # custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 14 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Readme.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Readme.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Readme 8 | 9 | ## SYNOPSIS 10 | 11 | Use a README.md file in the default branch to explain the project and provide 12 | information. 13 | 14 | ## DESCRIPTION 15 | 16 | When someone visits the repository homepage, the README.md in the default branch 17 | is automatically shown. 
18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider creating a README.md file in the repository's default branch to provide 24 | information about the project. 25 | 26 | ## LINKS 27 | 28 | - [Writing a README](https://opensource.guide/starting-a-project/#writing-a-readme) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName 8 | 9 | ## SYNOPSIS 10 | 11 | Pipeline stappen moeten een weergavenaam hebben. 12 | 13 | ## DESCRIPTION 14 | 15 | Pipeline stappen moeten een weergavenaam hebben. Dit zorgt ervoor dat de pipeline 16 | makkelijker te lezen en te begrijpen is. 17 | 18 | Minimum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om een weergavenaam toe te voegen aan de stappen. 23 | 24 | ## LINKS 25 | 26 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/yaml-schema) 27 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.License.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.License.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.License 8 | 9 | ## SYNOPSIS 10 | 11 | Use a LICENSE file in the default branch to communicate how your project may be used. 
12 | 13 | ## DESCRIPTION 14 | 15 | A software license tells others what they can and can't do with your source code. 16 | Public repositories on Azure DevOps are often used to share open source software. 17 | 18 | To license your project, create a LICENSE file in the repository root. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider creating a LICENSE file in the default branch to communicate how your 25 | project may be used. 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.License.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.License.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.License 8 | 9 | ## SYNOPSIS 10 | 11 | Gebruik een LICENSE bestand in de standaard branch om te communiceren hoe je 12 | project mag worden gebruikt. 13 | 14 | ## DESCRIPTION 15 | 16 | Een software licentie vertelt anderen wat ze wel en niet mogen doen met je 17 | broncode. Openbare repositories op Azure DevOps worden vaak gebruikt om open 18 | source software te delen. 19 | 20 | Om je project te licenseren, maak je een LICENSE bestand in de repository 21 | root. 22 | 23 | Minimum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om een LICENSE bestand in de repository root te maken. -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/3-feature-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "🚀🆕 Feature Request" 3 | about: "Suggest an idea or possible new feature for this project." 
4 | title: "Feature: " 5 | labels: ["enhancement"] 6 | assignees: webtonize 7 | 8 | --- 9 | 10 | # **🚀 Feature Request** 11 | 12 | ## **Is your feature request related to a problem? Please describe.** 13 | 14 | 15 | * 16 | 17 | --- 18 | 19 | ## **Describe the solution you'd like** 20 | 21 | 22 | * 23 | 24 | --- 25 | 26 | ## **Describe alternatives you've considered** 27 | 28 | 29 | * 30 | 31 | --- 32 | 33 | ### **Additional context** 34 | 35 | 36 | * 37 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.Visibility.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.Visibility.md 5 | --- 6 | 7 | # Azure.DevOps.Project.Visibility 8 | 9 | ## SYNOPSIS 10 | 11 | Projects should not be publicly accessible. 12 | 13 | ## DESCRIPTION 14 | 15 | Projects can be configured to be publicly accessible. This means anyone with the URL can 16 | view the project. Consider restricting access to the project to prevent unauthorized access. 17 | 18 | Minimum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider restricting access to the project to prevent unauthorized access. 
23 | 24 | ## LINKS 25 | 26 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 27 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.Readme.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.Readme.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Readme 8 | 9 | ## SYNOPSIS 10 | 11 | Gebruik een README.md bestand in de standaard branch om het project uit te 12 | leggen en informatie te verstrekken. 13 | 14 | ## DESCRIPTION 15 | 16 | Als je een repository maakt, moet je een README.md bestand maken om het 17 | project uit te leggen en informatie te verstrekken. Het README.md bestand 18 | wordt automatisch weergegeven op de repository homepage. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om een README.md bestand in de repository root te maken. 
25 | 26 | ## LINKS 27 | 28 | - [Writing a README](https://opensource.guide/starting-a-project/#writing-a-readme) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest 8 | 9 | ## SYNOPSIS 10 | 11 | Microsoft-hosted agent pools should be pinned to a specific version. 12 | 13 | ## DESCRIPTION 14 | 15 | Microsoft-hosted agent pools should be pinned to a specific version instead of 16 | `latest`. This ensures that the pipeline will not be impacted by changes to the 17 | agent pool and its operating system. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider pinning the agent pool to a specific version. 24 | 25 | ## LINKS 26 | 27 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.SelfApproval 8 | 9 | ## SYNOPSIS 10 | 11 | An environment scoped to production should not allow self-approval. 
12 | 13 | ## DESCRIPTION 14 | 15 | An environment scoped to production should not allow self-approval. This 16 | rule checks whether a release stage environment scoped to production has 17 | self-approval enabled. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider disabling self-approval for the environment. 24 | 25 | ## LINKS 26 | 27 | - [Release Pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/release/?view=azure-devops) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.Description.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.Description 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Pipelines environment zou een beschrijving moeten hebben. 12 | 13 | ## DESCRIPTION 14 | 15 | Het toevoegen van een beschrijving aan een Azure DevOps Pipelines 16 | environment kan helpen bij het begrijpen van de context van de environment. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om een beschrijving toe te voegen aan de Azure DevOps Pipelines 23 | environment. 
24 | 25 | ## LINKS 26 | 27 | - [Create an environment](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.Description.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.Description 8 | 9 | ## SYNOPSIS 10 | 11 | An environment should have a description to help users understand the purpose 12 | of the environment. 13 | 14 | ## DESCRIPTION 15 | 16 | Adding a description to an environment helps users understand the purpose 17 | of the environment, and therefore how and when it should be 18 | used. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding a description to the environment. 
25 | 26 | ## LINKS 27 | 28 | - [Create an environment](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Repository permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Repository permissions should not be inherited from the project. Inherited 16 | permissions can lead to unexpected access to repositories and branches. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider removing inherited permissions from the repository and setting 23 | permissions explicitly. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Core.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Pipeline permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Pipeline permissions should not be inherited from the project. Inherited 16 | permissions can lead to unexpected access to resources. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider removing inherited permissions from the pipeline and setting 23 | permissions explicitly. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.SelfApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.SelfApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Een release stage die is beperkt tot productie mag geen zelfgoedkeuring toestaan. 12 | 13 | ## DESCRIPTION 14 | 15 | Een release stage die is beperkt tot productie mag geen zelfgoedkeuring toestaan. Deze 16 | regel controleert of een release stage die is beperkt tot productie zelfgoedkeuring heeft ingeschakeld. 17 | 18 | Minimum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om zelfgoedkeuring voor de omgeving uit te schakelen. 
23 | 24 | ## LINKS 25 | 26 | - [Release Pipelines](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/release/?view=azure-devops) 27 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Distributed Task 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.Description.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.Description 8 | 9 | ## SYNOPSIS 10 | 11 | A variable group should have a description to help users understand the 12 | purpose of the variable group. 13 | 14 | ## DESCRIPTION 15 | 16 | Adding a description to a variable group will help users understand the 17 | purpose of the variable group. This will help users understand how and when 18 | it should be used. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding a description to the variable group. 25 | 26 | ## LINKS 27 | 28 | - [Variable groups](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Repository permissies mogen niet worden geërfd van het project. 
12 | 13 | ## DESCRIPTION 14 | 15 | Repository permissies mogen niet worden geërfd van het project. Geërfde 16 | permissies kunnen leiden tot onverwachte toegang tot repositories en branches. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om geërfde permissies uit de repository te verwijderen en expliciet 23 | permissies in te stellen. 24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Repositories should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Repositories should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to the repository to all users. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the repository ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Core.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Pipeline permissies mogen niet worden geërfd van het project. 12 | 13 | ## DESCRIPTION 14 | 15 | Pipeline permissies mogen niet worden geërfd van het project. Geërfde 16 | permissies kunnen leiden tot onverwachte toegang tot resources. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om geërfde permissies uit de pipeline te verwijderen en expliciet 23 | permissies in te stellen. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest 8 | 9 | ## SYNOPSIS 10 | 11 | Microsoft Hosted agent pools zouden vastgepind moeten worden op een versie. 12 | 13 | ## DESCRIPTION 14 | 15 | Microsoft Hosted agent pools zouden vastgepind moeten worden op een versie. Dit 16 | zorgt ervoor dat de pipeline niet beïnvloed wordt door wijzigingen aan de agent 17 | pool en het besturingssysteem. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Overweeg om de agent pool vast te pinnen op een specifieke versie. 
24 | 25 | ## LINKS 26 | 27 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/yaml-schema) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionBranchLimit 8 | 9 | ## SYNOPSIS 10 | 11 | A production environment should be limited to the branches it can be used in. 12 | 13 | ## DESCRIPTION 14 | 15 | A production environment should be limited to the branches it can be used in. This ensures 16 | the environment is not used in a non-production branch. This rule checks if the 17 | environment is limited to a production branch. 18 | 19 | Minimum TokenType: `FineGrained` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider limiting the environment to a production branch. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Pipelines Environments](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Core.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Pipelines should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Pipelines should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to the pipeline to all users. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the pipeline ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate 8 | 9 | ## SYNOPSIS 10 | 11 | Status badges should not be publicly accessible. 12 | 13 | ## DESCRIPTION 14 | 15 | Status badges are publicly accessible by default. This means anyone with the URL can view 16 | the status of a pipeline. Consider restricting access to status badges to prevent 17 | unauthorized access. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider restricting access to status badges to prevent unauthorized access. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.Description.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.Description 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection should have a description to help users understand the 12 | purpose of the service connection. 13 | 14 | ## DESCRIPTION 15 | 16 | Adding a description to a service connection will help users understand the 17 | purpose of the service connection. This will help users understand how and when 18 | it should be used. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding a description to the service connection. 
25 | 26 | ## LINKS 27 | 28 | - [Create a service connection](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&tabs=yaml) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Variable Groups 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Variable group permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Variable group permissions should not be inherited from the project. Inherited 16 | permissions can lead to unexpected access to sensitive information. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider removing inherited permissions from the variable group and setting 23 | permissions explicitly. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Environments 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Environment permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Environment permissions should not be inherited from the project. 16 | Inherited permissions can lead to unexpected access to sensitive information 17 | and resources. 18 | 19 | Minimum TokenType: `FineGrained` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider removing inherited permissions from the environment and setting 24 | permissions explicitly. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Environments 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Environments should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Environments should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to the environment to all users. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the environment ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Release Pipeline permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Release Pipeline permissions should not be inherited from the project. Inherited 16 | permissions can lead to unexpected access to resources. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider removing inherited permissions from the release pipeline and setting 23 | permissions explicitly. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Variable Groups 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Variable groups should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Variable groups should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to all variables in the group. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the variable group ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionBranchLimit.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionBranchLimit 8 | 9 | ## SYNOPSIS 10 | 11 | Een productie environment moet beperkt zijn in de branches waarin deze kan worden gebruikt. 12 | 13 | ## DESCRIPTION 14 | 15 | Een productie environment moet beperkt zijn in de branches waarin deze kan worden gebruikt. Dit zorgt ervoor dat de omgeving niet wordt gebruikt in een 16 | niet-productiebranch. Deze regel controleert of de environment is beperkt tot een 17 | productiebranch. 18 | 19 | Minimum TokenType: `FineGrained` 20 | 21 | ## RECOMMENDATION 22 | 23 | Overweeg om de environment te beperken tot een productiebranch. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Pipelines Environments](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/process/environments) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionBranchLimit.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionBranchLimit.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionBranchLimit 8 | 9 | ## SYNOPSIS 10 | 11 | A production service connection should be limited in the branches it can be used 12 | in. 13 | 14 | ## DESCRIPTION 15 | 16 | A production service connection should be limited in the branches it can be used 17 | in. This ensures that the service connection is not used in a non-production 18 | branch. This rule checks that the service connection is limited to a production 19 | branch. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Consider limiting the service connection to a production branch. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Service connections](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Distributed Task 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.Description.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.Description 8 | 9 | ## SYNOPSIS 10 | 11 | Een variabele groep zou een beschrijving moeten hebben om gebruikers te 12 | helpen het doel van de variabele groep te begrijpen. 13 | 14 | ## DESCRIPTION 15 | 16 | Het toevoegen van een beschrijving aan een variabele groep zal gebruikers 17 | helpen het doel van de variabele groep te begrijpen. Dit zal gebruikers 18 | helpen te begrijpen hoe en wanneer het moet worden gebruikt. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om een beschrijving toe te voegen aan de variabele groep. 
25 | 26 | ## LINKS 27 | 28 | - [Variable groups](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Service connection permissions should not be inherited from the project. 12 | 13 | ## DESCRIPTION 14 | 15 | Service connection permissions should not be inherited from the project. 16 | Inherited permissions can lead to unexpected access to sensitive information 17 | and resources. 18 | 19 | Minimum TokenType: `FineGrained` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider removing inherited permissions from the service connection and setting 24 | permissions explicitly. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.InheritedPermissions 8 | 9 | ## SYNOPSIS 10 | 11 | Release Pipeline permissies mogen niet worden overgenomen van het project. 12 | 13 | ## DESCRIPTION 14 | 15 | Release Pipeline permissies mogen niet worden overgenomen van het project. Geërfde 16 | permissies kunnen leiden tot onverwachte toegang tot resources. 17 | 18 | Minimum TokenType: `FineGrained` 19 | 20 | ## RECOMMENDATION 21 | 22 | Overweeg om geërfde permissies uit de release pipeline te verwijderen en expliciete 23 | permissies in te stellen. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Release definitions should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Release definitions should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to the release definition to all users. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the release definition ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Service connections should not be assigned directly to the Project Valid Users 12 | group. 13 | 14 | ## DESCRIPTION 15 | 16 | Service connections should not be assigned directly to the Project Valid Users 17 | group. This group is inherited by all users in the project and will grant 18 | access to the service connection to all users. 19 | 20 | Minimum TokenType: `FineGrained` 21 | 22 | ## RECOMMENDATION 23 | 24 | Remove the Project Valid Users group from the service connection ACL. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should limit job authorization scope. 12 | 13 | ## DESCRIPTION 14 | 15 | Limiting the job authorization scope to the current project will prevent the job from 16 | being able to access resources in other projects. This can help prevent accidental 17 | access to resources in other projects. 18 | 19 | Minimum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider limiting the job authorization scope to the current project in the project settings. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.Description.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.Description.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.Description 8 | 9 | ## SYNOPSIS 10 | 11 | Een service connection zou een beschrijving moeten hebben om gebruikers te 12 | helpen het doel van de service connection te begrijpen. 13 | 14 | ## DESCRIPTION 15 | 16 | Het toevoegen van een beschrijving aan een service connection zal gebruikers 17 | helpen het doel van de service connection te begrijpen. Dit zal gebruikers 18 | helpen te begrijpen hoe en wanneer het moet worden gebruikt. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om een beschrijving toe te voegen aan de service connection. 
25 | 26 | ## LINKS 27 | 28 | - [Create a service connection](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&tabs=yaml) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionBranchLimit.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionBranchLimit.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionBranchLimit 8 | 9 | ## SYNOPSIS 10 | 11 | Een productieserviceverbinding moet beperkt zijn in de branches waarin deze kan worden gebruikt. 12 | 13 | ## DESCRIPTION 14 | 15 | Een productieserviceverbinding moet beperkt zijn in de branches waarin deze kan worden gebruikt. Dit zorgt ervoor dat de serviceverbinding niet wordt gebruikt in een 16 | niet-productiebranch. Deze regel controleert of de serviceverbinding is beperkt tot een 17 | productiebranch. 18 | 19 | Mininum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Overweeg om de serviceverbinding te beperken tot een productiebranch. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Service connections](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/library/service-endpoints?view=azure-devops) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md 5 | --- 6 | 7 | # Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups 8 | 9 | ## SYNOPSIS 10 | 11 | The project valid users group should not be a member of any other group. 12 | 13 | ## DESCRIPTION 14 | 15 | The project valid users group is the minimum permissions level group for a 16 | project. This group should not be a member of any other group. This rule applies 17 | to the default project valid users group. 18 | 19 | Mininum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider removing the project valid users group from any other groups. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes 8 | 9 | ## SYNOPSIS 10 | 11 | Configure GitHub Advanced Security to block pushes not meeting security requirements. 12 | 13 | ## DESCRIPTION 14 | 15 | GitHub Advanced Security provides a suite of security features for Azure DevOps 16 | repositories. This rule checks if GitHub Advanced Security is configured to block 17 | pushes not meeting security requirements. 18 | 19 | Mininum TokenType: `FullAccess` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider configuring GitHub Advanced Security to block pushes not meeting security 24 | requirements. 
25 | 26 | ## LINKS 27 | 28 | - [Configure GitHub Advanced Security](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml) 29 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 cloudyspells 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should require a comment for pull requests from a fork. 12 | 13 | ## DESCRIPTION 14 | 15 | Before building a fork, a member of the project should review the changes and approve the pull request. This can help prevent malicious code from being introduced into the project. 16 | 17 | Mininum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider requiring a comment for pull requests from a fork in the project settings. 
22 | 23 | ## LINKS 24 | 25 | - [Azure DevOps Security best practices - Repos and branches](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#repositories-and-branches) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should enforce sanitization of shell task arguments to prevent command injection. 12 | 13 | ## DESCRIPTION 14 | 15 | Shell tasks can be used to run arbitrary commands on the agent. If the arguments are not sanitized, it is possible for a malicious actor to inject additional commands into the arguments. This can lead to the execution of malicious code on the agent. 16 | 17 | Mininum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider enforcing sanitization of shell task arguments in the project settings. 
22 | 23 | ## LINKS 24 | 25 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Variable groups should not contain secrets in plain text. 12 | 13 | ## DESCRIPTION 14 | 15 | Variable groups should not contain secrets in plain text. Secrets should be stored in 16 | Azure Key Vault and referenced in the variable group. This will prevent the secret from 17 | being exposed in the build logs. If the secret is stored in plain text, it will be 18 | exposed in the build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider storing secrets in Azure Key Vault and referencing them in the variable group. 25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/2-docs-bug-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "📚 Documentation or README.md issue report" 3 | about: "Report an issue in the project's documentation or README.md file." 
4 | title: "Docs issue: " 5 | labels: ["documentation","bug"] 6 | assignees: webtonize 7 | 8 | --- 9 | # **📚 Documentation Issue Report** 10 | 11 | ## **Describe the bug** 12 | 13 | 14 | * 15 | 16 | --- 17 | 18 | ### **To Reproduce** 19 | 20 | 26 | 27 | 28 | 29 | 1. 30 | 2. 31 | 3. 32 | 4. 33 | 34 | --- 35 | 36 | ### **Media prove** 37 | 38 | 39 | --- 40 | 41 | ## **Describe the solution you'd like** 42 | 43 | 44 | * 45 | 46 | --- 47 | 48 | ### **Additional context** 49 | 50 | 51 | * 52 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Core.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Build pipeline variables should not contain secrets in plain text. 12 | 13 | ## DESCRIPTION 14 | 15 | Build pipeline variables should not contain secrets in plain text. Secrets should be 16 | stored in Azure Key Vault and referenced in the variable group. This will prevent the 17 | secret from being exposed in the build logs. If the secret is stored in plain text, it 18 | will be exposed in the build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider storing secrets in Azure Key Vault and referencing them in the variable group. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Distributed Task 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | A variable group should not contain any secrets when it is not linked to a key vault. 12 | 13 | ## DESCRIPTION 14 | 15 | A variable group should not contain any secrets when it is not linked to a key vault. This is because the secrets will be stored in plain text in the variable group and can be viewed by anyone with access to the variable group. 16 | 17 | Mininum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider removing any secrets from the variable group or replacing them with variables that are linked to a key vault. 
22 | 23 | ## LINKS 24 | 25 | - [Create a variable group with key vault](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should limit setting variables at queue time. 12 | 13 | ## DESCRIPTION 14 | 15 | Setting variables at queue time can be used to override variables defined in the 16 | pipeline. This can be useful for testing or debugging. However, this can also be 17 | used to override variables that are used to control the behavior of the pipeline 18 | and may result in unexpected behavior. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider disabling the ability to set variables at queue time in the project settings. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Policies](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#policies) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainPipelineAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainPipelineAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainPipelineAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level pipeline acl should not have custom permissions for Project Valid Users 12 | 13 | ## DESCRIPTION 14 | 15 | Azure DevOps allows you to set custom permissions for Project Valid Users on the project level pipeline acl. This is not recommended as it can lead to unintended access to pipelines. It is recommended to use the default permissions for Project Valid Users and use custom permissions for specific users or custom groups. 16 | 17 | Mininum TokenType: `FineGrained` 18 | 19 | ## RECOMMENDATION 20 | 21 | Remove the Project Valid Users group from the pipeline acl. 
22 | 23 | ## LINKS 24 | 25 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes 8 | 9 | ## SYNOPSIS 10 | 11 | Configureer GitHub Advanced Security om pushes te blokkeren die niet voldoen aan de 12 | beveiligingseisen. 13 | 14 | ## DESCRIPTION 15 | 16 | GitHub Advanced Security biedt een reeks beveiligingsfuncties voor Azure DevOps 17 | repositories. Deze regel controleert of GitHub Advanced Security is geconfigureerd om 18 | pushes te blokkeren die niet voldoen aan de beveiligingseisen. 19 | 20 | Minimum TokenType: `FullAccess` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om GitHub Advanced Security te configureren om pushes te blokkeren die niet 25 | voldoen aan de beveiligingseisen. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md 5 | --- 6 | 7 | # Azure.DevOps.Groups.ProjectAdmins.MaxMembers 8 | 9 | ## SYNOPSIS 10 | 11 | The project administrators group should have at most 4 members. 12 | 13 | ## DESCRIPTION 14 | 15 | The project administrators group should have at most 4 members. This ensures that there are not too many people who can manage the project. This rule applies to the default project administrators group. 16 | 17 | Minimum TokenType: `ReadOnly` 18 | 19 | This setting is configurable and can be changed to suit your organization's needs with `ProjectAdminsMaxMembers` in the `configuration` section of your ps-rule.yaml file. 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider removing members from the project administrators group. 
24 | 25 | ## LINKS 26 | 27 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten een opmerking vereisen voor pull-aanvragen van een fork. 12 | 13 | ## DESCRIPTION 14 | 15 | Voordat een fork wordt gebouwd, moet een lid van het project de wijzigingen bekijken en de 16 | pull-aanvraag goedkeuren. Dit kan helpen voorkomen dat er kwaadaardige code in het project 17 | wordt geïntroduceerd. 18 | 19 | Mininum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Overweeg om een opmerking te vereisen voor pull-aanvragen van een fork in de 24 | projectinstellingen. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Repos and branches](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#repositories-and-branches) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten de machtigingsomvang van de taak beperken tot het huidige project. 12 | 13 | ## DESCRIPTION 14 | 15 | Het beperken van de machtigingsomvang van de taak tot het huidige project voorkomt dat de taak toegang krijgt tot resources in andere projecten. Dit kan helpen voorkomen dat er per ongeluk toegang wordt verkregen tot resources in andere projecten. 16 | 17 | Minimum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Overweeg om de machtigingsomvang van de taak voor release-pipelines te beperken tot het huidige project in de projectinstellingen. 
22 | 23 | ## LINKS 24 | 25 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Release pipeline variables should not contain secrets in plain text. 12 | 13 | ## DESCRIPTION 14 | 15 | Release pipeline variables should not contain secrets in plain text. Secrets should be 16 | stored in Azure Key Vault and referenced in the variable group. This will prevent the 17 | secret from being exposed in the build logs. If the secret is stored in plain text, it 18 | will be exposed in the build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider storing secrets in Azure Key Vault and referencing them in the variable group. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Core.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Build pipelines zouden geen geheimen in platte tekst moeten bevatten. 12 | 13 | ## DESCRIPTION 14 | 15 | Build pipeline-variabelen mogen geen geheimen in platte tekst bevatten. Geheimen moeten 16 | worden opgeslagen in Azure Key Vault en worden gerefereerd in de variabele groep. Dit zal 17 | voorkomen dat het geheim wordt blootgesteld in de build logs. Als het geheim in platte 18 | tekst wordt opgeslagen, wordt het blootgesteld in de build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om geheimen op te slaan in Azure Key Vault en ze te refereren in de variabele 25 | groep. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten het saneren van argumenten van shell-taken afdwingen om commando-injectie te voorkomen. 12 | 13 | ## DESCRIPTION 14 | 15 | Shell-taken kunnen worden gebruikt om willekeurige opdrachten op de agent uit te voeren. 16 | Als de argumenten niet worden gesaneerd, is het mogelijk dat een kwaadwillende extra 17 | opdrachten in de argumenten injecteert. Dit kan leiden tot de uitvoering van kwaadaardige 18 | code op de agent. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om het saneren van argumenten van shell-taken af te dwingen in de 25 | projectinstellingen. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MinMembers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MinMembers.md 5 | --- 6 | 7 | # Azure.DevOps.Groups.ProjectAdmins.MinMembers 8 | 9 | ## SYNOPSIS 10 | 11 | The project administrators group should have at least 2 members. 12 | 13 | ## DESCRIPTION 14 | 15 | The project administrators group should have at least 2 members. This ensures that there is more than one person who can manage the project. This rule applies to the default project administrators group. 16 | 17 | 18 | Mininum TokenType: `ReadOnly` 19 | 20 | This setting is configurable and can be changed to suit your organization's needs with `ProjectAdminsMinMembers` in the `configuration` section of your ps-rule.yaml file. 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding more than one member to the project administrators group. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Variable groups zouden geen geheimen in platte tekst moeten bevatten. 12 | 13 | ## DESCRIPTION 14 | 15 | Variable groups zouden geen geheimen in platte tekst moeten bevatten. Geheimen moeten 16 | worden opgeslagen in Azure Key Vault en worden gerefereerd in de variabele groep. Dit 17 | voorkomt dat het geheim wordt blootgesteld in de build logs. Als het geheim in platte 18 | tekst wordt opgeslagen, wordt het blootgesteld in de build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om geheimen op te slaan in Azure Key Vault en ze te refereren in de variabele 25 | groep. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled 8 | 9 | ## SYNOPSIS 10 | 11 | Enable GitHub Advanced Security for the repository for a suite of security features. 12 | 13 | ## DESCRIPTION 14 | 15 | GitHub Advanced Security provides a suite of security features for Azure DevOps 16 | repositories. This rule checks if GitHub Advanced Security is enabled for the 17 | repository. 18 | 19 | GitHub Advanced Security adds the following features: 20 | 21 | - Code scanning 22 | - Secret scanning push protection 23 | - Secret scanning repo scanning 24 | - Dependency scanning 25 | 26 | Mininum TokenType: `FullAccess` 27 | 28 | ## RECOMMENDATION 29 | 30 | Consider enabling GitHub Advanced Security for the repository. 
31 | 32 | ## LINKS 33 | 34 | - [Configure GitHub Advanced Security](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml) 35 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainRepositoryAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainRepositoryAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainRepositoryAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level repository acl should not have custom permissions for Project Valid 12 | Users 13 | 14 | ## DESCRIPTION 15 | 16 | Project level repository acl should not have custom permissions for Project Valid 17 | Users. The Project Valid Users group is a special group that is automatically 18 | created when a project is created. It contains all users and groups that have 19 | been added to the project. This group should not be used to grant permissions to 20 | a repository. 21 | 22 | Mininum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Remove the Project Valid Users group from the repository acl. 
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainVariableGroupAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainVariableGroupAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainVariableGroupAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level variable group acl should not have custom permissions for Project Valid 12 | Users 13 | 14 | ## DESCRIPTION 15 | 16 | Project level variable group acl should not have custom permissions for Project Valid 17 | Users. The Project Valid Users group is a special group that is automatically 18 | created when a project is created. It contains all users and groups that have 19 | been added to the project. This group should not be used to grant permissions to 20 | the variable groups. 21 | 22 | Minimum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Remove the Project Valid Users group from the variable group acl. 
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainEnvironmentAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainEnvironmentAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainEnvironmentAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level environment acl should not have custom permissions for Project Valid 12 | Users 13 | 14 | ## DESCRIPTION 15 | 16 | Project level environment acl should not have custom permissions for Project Valid 17 | Users. The Project Valid Users group is a special group that is automatically 18 | created when a project is created. It contains all users and groups that have 19 | been added to the project. This group should not be used to grant permissions to 20 | the environments. 21 | 22 | Mininum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Remove the Project Valid Users group from the environment acl. 
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionCheckProtection.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionCheckProtection.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionCheckProtection 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection scoped to production should be protected. This will help 12 | ensure no accidental changes are made to the production resources. 13 | 14 | ## DESCRIPTION 15 | 16 | Protecting a service connection with one or more checks will help prevent 17 | accidental changes to production resources. For example, a service connection 18 | scoped to production should be protected with a check that requires a minimum 19 | number of reviewers or a specific CI pipeline must pass. 20 | 21 | Mininum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Consider protecting a service connection scoped to production with one or 26 | more checks. 
27 | 28 | ## LINKS 29 | 30 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 31 | 32 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.NoPlainTextSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Release pipelines zouden geen geheimen in platte tekst moeten bevatten. 12 | 13 | ## DESCRIPTION 14 | 15 | Release pipeline-variabelen mogen geen geheimen in platte tekst bevatten. Geheimen moeten 16 | worden opgeslagen in Azure Key Vault en worden gerefereerd in de variabele groep. Dit zal 17 | voorkomen dat het geheim wordt blootgesteld in de build logs. Als het geheim in platte 18 | tekst wordt opgeslagen, wordt het blootgesteld in de build logs. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om geheimen op te slaan in Azure Key Vault en ze te refereren in de variabele 25 | groep. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainReleaseDefinitionAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/Azure.DevOps.Project.MainReleaseDefinitionAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainReleaseDefinitionAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level release definition acl should not have custom permissions for Project Valid 12 | Users 13 | 14 | ## DESCRIPTION 15 | 16 | Project level release definition acl should not have custom permissions for Project Valid 17 | Users. The Project Valid Users group is a special group that is automatically 18 | created when a project is created. It contains all users and groups that have 19 | been added to the project. This group should not be used to grant permissions to 20 | the release definitions. 21 | 22 | Mininum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Remove the Project Valid Users group from the release definition acl. 
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Distributed Task 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets.md 5 | --- 6 | 7 | # Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets 8 | 9 | ## SYNOPSIS 10 | 11 | Een variabele groep zou geen geheimen moeten bevatten wanneer deze niet is 12 | gekoppeld aan een key vault. 13 | 14 | ## DESCRIPTION 15 | 16 | Een variabele groep zou geen geheimen moeten bevatten wanneer deze niet is 17 | gekoppeld aan een key vault. Dit komt omdat de geheimen in platte tekst 18 | worden opgeslagen in de variabele groep en kunnen worden bekeken door 19 | iedereen met toegang tot de variabele groep. 20 | 21 | Mininum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om alle geheimen uit de variabele groep te verwijderen of te 26 | vervangen door variabelen die zijn gekoppeld aan een key vault. 
27 | 28 | ## LINKS 29 | 30 | - [Create a variable group with key vault](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled 8 | 9 | ## SYNOPSIS 10 | 11 | Schakel GitHub Advanced Security in voor het repository voor een reeks 12 | beveiligingsfuncties. 13 | 14 | ## DESCRIPTION 15 | 16 | GitHub Advanced Security biedt een reeks beveiligingsfuncties voor Azure DevOps 17 | repositories. Deze regel controleert of GitHub Advanced Security is ingeschakeld 18 | voor het repository. 19 | 20 | GitHub Advanced Security voegt de volgende functies toe: 21 | 22 | - Code scannen 23 | - Secret scannen push-bescherming 24 | - Secret scannen repo scannen 25 | - Afhankelijkheid scannen 26 | 27 | Mininum TokenType: `FullAccess` 28 | 29 | ## RECOMMENDATION 30 | 31 | Overweeg om GitHub Advanced Security in te schakelen voor het repository. 
32 | 33 | ## LINKS 34 | 35 | - [Configureer GitHub Advanced Security](https://learn.microsoft.com/nl-nl/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml) 36 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.UseYamlDefinition.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.UseYamlDefinition.md 5 | --- 6 | 7 | # Use YAML pipeline definitions 8 | 9 | ## SYNOPSIS 10 | 11 | Use YAML pipeline definitions to define build and release pipelines. 12 | 13 | ## DESCRIPTION 14 | 15 | Using YAML pipeline definitions allows you to define build and release pipelines 16 | as code. This allows you to manage changes to your pipelines in the same way as 17 | you manage changes to your application code. You can use source control to view 18 | changes to your pipelines, roll back to previous versions, and easily collaborate 19 | with other developers on your team. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Use YAML pipeline definitions to define build and release pipelines. 
26 | 27 | ## LINKS 28 | 29 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema) 30 | - [Azure DevOps security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#definitions) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainServiceConnectionAcl.ProjectValidUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Projects 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Project.MainServiceConnectionAcl.ProjectValidUsers.md 5 | --- 6 | 7 | # Azure.DevOps.Project.MainServiceConnectionAcl.ProjectValidUsers 8 | 9 | ## SYNOPSIS 10 | 11 | Project level service connection acl should not have custom permissions for Project Valid 12 | Users 13 | 14 | ## DESCRIPTION 15 | 16 | Azure DevOps allows you to set custom permissions for Project Valid Users on the project 17 | level service connection acl. This is not recommended as it can lead to unintended access 18 | to service connections. It is recommended to use the default permissions for Project Valid 19 | Users and use custom permissions for specific users or custom groups. 20 | 21 | 22 | Mininum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Remove the Project Valid Users group from the service connection acl. 
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scoped-permissions) 31 | -------------------------------------------------------------------------------- /pipelines/README.md: -------------------------------------------------------------------------------- 1 | Example Azure DevOps Pipeline 2 | ============================= 3 | 4 | This folder contains an example Azure DevOps Pipeline that can be used to 5 | validate the rules in this module against your own Azure DevOps project. 6 | 7 | Copy the contents of this folder to your own Azure DevOps repository and 8 | update the `azure-pipelines.yml` file to point to your own organization and project using 9 | the variables `devops_organization` and `devops_project`. The variable 10 | group `my-group` is used to store the PAT for the Azure DevOps project. 11 | The variable should be named `ADOPAT`. Mark `ADOPAT` as a secret variable (or link the variable group to a key vault) so that the token is not stored in plain text or exposed in the pipeline logs. 12 | 13 | ```yaml 14 | variables: 15 | - group: my-group 16 | - name: devops_organization 17 | value: "MyOrg" 18 | - name: devops_project 19 | value: "MyProject" 20 | ``` 21 | 22 | The pipeline will run the `Export-AzDevOpsRuleData` command to export the 23 | data from the Azure DevOps project and then run the `Assert-PSRule` command 24 | to validate the rules in this module against the exported data. 25 | 26 | The pipeline will fail if any of the rules fail. The output of the 27 | `Assert-PSRule` command will be stored as an artifact in the pipeline 28 | run. The results can be viewed with the Sarif Viewer extension in Azure 29 | DevOps. 
30 | 31 | ![Sarif Viewer](../assets/media/sarif-0.0.11.png) 32 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionHumanApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ProductionHumanApproval.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionHumanApproval 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection scoped to production should be protected by a human review 12 | and approval. This will help ensure no accidental changes are made to the 13 | production resources. 14 | 15 | ## DESCRIPTION 16 | 17 | Protecting a service connection with a human check will help prevent accidental 18 | changes to production resources. For example, a service connection scoped to 19 | production should be protected with a check that requires a minimum number of 20 | reviewers or a specific CI pipeline must pass. 21 | 22 | Mininum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider protecting a service connection scoped to production with a human 27 | approval step. 
28 | 29 | ## LINKS 30 | 31 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 32 | 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten het instellen van variabelen bij het wachtrijen beperken. 12 | 13 | ## DESCRIPTION 14 | 15 | Het instellen van variabelen bij het wachtrijen kan worden gebruikt om variabelen die in de 16 | pipeline zijn gedefinieerd te overschrijven. Dit kan handig zijn voor testen of debuggen. 17 | Dit kan echter ook worden gebruikt om variabelen te overschrijven die worden gebruikt om 18 | het gedrag van de pipeline te regelen en kan resulteren in onverwacht gedrag. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om het instellen van variabelen bij het wachtrijen uit te schakelen in de 25 | projectinstellingen. 
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices - Policies](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#policies) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured to define a merge strategy for pull requests. 12 | 13 | ## DESCRIPTION 14 | 15 | Define a merge strategy for pull requests so that changes are merged in a consistent way, which reduces the risk of merge conflicts. 16 | 17 | Minimum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider enabling the policy to define a merge strategy for pull requests. 
22 | 23 | ## LINKS 24 | 25 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 26 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 27 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyMergeStrategy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyMergeStrategy.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyMergeStrategy 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured on the default branch to define a merge strategy for pull requests. 12 | 13 | ## DESCRIPTION 14 | 15 | Define a merge strategy for pull requests on the default branch so that changes are merged in a consistent way, which reduces the risk of merge conflicts. 16 | 17 | Minimum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider enabling the policy to define a merge strategy for pull requests. 
22 | 23 | ## LINKS 24 | 25 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 26 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 27 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Change authors should not be allowed to approve their own changes. 12 | 13 | ## DESCRIPTION 14 | 15 | The branch policy should not allow creators to approve 16 | their own changes. This will help ensure that the code in the default branch 17 | is of a high quality and that the team's Git workflow is followed. 18 | 19 | Mininum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider disabling the option to allow creators to approve their own changes. 
24 | 25 | ## LINKS 26 | 27 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 28 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 29 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should limit job authorization scope for YAML pipelines. 12 | 13 | ## DESCRIPTION 14 | 15 | YAML pipelines can be used to deploy to multiple environments. Each environment 16 | can be configured to use a different set of resources. Limiting the job authorization 17 | scope to the current project will prevent the job from being able to access resources 18 | in other projects. This can help prevent accidental access to resources in other projects. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider limiting the job authorization scope for YAML pipelines to the current project in the project settings. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured to require comments for pull requests to be 12 | resolved. 13 | 14 | ## DESCRIPTION 15 | 16 | Require comments for pull requests to be resolved to ensure that all comments are addressed. This helps to ensure that all comments are addressed and improves the quality of the pull request. 17 | 18 | Mininum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider enabling the policy to require comments for pull requests to be resolved. 
23 | 24 | ## LINKS 25 | 26 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 27 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 28 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should limit job authorization scope for release pipelines. 12 | 13 | ## DESCRIPTION 14 | 15 | Release pipelines can be used to deploy to multiple environments. Each environment 16 | can be configured to use a different set of resources. Limiting the job authorization 17 | scope to the current project will prevent the job from being able to access resources 18 | in other projects. This can help prevent accidental access to resources in other projects. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider limiting the job authorization scope for release pipelines to the current project in the project settings. 
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Retention Settings 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays.md 5 | --- 6 | 7 | # Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays 8 | 9 | ## SYNOPSIS 10 | 11 | Retention settings for pull request runs should be configured to meet compliance 12 | requirements such as 30 days for production environments. 13 | 14 | ## DESCRIPTION 15 | 16 | Retention settings for pull request runs should be configured to meet compliance 17 | requirements such as 30 days for production environments. 18 | 19 | This rule requires a minimum retention period of 7 days. The rule is configurable 20 | to allow a different minimum retention period with the 21 | `PullRequestRunsMinimumRetentionDays` configuration setting. 22 | 23 | Minimum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Consider setting a minimum retention period of at least 7 days for pull request runs. 
28 | 29 | ## LINKS 30 | 31 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 32 | 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionCheckProtection 8 | 9 | ## SYNOPSIS 10 | 11 | An environment scoped to production should be protected with one or more 12 | checks to prevent accidental changes to production resources. 13 | 14 | ## DESCRIPTION 15 | 16 | An environment scoped to production should be protected with one or more 17 | checks to prevent accidental changes to production resources. Checks can 18 | be used to require a user to approve a deployment or require a successful 19 | build before a deployment can be made. 20 | 21 | Mininum TokenType: `FineGrained` 22 | 23 | ## RECOMMENDATION 24 | 25 | Consider adding one or more checks to the environment. 
26 | 27 | ## LINKS 28 | 29 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 30 | - [Create an environment](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyAllowSelfApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyAllowSelfApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyAllowSelfApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Change authors should not be allowed to approve their own changes. 12 | 13 | ## DESCRIPTION 14 | 15 | The branch policy on the default branch should not allow creators to approve 16 | their own changes. This will help ensure that the code in the default branch 17 | is of a high quality and that the team's Git workflow is followed. 18 | 19 | Mininum TokenType: `ReadOnly` 20 | 21 | ## RECOMMENDATION 22 | 23 | Consider disabling the option to allow creators to approve their own changes. 
24 | 25 | ## LINKS 26 | 27 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 28 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 29 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyCommentResolution.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyCommentResolution.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyCommentResolution 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured on the default branch to require comments for 12 | pull requests to be resolved. 13 | 14 | ## DESCRIPTION 15 | 16 | Require comments for pull requests to be resolved to ensure that all comments are addressed. This helps to ensure that all comments are addressed and improves the quality of the pull request. 17 | 18 | Mininum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider enabling the policy to require comments for pull requests to be resolved. 
23 | 24 | ## LINKS 25 | 26 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 27 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 28 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured to require linked work items for pull requests. 12 | 13 | ## DESCRIPTION 14 | 15 | Require linked work items for pull requests to ensure that changes are associated with a work item. This helps to track changes and ensure that changes are associated with a work item and thus documented in some way. 16 | 17 | Mininum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider enabling the policy to require linked work items for pull requests. 
22 | 23 | ## LINKS 24 | 25 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 26 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 27 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 28 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval 8 | 9 | ## SYNOPSIS 10 | 11 | An environment scoped to production should be protected by a human review. 12 | 13 | ## DESCRIPTION 14 | 15 | Protecting a release pipeline production stage with a human check will help prevent 16 | accidental changes to production resources. For example, a service connection scoped 17 | to production should be protected with a check that requires a minimum number of 18 | reviewers or that a specific CI pipeline passes. 19 | 20 | You can configure the minimum number of approvers for this rule by setting the 21 | `releaseMinimumProductionApproverCount` configuration value in PSRule. The default 22 | value is `1`. 23 | 24 | Minimum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Consider protecting a release stage environment scoped to production with a human 29 | approval check.
30 | 31 | ## LINKS 32 | 33 | - [Release Pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/release/?view=azure-devops) 34 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.UseYamlDefinition.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Repository 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Core.UseYamlDefinition.md 5 | --- 6 | 7 | # Gebruik YAML Pipeline-definities 8 | 9 | ## SYNOPSIS 10 | 11 | Maak gebruik van YAML pipeline-definities om build- en release-pipelines te definiëren. 12 | 13 | ## DESCRIPTION 14 | 15 | Het gebruik van YAML pipeline-definities biedt een aantal voordelen ten opzichte van de klassieke visuele editor: 16 | 17 | - YAML pipeline-definities kunnen worden opgeslagen in een Git-repository, 18 | waardoor ze onder versiebeheer kunnen worden geplaatst. 19 | - YAML pipeline-definities kunnen worden gecontroleerd op wijzigingen en 20 | worden goedgekeurd voordat ze worden geïmplementeerd. 21 | 22 | Mininum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Overweeg om YAML pipeline-definities te gebruiken om build- en 27 | release-pipelines te definiëren. 
28 | 29 | ## LINKS 30 | 31 | - [Azure Pipelines YAML schema reference](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/yaml-schema) 32 | - [Azure DevOps security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#definitions) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyEnforceLinkedWorkItems.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyEnforceLinkedWorkItems.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyEnforceLinkedWorkItems 8 | 9 | ## SYNOPSIS 10 | 11 | A policy should be configured on the default branch to require linked work 12 | items for pull requests. 13 | 14 | ## DESCRIPTION 15 | 16 | Require linked work items for pull requests to ensure that changes are associated with a work item. This helps to track changes and ensure that changes are associated with a work item and thus documented in some way. 17 | 18 | Mininum TokenType: `ReadOnly` 19 | 20 | ## RECOMMENDATION 21 | 22 | Consider enabling the policy to require linked work items for pull requests. 
23 | 24 | ## LINKS 25 | 26 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 27 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 28 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 29 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Retention Settings 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays.md 5 | --- 6 | 7 | # Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays 8 | 9 | ## SYNOPSIS 10 | 11 | Retention settings for artifacts should be configured to meet compliance 12 | requirements. For example, a retention policy of 30 days may be required for 13 | production environments. 14 | 15 | ## DESCRIPTION 16 | 17 | Retention settings for artifacts should be configured to meet compliance 18 | requirements. For example, a retention policy of 30 days may be required for 19 | production environments. 20 | 21 | This rule requires a minimum retention period of 7 days. The rule is configurable 22 | to allow a different minimum retention period with the `ArtifactMinimumRetentionDays` 23 | configuration setting. 24 | 25 | Minimum TokenType: `ReadOnly` 26 | 27 | ## RECOMMENDATION 28 | 29 | Consider setting a minimum retention period of more than 7 days for artifacts.
30 | 31 | ## LINKS 32 | 33 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 34 | 35 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.WorkloadIdentityFederation 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection should use Workload Identity Federation. 12 | 13 | ## DESCRIPTION 14 | 15 | Workload Identity Federation allows you to use a service principal 16 | managed by Azure Active Directory to authenticate to Azure services 17 | instead of using a service principal managed by Azure DevOps. This is 18 | more secure because no long-lived secret (client secret or certificate) for the service principal has to be stored in Azure DevOps. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider using Workload Identity Federation for your service connections.
25 | 26 | ## LINKS 27 | 28 | - [Azure DevOps security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 29 | - [Create a service connection](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionHumanApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionHumanApproval.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionHumanApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Een service connection die is beperkt tot productie moet worden beschermd 12 | door een menselijke review en goedkeuring. Dit zal helpen om ervoor te 13 | zorgen dat er geen onbedoelde wijzigingen worden aangebracht in de 14 | productie resources. 15 | 16 | ## DESCRIPTION 17 | 18 | Door een service connection te beperken tot productie, wordt voorkomen dat 19 | deze wordt gebruikt voor het wijzigen van resources in andere omgevingen. 20 | Bijvoorbeeld, een service connection die is beperkt tot productie zou moeten 21 | worden beschermd met een check die een minimum aantal reviewers vereist. 22 | 23 | Mininum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om een service connection die is beperkt tot productie te 28 | beschermen met een menselijke review en goedkeuring. 
29 | 30 | ## LINKS 31 | 32 | - [Define approvals and checks](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 33 | 34 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyAllowSelfApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyAllowSelfApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.BranchPolicyAllowSelfApproval 8 | 9 | ## SYNOPSIS 10 | 11 | De auteur van wijzigingen zou niet moeten worden toegestaan om zijn eigen 12 | wijzigingen goed te keuren. 13 | 14 | ## DESCRIPTION 15 | 16 | De branch policy zou niet moeten toestaan dat de auteur van wijzigingen zijn 17 | eigen wijzigingen goedkeurt. Dit zal helpen om ervoor te zorgen dat de code 18 | in de standaard branch van hoge kwaliteit is en dat de Git workflow van het 19 | team wordt gevolgd. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om de optie om makers hun eigen wijzigingen te laten goedkeuren 26 | uit te schakelen.
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyCommentResolution.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyCommentResolution.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.BranchPolicyCommentResolution 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Repos branch policy zou moeten worden geconfigureerd om te 12 | vereisen dat opmerkingen voor pull requests worden opgelost. 13 | 14 | ## DESCRIPTION 15 | 16 | Zorg ervoor dat opmerkingen voor pull requests worden opgelost om ervoor te 17 | zorgen dat alle opmerkingen worden aangepakt. Dit helpt om ervoor te zorgen 18 | dat alle opmerkingen worden aangepakt en verbetert de kwaliteit van de pull 19 | request. 20 | 21 | Mininum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om de optie om opmerkingen voor pull requests op te lossen in te 26 | schakelen. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyEnforceLinkedWorkItems.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Informational 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyEnforceLinkedWorkItems.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.BranchPolicyEnforceLinkedWorkItems 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Repos branch policy zou moeten worden geconfigureerd om te 12 | eisen dat er gekoppelde work items zijn voor pull requests. 13 | 14 | ## DESCRIPTION 15 | 16 | Het vereisen van gekoppelde work items voor pull requests helpt om 17 | wijzigingen bij te houden en ervoor te zorgen dat wijzigingen zijn gekoppeld 18 | aan een work item en dus op de een of andere manier zijn gedocumenteerd. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om de optie om gekoppelde work items voor pull requests te 25 | vereisen in te schakelen. 
26 | 27 | ## LINKS 28 | 29 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 30 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 31 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 32 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionHumanApproval 8 | 9 | ## SYNOPSIS 10 | 11 | An environment scoped to production should be protected by a human review 12 | and approval. This will help ensure no accidental changes are made to the 13 | production resources. 14 | 15 | ## DESCRIPTION 16 | 17 | Protecting an environment with a human check will help prevent accidental 18 | changes to production resources. For example, an environment scoped to 19 | production should be protected with a check that requires a minimum number of 20 | reviewers or that a specific CI pipeline passes. 21 | 22 | Minimum TokenType: `FineGrained` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider protecting an environment scoped to production with a human 27 | approval check.
28 | 29 | ## LINKS 30 | 31 | - [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 32 | - [Create an environment](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten de machtigingsomvang van de taak beperken tot het huidige project. 12 | 13 | ## DESCRIPTION 14 | 15 | YAML-pipelines kunnen worden gebruikt om te implementeren naar meerdere omgevingen. 16 | Elke omgeving kan worden geconfigureerd om een andere set resources te gebruiken. Door de 17 | machtigingsomvang van de taak te beperken tot het huidige project, kan de taak geen 18 | toegang krijgen tot resources in andere projecten. Dit kan helpen voorkomen dat er per 19 | ongeluk toegang wordt verkregen tot resources in andere projecten. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om de machtigingsomvang van de taak voor YAML-pipelines te beperken tot het 26 | huidige project in de projectinstellingen.
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten de machtigingsomvang van de taak beperken tot het huidige project. 12 | 13 | ## DESCRIPTION 14 | 15 | Release-pipelines kunnen worden gebruikt om te implementeren naar meerdere omgevingen. 16 | Elke omgeving kan worden geconfigureerd om een andere set resources te gebruiken. Door de 17 | machtigingsomvang van de taak te beperken tot het huidige project, kan de taak geen 18 | toegang krijgen tot resources in andere projecten. Dit kan helpen voorkomen dat er per 19 | ongeluk toegang wordt verkregen tot resources in andere projecten. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om de machtigingsomvang van de taak voor release-pipelines te beperken tot het huidige project in de projectinstellingen.
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks) 30 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyMergeStrategy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyMergeStrategy.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.BranchPolicyMergeStrategy 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Repos branch policy zou moeten worden geconfigureerd om een 12 | merge strategie voor pull requests te definiëren. 13 | 14 | ## DESCRIPTION 15 | 16 | Definieer een merge strategie voor pull requests om ervoor te zorgen dat 17 | wijzigingen op een consistente manier worden samengevoegd. Dit helpt om 18 | ervoor te zorgen dat wijzigingen op een consistente manier worden 19 | samengevoegd en vermindert zo het risico op merge conflicten. 20 | 21 | Mininum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om de optie om een merge strategie voor pull requests te definiëren 26 | in te schakelen. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Important 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.WorkloadIdentityFederation.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.WorkloadIdentityFederation 8 | 9 | ## SYNOPSIS 10 | 11 | Een service connection moet Workload Identity Federation gebruiken. 12 | 13 | ## DESCRIPTION 14 | 15 | Workload Identity Federation maakt het mogelijk om een service principal 16 | beheerd door Azure Active Directory te gebruiken om te authenticeren 17 | naar Azure services in plaats van een service principal beheerd door 18 | Azure DevOps. Dit is veiliger omdat er geen langlevend geheim (client secret of certificaat) 19 | van de service principal in Azure DevOps hoeft te worden opgeslagen. 20 | 21 | Minimum TokenType: `ReadOnly` 22 | 23 | ## RECOMMENDATION 24 | 25 | Overweeg om Workload Identity Federation te gebruiken voor je service connections.
26 | 27 | ## LINKS 28 | 29 | - [Azure DevOps security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 30 | - [Create a service connection](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation) 31 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.HasBranchPolicy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.HasBranchPolicy.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.HasBranchPolicy 8 | 9 | ## SYNOPSIS 10 | 11 | The branch should have a branch policy 12 | 13 | ## DESCRIPTION 14 | 15 | A branch policy is a set of rules that govern the quality of the code and the 16 | team's Git workflow. Branch policies can enforce your team's code quality and 17 | change management standards. They can also help your team find and fix bugs 18 | earlier in the development cycle. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding a branch policy to the default branch of your repository. 25 | This will help ensure that the code in the default branch is of a high quality 26 | and that the team's Git workflow is followed. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.GitHubPAT.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.GitHubPAT.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.GitHubPAT 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection should not use a GitHub Personal Access Token (PAT). 12 | 13 | ## DESCRIPTION 14 | 15 | A service connection is a secure stored object that contains information about how to 16 | connect to a service. Service connections are used during the build or release pipeline 17 | to connect to external and remote resources. The GitHub PAT service connection type is 18 | linked to a personal account, and actions performed through it cannot be traced back to the 19 | specific connection in Azure DevOps. This means any user with access to the service connection can impersonate 20 | the user who created the service connection. 21 | 22 | Minimum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider using an OAuth-based service connection.
27 | 28 | ## LINKS 29 | 30 | - [Azure DevOps security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-github-integrations) 31 | - [Create a service connection](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops) 32 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.HasDefaultBranchPolicy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.HasDefaultBranchPolicy.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.HasDefaultBranchPolicy 8 | 9 | ## SYNOPSIS 10 | 11 | The repository's default branch should have a branch policy 12 | 13 | ## DESCRIPTION 14 | 15 | A branch policy is a set of rules that govern the quality of the code and the 16 | team's Git workflow. Branch policies can enforce your team's code quality and 17 | change management standards. They can also help your team find and fix bugs 18 | earlier in the development cycle. 19 | 20 | Mininum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Consider adding a branch policy to the default branch of your repository. 25 | This will help ensure that the code in the default branch is of a high quality 26 | and that the team's Git workflow is followed. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyResetVotes.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyResetVotes.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyResetVotes 8 | 9 | ## SYNOPSIS 10 | 11 | The branch policy should reset votes when changes are updated. This will help 12 | ensure that the code in the default branch is of a high quality and that the 13 | team's Git workflow is followed. 14 | 15 | ## DESCRIPTION 16 | 17 | When a branch policy is configured to require a minimum number of reviewers and 18 | votes, the policy should be configured to reset votes when changes are updated. 19 | This will help ensure that the code in the default branch is of a high quality 20 | and that the team's Git workflow is followed. 21 | 22 | Mininum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider configuring the branch policy to reset votes when changes are updated. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyResetVotes.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyResetVotes.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyResetVotes 8 | 9 | ## SYNOPSIS 10 | 11 | The branch policy should reset votes when changes are updated. This will help 12 | ensure that the code in the default branch is of a high quality and that the 13 | team's Git workflow is followed. 14 | 15 | ## DESCRIPTION 16 | 17 | When a branch policy is configured to require a minimum number of reviewers and 18 | votes, the policy should be configured to reset votes when changes are updated. 19 | This will help ensure that the code in the default branch is of a high quality 20 | and that the team's Git workflow is followed. 21 | 22 | Mininum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider configuring the branch policy to reset votes when changes are updated. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.Scope.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.Scope.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.Scope 8 | 9 | ## SYNOPSIS 10 | 11 | A service connection scoped to production should use a narrow scope. 12 | This will help ensure no unwanted changes or access is made to the 13 | production resources or beyond. 14 | 15 | ## DESCRIPTION 16 | 17 | A service connection scoped to production should use a narrow scope. For 18 | example, a service connection scoped to production should only have access 19 | to the production resource groups. This will help ensure no unwanted changes 20 | or access is made to the production resources or beyond. Normally it is not 21 | desirable to have a service connection with access to all resource groups 22 | in a subscription. 23 | 24 | Minimum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Consider using a resource group scope for a service connection scoped to 29 | production.
30 | 31 | ## LINKS 32 | 33 | - [Azure DevOps security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 34 | - [Create a service connection](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&tabs=yaml) 35 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild 8 | 9 | ## SYNOPSIS 10 | 11 | The branch policy should be configured to require a build or CI pipeline to 12 | pass before changes can be merged into the default branch. 13 | 14 | ## DESCRIPTION 15 | 16 | The branch policy should be configured to require a build or CI pipeline to pass 17 | before changes can be merged into the default branch. This ensures that changes 18 | are validated before being merged into the default branch. This rule does not 19 | validate that the build or CI pipeline is configured correctly. It only validates 20 | that a build or CI pipeline is configured. 
21 | 22 | Minimum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider enabling the branch policy to require a build or CI pipeline to pass. 27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#policies) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.HasBranchPolicy.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/AzureDevOps.Repos.HasBranchPolicy.md 5 | --- 6 | 7 | # AzureDevOps.Repos.HasBranchPolicy 8 | 9 | ## SYNOPSIS 10 | 11 | De standaard branch van de repository zou een branch policy moeten hebben. 12 | 13 | ## DESCRIPTION 14 | 15 | Een branch policy is een set regels die de kwaliteit van de code en de Git 16 | workflow van het team bepalen. Branch policies kunnen de codekwaliteit en 17 | de normen voor wijzigingsbeheer van uw team afdwingen. Ze kunnen uw team ook 18 | helpen om bugs eerder in de ontwikkelingscyclus te vinden en op te lossen. 19 | 20 | Minimum TokenType: `ReadOnly` 21 | 22 | ## RECOMMENDATION 23 | 24 | Overweeg om een branch policy toe te voegen aan de standaard branch van uw 25 | repository. Dit zal helpen om ervoor te zorgen dat de code in de standaard 26 | branch van hoge kwaliteit is en dat de Git workflow van het team wordt gevolgd. 
27 | 28 | ## LINKS 29 | 30 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 31 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 32 | - [Azure DevOps Security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyRequireBuild.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyRequireBuild.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyRequireBuild 8 | 9 | ## SYNOPSIS 10 | 11 | The branch policy for the default branch should be configured to require a 12 | build or CI pipeline to pass before changes can be merged into the default 13 | branch. 14 | 15 | ## DESCRIPTION 16 | 17 | The branch policy should be configured to require a build or CI pipeline to pass 18 | before changes can be merged into the default branch. This ensures that changes 19 | are validated before being merged into the default branch. This rule does not 20 | validate that the build or CI pipeline is configured correctly. It only validates 21 | that a build or CI pipeline is configured. 
22 | 23 | Mininum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Consider enabling the branch policy to require a build or CI pipeline to pass 28 | 29 | ## LINKS 30 | 31 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 32 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 33 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#policies) 34 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionCheckProtection.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ProductionCheckProtection.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ProductionCheckProtection 8 | 9 | ## SYNOPSIS 10 | 11 | Een service connection die is beperkt tot productie zou moeten worden 12 | beschermd. Dit zal helpen om ervoor te zorgen dat er geen onbedoelde 13 | wijzigingen worden aangebracht in de productie resources. 14 | 15 | ## DESCRIPTION 16 | 17 | Door een service connection te beperken tot productie, wordt voorkomen dat 18 | deze wordt gebruikt voor het wijzigen van resources in andere omgevingen. 19 | Het beschermen van een service connection met één of meer checks zal helpen 20 | voorkomen dat er per ongeluk wijzigingen worden aangebracht in productie 21 | resources. Bijvoorbeeld, een service connection die is beperkt tot productie 22 | zou moeten worden beschermd met een check die een minimum aantal reviewers 23 | vereist of een specifieke CI pipeline moet doorlopen. 
24 | 25 | Mininum TokenType: `ReadOnly` 26 | 27 | ## RECOMMENDATION 28 | 29 | Overweeg om een service connection die is beperkt tot productie te 30 | beschermen met één of meer checks. 31 | 32 | ## LINKS 33 | 34 | - [Define approvals and checks](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 35 | 36 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Pipelines release stage die is beperkt tot productie zou 12 | moeten worden beschermd met een menselijke goedkeuring om te voorkomen dat 13 | er per ongeluk wijzigingen worden aangebracht in productiebronnen. 14 | 15 | ## DESCRIPTION 16 | 17 | Het toevoegen van een menselijke goedkeuring aan een Azure DevOps Pipelines 18 | release stage die is beperkt tot productie kan helpen om per ongeluk wijzigingen in productiebronnen te voorkomen. Een goedkeuring kan worden 19 | gebruikt om te eisen dat een gebruiker een implementatie goedkeurt voordat 20 | deze kan worden uitgevoerd. 21 | 22 | U kunt het vereiste aantal goedkeurders voor deze regel configureren door de 23 | `releaseMinimumProductionApproverCount` configuratiewaarde in PSRule in te 24 | stellen. De standaardwaarde is `1`. 
25 | 26 | Minimum TokenType: `ReadOnly` 27 | 28 | ## RECOMMENDATION 29 | 30 | Overweeg om een menselijke goedkeuring toe te voegen aan de Azure DevOps 31 | Pipelines release stage die is beperkt tot productie. 32 | 33 | ## LINKS 34 | 35 | - [Release Pipelines](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/release/?view=azure-devops) 36 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.GitHubPAT.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.GitHubPAT.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.GitHubPAT 8 | 9 | ## SYNOPSIS 10 | 11 | Een serviceverbinding zou geen persoonlijk GitHub-toegangstoken (PAT) moeten gebruiken. 12 | 13 | ## DESCRIPTION 14 | 15 | Een serviceverbinding is een veilig opgeslagen object dat informatie bevat over hoe u 16 | verbinding kunt maken met een service. Serviceverbindingen worden tijdens de build- of 17 | release-pijplijn gebruikt om verbinding te maken met externe en remote bronnen. Het GitHub 18 | PAT-serviceverbindingstype is gekoppeld aan een persoonlijk account en kan niet worden 19 | getraceerd naar de specifieke verbinding vanuit Azure DevOps. Dit betekent dat elke 20 | gebruiker met toegang tot de serviceverbinding zich kan voordoen als de gebruiker die de 21 | serviceverbinding heeft gemaakt. 22 | 23 | Minimum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg een OAuth-gebaseerde serviceverbinding te gebruiken. 
28 | 29 | ## LINKS 30 | 31 | - [Azure DevOps security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-github-integrations) 32 | - [Create a service connection](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/library/connect-to-azure?view=azure-devops) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionHumanApproval.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionHumanApproval 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Pipelines environment die is beperkt tot productie zou 12 | moeten worden beschermd met een menselijke goedkeuring om te voorkomen dat 13 | er per ongeluk wijzigingen worden aangebracht in productiebronnen. 14 | 15 | ## DESCRIPTION 16 | 17 | De implementatie van een Azure DevOps Pipelines environment die is beperkt 18 | tot productie zou moeten worden beschermd met een menselijke goedkeuring om 19 | te voorkomen dat er per ongeluk wijzigingen worden aangebracht in 20 | productiebronnen. Een goedkeuring kan worden gebruikt om te eisen dat een 21 | gebruiker een implementatie goedkeurt voordat deze kan worden uitgevoerd. 22 | 23 | Mininum TokenType: `FineGrained` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om een menselijke goedkeuring toe te voegen aan de Azure DevOps 28 | Pipelines environment die is beperkt tot productie. 
29 | 30 | ## LINKS 31 | 32 | - [Define approvals and checks](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 33 | - [Create an environment](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 34 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyRequireBuild.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyRequireBuild.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.BranchPolicyRequireBuild 8 | 9 | ## SYNOPSIS 10 | 11 | Een build of CI-pijplijn moet worden geconfigureerd om te worden uitgevoerd voordat 12 | wijzigingen kunnen worden samengevoegd in de standaardbranch. 13 | 14 | ## DESCRIPTION 15 | 16 | De branch policy moet worden geconfigureerd om een build of CI-pijplijn te vereisen 17 | om te worden uitgevoerd voordat wijzigingen kunnen worden samengevoegd in de 18 | standaardbranch. Dit zorgt ervoor dat wijzigingen worden gevalideerd voordat ze 19 | worden samengevoegd in de standaardbranch. Deze regel valideert niet dat de build 20 | of CI-pijplijn correct is geconfigureerd. Het valideert alleen dat een build of 21 | CI-pijplijn is geconfigureerd. 22 | 23 | Mininum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om de branch policy in te schakelen om een build of CI-pijplijn te vereisen. 
28 | 29 | ## LINKS 30 | 31 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 32 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 33 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#policies) 34 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork 8 | 9 | ## SYNOPSIS 10 | 11 | Project settings should restrict access to secrets for pull requests from a fork. 12 | 13 | ## DESCRIPTION 14 | 15 | Secrets can be used to store sensitive information such as passwords and access tokens. Secrets can be used in pipelines to access resources such as Azure Key Vault. Secrets can be configured to be available to all pipelines or only to specific pipelines. Secrets can also be configured to be available to pull requests from forks. This can be useful for open source projects that accept contributions from the community. However, this can also be a security risk. A malicious user could create a pull request from a fork and access the secrets in the pipeline. This could allow the malicious user to access sensitive information such as passwords and access tokens. 
16 | 17 | Mininum TokenType: `ReadOnly` 18 | 19 | ## RECOMMENDATION 20 | 21 | Consider restricting access to secrets for pull requests from a fork in the project settings. 22 | 23 | ## LINKS 24 | 25 | - [Azure DevOps Security best practices - Forks](https://learn.microsoft.com/en-us/azure/devops/pipelines/security/repos?view=azure-devops#dont-provide-secrets-to-fork-builds) 26 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Environments.ProductionCheckProtection.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Environments.ProductionCheckProtection 8 | 9 | ## SYNOPSIS 10 | 11 | Een Azure DevOps Pipelines environment die is beperkt tot productie zou 12 | moeten worden beschermd met een of meer controles om te voorkomen dat er 13 | per ongeluk wijzigingen worden aangebracht in productiebronnen. 14 | 15 | ## DESCRIPTION 16 | 17 | Een Azure DevOps Pipelines environment die is beperkt tot productie zou 18 | moeten worden beschermd met een of meer controles om te voorkomen dat er 19 | per ongeluk wijzigingen worden aangebracht in productiebronnen. Controles 20 | kunnen worden gebruikt om te eisen dat een gebruiker een implementatie 21 | goedkeurt of dat er een succesvolle build moet zijn voordat een 22 | implementatie kan worden uitgevoerd. 23 | 24 | Mininum TokenType: `FineGrained` 25 | 26 | ## RECOMMENDATION 27 | 28 | Overweeg om een of meer controles toe te voegen aan de Azure DevOps 29 | Pipelines environment die is beperkt tot productie. 
30 | 31 | ## LINKS 32 | 33 | - [Define approvals and checks](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass) 34 | - [Create an environment](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/process/environments?view=azure-devops&tabs=yaml#create-an-environment) 35 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyResetVotes.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/AzureDevOps.Repos.BranchPolicyResetVotes.md 5 | --- 6 | 7 | # AzureDevOps.Repos.BranchPolicyResetVotes 8 | 9 | ## SYNOPSIS 10 | 11 | De branch policy zou stemmen moeten resetten wanneer wijzigingen worden 12 | bijgewerkt. Dit zal helpen om ervoor te zorgen dat de code in de standaard 13 | branch van hoge kwaliteit is en dat de Git workflow van het team wordt 14 | gevolgd. 15 | 16 | ## DESCRIPTION 17 | 18 | Als een branch policy is geconfigureerd om een minimum aantal reviewers en 19 | stemmen te vereisen, moet de policy worden geconfigureerd om stemmen te 20 | resetten wanneer wijzigingen worden bijgewerkt. Dit zal helpen om ervoor te 21 | zorgen dat de code in de standaard branch van hoge kwaliteit is en dat de 22 | Git workflow van het team wordt gevolgd. 23 | 24 | Mininum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Overweeg om de branch policy te configureren om stemmen te resetten wanneer 29 | wijzigingen worden bijgewerkt. 
30 | 31 | ## LINKS 32 | 33 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 34 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 35 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 36 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/1-bug-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "🐞 Bug Report" 3 | about: "Report an issue to help the project improve." 4 | title: "Bug: " 5 | labels: ["bug"] 6 | assignees: webtonize 7 | 8 | --- 9 | 10 | # **🐞 Bug Report** 11 | 12 | ## **Describe the bug** 13 | 14 | 15 | * 16 | 17 | --- 18 | 19 | ### **Is this a regression?** 20 | 21 | 22 | 23 | --- 24 | 25 | ### **To Reproduce** 26 | 27 | 33 | 34 | 35 | 36 | 1. 37 | 2. 38 | 3. 39 | 4. 
40 | 41 | --- 42 | 43 | ### **Expected behaviour** 44 | 45 | 46 | * 47 | 48 | --- 49 | 50 | ### **Media proof** 51 | 52 | 53 | --- 54 | 55 | ### **Your environment** 56 | 57 | 59 | 60 | * OS: 61 | * PowerShell version: 62 | * PSRule version: 63 | * PSRule.Rules.AzureDevOps version: 64 | 65 | 66 | --- 67 | 68 | ### **Additional context** 69 | 70 | 71 | * 72 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.Scope.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en-US/Azure.DevOps.ServiceConnections.Scope.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.Scope 8 | 9 | ## SYNOPSIS 10 | 11 | Een service connection die is beperkt tot productie zou een smalle scope 12 | moeten gebruiken. Dit zal helpen om ervoor te zorgen dat er geen onbedoelde 13 | wijzigingen worden aangebracht in de productie resources of daarbuiten. 14 | 15 | ## DESCRIPTION 16 | 17 | Een service connection die is beperkt tot productie zou een smalle scope 18 | moeten gebruiken. Bijvoorbeeld, een service connection die is beperkt tot 19 | productie zou alleen toegang moeten hebben tot de productie resource groups. 20 | Dit zal helpen om ervoor te zorgen dat er geen onbedoelde wijzigingen worden 21 | aangebracht in de productie resources of daarbuiten. Normaal gesproken is 22 | het niet wenselijk om een service connection te hebben met toegang tot alle 23 | resource groups in een abonnement. 24 | 25 | Minimum TokenType: `ReadOnly` 26 | 27 | ## RECOMMENDATION 28 | 29 | Overweeg om een service connection die is beperkt tot productie te beperken 30 | tot een smalle scope. 
31 | 32 | ## LINKS 33 | 34 | - [Azure DevOps security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 35 | - [Create a service connection](https://docs.microsoft.com/nl-nl/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&tabs=yaml) 36 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ClassicAzure.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.ServiceConnections.ClassicAzure.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ClassicAzure 8 | 9 | ## SYNOPSIS 10 | 11 | A Service connection should not use the Classic Azure service connection type. 12 | 13 | ## DESCRIPTION 14 | 15 | A service connection is a securely stored object that contains information about how to 16 | connect to a service. Service connections are used during the build or release pipeline to 17 | connect to external and remote resources. The Classic Azure service connection type can not 18 | be scoped to a specific resource group or subscription. This means that any user with 19 | access to the service connection can deploy to any resource group or subscription. Also 20 | the Classic Azure service connection type does not support modern ways of authentication. 21 | 22 | Mininum TokenType: `ReadOnly` 23 | 24 | ## RECOMMENDATION 25 | 26 | Consider using a service connection type that can be scoped to a specific resource group 27 | with modern authentication. 
28 | 29 | ## LINKS 30 | 31 | - [Azure DevOps security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 32 | - [Create a service connection](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation) 33 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyMinimumReviewers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/AzureDevOps.Repos.BranchPolicyMinimumReviewers.md 5 | --- 6 | 7 | # AzureDevOps.Repos.BranchPolicyMinimumReviewers 8 | 9 | ## SYNOPSIS 10 | 11 | De standaard branch van het repository zou een branch policy moeten hebben 12 | met een minimum aantal reviewers. 13 | 14 | ## DESCRIPTION 15 | 16 | Door een minimum aantal reviewers voor een branch policy in te stellen, 17 | wordt ervoor gezorgd dat de code in de standaard branch van hoge kwaliteit 18 | is en dat de Git workflow van het team wordt gevolgd. 19 | 20 | Je kunt het minimum aantal reviewers voor deze regel configureren door de 21 | `branchMinimumApproverCount` configuratiewaarde in PSRule in te stellen. 22 | 23 | Mininum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om de optie om een minimum aantal reviewers voor een branch policy 28 | in te stellen in te schakelen. 
29 | 30 | ## LINKS 31 | 32 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 33 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 34 | - [Minimum number of reviewers](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops#minimum-number-of-reviewers) 35 | - [Azure DevOps Security best practices](https://docs.microsoft.com/nl-nl/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 36 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Description 4 | 5 | 6 | ## Related Issue 7 | 8 | 9 | 10 | 11 | 12 | ## Motivation and Context 13 | 14 | 15 | ## How Has This Been Tested? 16 | 17 | 18 | 19 | 20 | ## Screenshots (if appropriate): 21 | 22 | ## Types of changes 23 | 24 | - [ ] Bug fix (non-breaking change which fixes an issue) 25 | - [ ] New feature (non-breaking change which adds functionality) 26 | - [ ] Breaking change (fix or feature that would cause existing functionality to change) 27 | 28 | ## Checklist: 29 | 30 | 31 | - [ ] My code follows the code style of this project. 32 | - [ ] My change requires a change to the documentation. 33 | - [ ] I have updated the documentation accordingly. 34 | - [ ] I have added tests to cover my changes. 35 | - [ ] All new and existing tests passed. 
36 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled 8 | 9 | ## SYNOPSIS 10 | 11 | The repository's branch should have a branch policy enabled. 12 | 13 | ## DESCRIPTION 14 | 15 | A branch policy is a set of rules that govern the quality of the code and 16 | the team's Git workflow. Branch policies can enforce your team's code quality 17 | and change management standards. They can also help your team find and fix 18 | bugs earlier in the development cycle. 19 | 20 | A branch policy can be enabled for the default branch of a repository. This 21 | will help ensure that the code in the default branch is of a high quality and 22 | that the team's Git workflow is followed. 23 | 24 | Mininum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Make sure that the branch policy is enabled for the default branch of your 29 | repository. This will help ensure that the code in the default branch is of 30 | a high quality and that the team's Git workflow is followed. 
31 | 32 | ## LINKS 33 | 34 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 35 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 36 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 37 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyIsEnabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyIsEnabled.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyIsEnabled 8 | 9 | ## SYNOPSIS 10 | 11 | The repository's default branch should have a branch policy enabled. 12 | 13 | ## DESCRIPTION 14 | 15 | A branch policy is a set of rules that govern the quality of the code and 16 | the team's Git workflow. Branch policies can enforce your team's code quality 17 | and change management standards. They can also help your team find and fix 18 | bugs earlier in the development cycle. 19 | 20 | A branch policy can be enabled for the default branch of a repository. This 21 | will help ensure that the code in the default branch is of a high quality and 22 | that the team's Git workflow is followed. 23 | 24 | Mininum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Make sure that the branch policy is enabled for the default branch of your 29 | repository. This will help ensure that the code in the default branch is of 30 | a high quality and that the team's Git workflow is followed. 
31 | 32 | ## LINKS 33 | 34 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 35 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 36 | - [Azure DevOps Security best practices](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 37 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ClassicAzure.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Service Connections 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.ServiceConnections.ClassicAzure.md 5 | --- 6 | 7 | # Azure.DevOps.ServiceConnections.ClassicAzure 8 | 9 | ## SYNOPSIS 10 | 11 | Een serviceverbinding mag niet het klassieke Azure-serviceverbindingstype gebruiken. 12 | 13 | ## DESCRIPTION 14 | 15 | Een serviceverbinding is een veilig opgeslagen object dat informatie bevat over hoe u 16 | verbinding kunt maken met een service. Serviceverbindingen worden tijdens de build- of 17 | release-pijplijn gebruikt om verbinding te maken met externe en remote bronnen. Het 18 | klassieke Azure-serviceverbindingstype kan niet worden beperkt tot een specifieke 19 | resourcegroep of een specifiek abonnement. Dit betekent dat elke gebruiker met toegang tot de 20 | serviceverbinding kan implementeren naar elke resourcegroep of elk abonnement. Ook 21 | ondersteunt het klassieke Azure-serviceverbindingstype geen moderne authenticatiemethoden. 
22 | 23 | Mininum TokenType: `ReadOnly` 24 | 25 | ## RECOMMENDATION 26 | 27 | Overweeg om een serviceverbindingstype te gebruiken dat kan worden geschaald naar een 28 | specifieke resourcegroep met moderne authenticatie. 29 | 30 | ## LINKS 31 | 32 | - [Azure DevOps security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#scope-service-accounts) 33 | - [Create a service connection](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation) 34 | -------------------------------------------------------------------------------- /.github/workflows/psrule-monitor.yml: -------------------------------------------------------------------------------- 1 | # Run on manual trigger and every day at 6:00 AM UTC 2 | on: 3 | workflow_dispatch: 4 | schedule: 5 | - cron: '0 6 * * *' 6 | 7 | name: Run module with log analytics 8 | 9 | jobs: 10 | run-psrule-monitor: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v3 14 | name: Checkout 15 | 16 | - name: Install PSRule 17 | run: | 18 | # Install-Module -Name PSRule -Force -Scope CurrentUser -SkipPublisherCheck 19 | Install-Module -Name PSRule.Monitor -Force -Scope CurrentUser -SkipPublisherCheck 20 | shell: pwsh 21 | 22 | - name: Run PSRule 23 | run: | 24 | Import-Module PSRule 25 | Import-Module PSRule.Monitor 26 | Import-Module ./src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psd1 -Force 27 | Connect-AzDevOps -Organization ${{ secrets.ADO_ORGANIZATION }} -PAT ${{ secrets.ADO_PAT }} 28 | New-Item -Path ./data -ItemType Directory -Force 29 | Export-AzDevOpsOrganizationRuleData -OutputPath ./data 30 | $result = Invoke-PSRule -InputPath ./data/ ` 31 | -Module "PSRule.Rules.AzureDevOps","PSRule.Monitor" ` 32 | -Format Detect -Culture en 33 | $result | Send-PSRuleMonitorRecord -WorkspaceId 
$Env:PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID ` 34 | -SharedKey $Env:PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY -LogName RjbTest 35 | shell: pwsh 36 | env: 37 | PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID }} 38 | PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY }} 39 | PSRULE_CONVENTION_INCLUDE: "Monitor.LogAnalytics.Import" 40 | -------------------------------------------------------------------------------- /docs/branch-strategy-suppression.md: -------------------------------------------------------------------------------- 1 | Branch strategy based suppression 2 | ================================= 3 | 4 | Using PSRule suppression groups for branch strategies. 5 | ------------------------------------------------------ 6 | 7 | Since version 0.4.0 PSRule.Rules.AzureDevOps exports all branches 8 | for a repository and inspects them with the full set of rules. Under 9 | normal circumstances, you don't want to run all rules against all 10 | branches. You will typically want users to work in feature branches that 11 | do not have the same requirements as the main, release or your custom 12 | branches. 13 | 14 | PSRule offers a feature called suppression groups that allows you to 15 | suppress rules for _targets_, in our case branches. This allows you to 16 | define a set of suppression groups that can be applied to branches 17 | based on a branch name pattern. 18 | 19 | For example, you can define a suppression group called `feature` that 20 | suppresses all rules for branches that start with `refs/heads/feature/`. 21 | Place the file in the root from where you run PSRule with an extension 22 | of `.Rule.yaml`. 
23 | 24 | ``` yaml 25 | --- 26 | # Synopsis: Feature branch does not need protection 27 | apiVersion: github.com/microsoft/PSRule/v1 28 | kind: SuppressionGroup 29 | metadata: 30 | name: 'feature' 31 | spec: 32 | expiresOn: null 33 | rule: 34 | - 'Azure.DevOps.Repo.Branch.HasBranchPolicy' 35 | if: 36 | name: '.' 37 | contains: 'refs/heads/feature/' 38 | ``` 39 | 40 | The synopsis is optional and can be used to describe 41 | the suppression group. It will be displayed when running 42 | PSRule as the suppression group is applied. Read more on suppression 43 | groups in the [PSRule documentation](https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/). -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Pipelines 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork.md 5 | --- 6 | 7 | # Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork 8 | 9 | ## SYNOPSIS 10 | 11 | De projectinstellingen moeten de toegang tot geheimen voor pull-aanvragen van een fork 12 | beperken. 13 | 14 | ## DESCRIPTION 15 | 16 | Geheimen kunnen worden gebruikt om gevoelige informatie zoals wachtwoorden en 17 | toegangstokens op te slaan. Geheimen kunnen in pipelines worden gebruikt om 18 | resources zoals Azure Key Vault te openen. Geheimen kunnen worden geconfigureerd om 19 | beschikbaar te zijn voor alle pipelines of alleen voor specifieke pipelines. Geheimen 20 | kunnen ook worden geconfigureerd om beschikbaar te zijn voor pull-aanvragen van een fork. 
21 | Dit kan nuttig zijn voor open source projecten die bijdragen van de community accepteren. 22 | Dit kan echter ook een beveiligingsrisico zijn. Een kwaadwillende gebruiker kan een 23 | pull-aanvraag van een fork maken en de geheimen in de pipeline openen. Dit kan de 24 | kwaadwillende gebruiker in staat stellen om gevoelige informatie zoals wachtwoorden en 25 | toegangstokens te openen. 26 | 27 | Mininum TokenType: `ReadOnly` 28 | 29 | ## RECOMMENDATION 30 | 31 | Overweeg om de toegang tot geheimen voor pull-aanvragen van een fork te beperken in de 32 | projectinstellingen. 33 | 34 | ## LINKS 35 | 36 | - [Azure DevOps Security best practices - Forks](https://learn.microsoft.com/nl-nl/azure/devops/pipelines/security/repos?view=azure-devops#dont-provide-secrets-to-fork-builds) 37 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers 8 | 9 | ## SYNOPSIS 10 | 11 | The repository's branch should have a branch policy with a minimum 12 | number of reviewers. 13 | 14 | ## DESCRIPTION 15 | 16 | Having a minimum number of reviewers for a branch policy helps ensure that the 17 | code in the default branch is of a high quality and that the team's Git 18 | workflow is followed. 19 | 20 | You can configure the minimum number of reviewers for this rule by setting the 21 | `branchMinimumApproverCount` configuration value in PSRule. The default 22 | value is `1`. 
23 | 24 | Mininum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Make sure that the branch policy has a minimum number of reviewers for the 29 | default branch of your repository. This will help ensure that the code in the 30 | default branch is of a high quality and that the team's Git workflow is 31 | followed. 32 | 33 | ## LINKS 34 | 35 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 36 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 37 | - [Minimum number of reviewers](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops#minimum-number-of-reviewers) 38 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 39 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyMinimumReviewers.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Severe 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Repos.DefaultBranchPolicyMinimumReviewers.md 5 | --- 6 | 7 | # Azure.DevOps.Repos.DefaultBranchPolicyMinimumReviewers 8 | 9 | ## SYNOPSIS 10 | 11 | The repository's default branch should have a branch policy with a minimum 12 | number of reviewers. 13 | 14 | ## DESCRIPTION 15 | 16 | Having a minimum number of reviewers for a branch policy helps ensure that the 17 | code in the default branch is of a high quality and that the team's Git 18 | workflow is followed. 
19 | 20 | You can configure the minimum number of reviewers for this rule by setting the 21 | `branchMinimumApproverCount` configuration value in PSRule. The default 22 | value is `1`. 23 | 24 | Mininum TokenType: `ReadOnly` 25 | 26 | ## RECOMMENDATION 27 | 28 | Make sure that the branch policy has a minimum number of reviewers for the 29 | default branch of your repository. This will help ensure that the code in the 30 | default branch is of a high quality and that the team's Git workflow is 31 | followed. 32 | 33 | ## LINKS 34 | 35 | - [Create a branch policy](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) 36 | - [Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 37 | - [Minimum number of reviewers](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies-overview?view=azure-devops#minimum-number-of-reviewers) 38 | - [Azure DevOps Security best practices](https://docs.microsoft.com/en-us/azure/devops/user-guide/security-best-practices?view=azure-devops#repositories-and-branches) 39 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/nl/Azure.DevOps.Repos.BranchPolicyIsEnabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | category: Microsoft Azure DevOps Repos 3 | severity: Critical 4 | online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/nl/AzureDevOps.Repos.BranchPolicyIsEnabled.md 5 | --- 6 | 7 | # AzureDevOps.Repos.BranchPolicyIsEnabled 8 | 9 | ## SYNOPSIS 10 | 11 | De standaard branch van het repository zou een branch policy moeten hebben 12 | die is ingeschakeld. 13 | 14 | ## DESCRIPTION 15 | 16 | Een branch policy is een set regels die de kwaliteit van de code en de Git 17 | workflow van het team bepalen. 
Branch policies kunnen de codekwaliteit en 18 | de normen voor wijzigingsbeheer van uw team afdwingen. Ze kunnen uw team ook 19 | helpen om bugs eerder in de ontwikkelingscyclus te vinden en op te lossen. 20 | 21 | Een branch policy kan worden ingeschakeld voor de standaard branch van een 22 | repository. Dit zal helpen om ervoor te zorgen dat de code in de standaard 23 | branch van hoge kwaliteit is en dat de Git workflow van het team wordt 24 | gevolgd. 25 | 26 | Mininum TokenType: `ReadOnly` 27 | 28 | ## RECOMMENDATION 29 | 30 | Zorg ervoor dat de branch policy is ingeschakeld voor de standaard branch 31 | van uw repository. Dit zal helpen om ervoor te zorgen dat de code in de 32 | standaard branch van hoge kwaliteit is en dat de Git workflow van het team 33 | wordt gevolgd. 34 | 35 | ## LINKS 36 | 37 | - [Create a branch policy](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies?view=azure-devops) 38 | - [Branch policies](https://docs.microsoft.com/nl-nl/azure/devops/repos/git/branch-policies-overview?view=azure-devops) 39 | - [Azure DevOps Security best practices](https://learn.microsoft.com/nl-nl/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos) 40 | -------------------------------------------------------------------------------- /.github/workflows/wiki.yml: -------------------------------------------------------------------------------- 1 | # File: .github/workflows/wiki.yml 2 | 3 | on: 4 | release: 5 | types: 6 | - "published" 7 | workflow_dispatch: 8 | 9 | name: Publish Wiki 10 | 11 | permissions: 12 | contents: write 13 | pull-requests: write 14 | 15 | jobs: 16 | build-publish-wiki: 17 | runs-on: ubuntu-22.04 18 | steps: 19 | - name: Checkout PSRule.Rules.AzureDevOps 20 | uses: actions/checkout@v3 21 | with: 22 | path: main 23 | 24 | - name: Checkout Wiki 25 | uses: actions/checkout@v3 26 | with: 27 | repository: ${{github.repository}}.wiki 28 | path: wiki 29 | 30 | - name: Copy wiki 
base sources 31 | shell: bash 32 | run: | 33 | rm -f ./wiki/*.md 34 | rm -f ./wiki/rules/*.md 35 | # Copy wiki base page 36 | cp ./main/README.md ./wiki/Home.md 37 | # Copy wiki rules 38 | cp ./main/src/PSRule.Rules.AzureDevOps/en/*.md ./wiki/rules 39 | # Copy docs 40 | cp ./main/docs/*.md ./wiki 41 | 42 | - name: Generate Module docs 43 | shell: pwsh 44 | run: | 45 | Install-Module PSRule -Scope CurrentUser -Force 46 | Import-Module PSRule 47 | New-Item -Path ./wiki -Name commands -ItemType Directory -Force 48 | Set-PSRepository PSGallery -InstallationPolicy Trusted 49 | Install-Module Az.Resources 50 | Install-Module PlatyPS 51 | Import-Module PlatyPS 52 | Import-Module ./main/src/PSRule.Rules.AzureDevOps 53 | New-MarkdownHelp -Module PSRule.Rules.AzureDevOps ` 54 | -Verbose ` 55 | -Force ` 56 | -NoMetadata ` 57 | -OutputFolder ./wiki/commands 58 | 59 | - name: Commit and push changes to wiki 60 | shell: bash 61 | working-directory: ./wiki 62 | run: | 63 | git config user.name github-actions 64 | git config user.email github-actions@github.com 65 | git add . 
66 | git commit -m "generated docs from actions workflow" 67 | git push 68 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.RetentionSettings.Rule.ps1: -------------------------------------------------------------------------------- 1 | # PSRule rule definitions for Azure DevOps Retention Settings 2 | 3 | # Synopsis: Retention settings should allow for artifacts to be retained for a minimum of 7 days 4 | Rule 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' ` 5 | -Ref 'ADO-RET-001' ` 6 | -Type 'Azure.DevOps.RetentionSettings' ` 7 | -Tag @{ release = 'GA'} ` 8 | -Level Warning { 9 | # Description "Retention settings allow for artifacts to be retained for a minimum of 7 days" 10 | Reason "Retention settings allow for artifacts to be retained for at least 7 days" 11 | Recommend "Consider increasing the minimum retention days to 7 days" 12 | # Links "https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/retention?view=azure-devops#minimum-retention-days" 13 | AllOf { 14 | $Assert.HasField($TargetObject, "RetentionSettings.purgeArtifacts.value", $true) 15 | $Assert.GreaterOrEqual($TargetObject, "RetentionSettings.purgeArtifacts.value", $Configuration.GetValueOrDefault('ArtifactMinimumRetentionDays', 7)) 16 | } 17 | } 18 | 19 | # Synopsis: Retention settings should allow pull request runs to be retained at least 7 days 20 | Rule 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' ` 21 | -Ref 'ADO-RET-002' ` 22 | -Type 'Azure.DevOps.RetentionSettings' ` 23 | -Tag @{ release = 'GA'} ` 24 | -Level Warning { 25 | # Description "Retention settings should allow pull request runs to be retained at least 7 days" 26 | Reason "Retention settings should allow pull request runs to be retained at least 7 days" 27 | Recommend "Consider increasing the minimum retention days to 7 days" 28 | # Links 
"https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/retention?view=azure-devops#minimum-retention-days" 29 | AllOf { 30 | $Assert.HasField($TargetObject, "RetentionSettings.purgePullRequestRuns.value", $true) 31 | $Assert.GreaterOrEqual($TargetObject, "RetentionSettings.purgePullRequestRuns.value", $Configuration.GetValueOrDefault('PullRequestRunsMinimumRetentionDays', 7)) 32 | } 33 | } -------------------------------------------------------------------------------- /pipelines/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | name: PSRule-ADO 2 | 3 | pool: 4 | vmImage: 'ubuntu-latest' 5 | 6 | variables: 7 | # Set to your variable group containing ADO_PAT 8 | - group: 'ado-psrule-run' 9 | # Set to your Azure DevOps organization 10 | - name: devops_organization 11 | value: 'cloudyspells' 12 | # Set to your Azure DevOps project 13 | - name: devops_project 14 | value: 'psrule-fail-project' 15 | 16 | schedules: 17 | - cron: "5 8 * * 0" 18 | displayName: Run every Sunday 19 | branches: 20 | include: 21 | - '*' 22 | 23 | stages: 24 | - stage: Run 25 | displayName: Run 26 | jobs: 27 | - job: Run 28 | displayName: Run 29 | steps: 30 | - checkout: self 31 | clean: true 32 | - task: PowerShell@2 33 | displayName: Install PSRule 34 | inputs: 35 | targetType: 'inline' 36 | script: | 37 | Install-Module -Name PSRule -Scope CurrentUser -Force 38 | Install-Module -Name PSRule.Rules.AzureDevOps -Scope CurrentUser -Force 39 | - task: PowerShell@2 40 | displayName: Create temporary output directory 41 | inputs: 42 | targetType: 'inline' 43 | script: | 44 | New-Item -Path $(Build.SourcesDirectory) -Name Temp -ItemType Directory -Force 45 | - task: PowerShell@2 46 | displayName: Run PSRule 47 | inputs: 48 | targetType: 'inline' 49 | script: | 50 | Connect-AzDevOps -Organization $(devops_organization) -PAT "$(ADOPAT)" 51 | Export-AzDevOpsRuleData ` 52 | -Project $(devops_project) ` 53 | -OutputPath .\Temp 54 | 
Assert-PSRule -Style AzurePipelines ` 55 | -Module PSRule.Rules.AzureDevOps ` 56 | -InputPath '$(Build.SourcesDirectory)/Temp/' ` 57 | -Format Detect ` 58 | -OutputPath ./results.sarif ` 59 | -OutputFormat Sarif ` 60 | -Culture en 61 | 62 | - task: PublishPipelineArtifact@1 63 | condition: always() 64 | displayName: Publish results 65 | inputs: 66 | targetPath: ./results.sarif 67 | artifact: 'CodeAnalysisLogs' 68 | -------------------------------------------------------------------------------- /.github/workflows/publish-on-release.yml: -------------------------------------------------------------------------------- 1 | # File: .github/workflows/qa.yml 2 | on: 3 | release: 4 | types: 5 | - "published" 6 | workflow_dispatch: 7 | 8 | name: Publish Module to PSGallery 9 | 10 | jobs: 11 | publish: 12 | runs-on: ubuntu-22.04 13 | steps: 14 | - name: Checkout 15 | uses: actions/checkout@v3 16 | 17 | - name: Install PSRule module 18 | shell: pwsh 19 | run: | 20 | Install-Module -Name PSRule -Force -Scope CurrentUser -Repository PSGallery 21 | 22 | # Update the module manifest for preview-release 23 | - name: Update the module manifest for preview-release 24 | if: github.event.release.prerelease == true 25 | shell: pwsh 26 | run: | 27 | # Update the module manifest with the version number in the release tag 28 | $version = ($env:GITHUB_REF -replace 'refs/tags/v','') -split '-' | Select-Object -First 1 29 | $prerelease = "-" + (($env:GITHUB_REF -replace 'refs/tags/v') -split '-' | Select-Object -Last 1) 30 | $path = './src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psd1' 31 | Update-ModuleManifest -Path $path -ModuleVersion $version -ReleaseNotes "${{ github.event.release.body }}" -Prerelease $prerelease 32 | 33 | # Update the module manifest for full-release 34 | - name: Update the module manifest for full-release 35 | if: github.event.release.prerelease == false 36 | shell: pwsh 37 | run: | 38 | # Update the module manifest with the version number in the release 
tag 39 | $version = $env:GITHUB_REF -replace 'refs/tags/v' 40 | $path = './src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psd1' 41 | Update-ModuleManifest -Path $path -ModuleVersion $version -ReleaseNotes "${{ github.event.release.body }}" 42 | 43 | # Publish to PowerShell Gallery on pre-release 44 | - name: Publish preview module 45 | if: github.event.release.prerelease == true 46 | shell: pwsh 47 | id: publish-module-preview 48 | run: | 49 | Publish-Module -Path ./src/PSRule.Rules.AzureDevOps -NuGetApiKey ${{ secrets.PS_GALLERY_KEY }} -Repository PSGallery 50 | 51 | # Publish to PowerShell Gallery on full-release 52 | - name: Publish module 53 | if: github.event.release.prerelease == false 54 | shell: pwsh 55 | id: publish-module 56 | run: | 57 | Publish-Module -Path ./src/PSRule.Rules.AzureDevOps -NuGetApiKey ${{ secrets.PS_GALLERY_KEY }} 58 | -------------------------------------------------------------------------------- /example/best-practice/SupressionGroups.Rule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Synopsis: Only main, master, develop, and release branches should be protected 3 | apiVersion: github.com/microsoft/PSRule/v1 4 | kind: SuppressionGroup 5 | metadata: 6 | name: 'non-production-branches' 7 | spec: 8 | expiresOn: null 9 | rule: 10 | - Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval 11 | - Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution 12 | - Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems 13 | - Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled 14 | - Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy 15 | - Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers 16 | - Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild 17 | - Azure.DevOps.Repos.Branch.BranchPolicyResetVotes 18 | - Azure.DevOps.Repos.Branch.HasBranchPolicy 19 | if: 20 | allOf: 21 | - name: '.' 
22 | notContains: 23 | - 'refs/heads/main' 24 | - 'refs/heads/master' 25 | - 'refs/heads/develop' 26 | - 'refs/heads/release' 27 | - field: 'ObjectType' 28 | equals: 'Azure.DevOps.Repo.Branch' 29 | 30 | --- 31 | # Synposis: Only accept and production environments and should be protected 32 | apiVersion: github.com/microsoft/PSRule/v1 33 | kind: SuppressionGroup 34 | metadata: 35 | name: 'non-production-environments' 36 | spec: 37 | expiresOn: null 38 | rule: 39 | - Azure.DevOps.Pipelines.Environments.ProductionBranchLimit 40 | - Azure.DevOps.Pipelines.Environments.ProductionCheckProtection 41 | - Azure.DevOps.Pipelines.Environments.ProductionHumanApproval 42 | if: 43 | allOf: 44 | - name: '.' 45 | notContains: 46 | - 'acc' 47 | - 'accept' 48 | - 'acceptance' 49 | - 'live' 50 | - 'pre' 51 | - 'prd' 52 | - 'prod' 53 | - 'production' 54 | - field: 'ObjectType' 55 | in: 56 | - 'Azure.DevOps.Pipelines.Environment' 57 | 58 | --- 59 | # Synposis: Only accept and production service connections should be protected 60 | apiVersion: github.com/microsoft/PSRule/v1 61 | kind: SuppressionGroup 62 | metadata: 63 | name: 'non-production-service-connections' 64 | spec: 65 | expiresOn: null 66 | rule: 67 | - Azure.DevOps.ServiceConnections.ProductionBranchLimit 68 | - Azure.DevOps.ServiceConnections.ProductionCheckProtection 69 | - Azure.DevOps.ServiceConnections.ProductionHumanApproval 70 | if: 71 | allOf: 72 | - name: '.' 
73 | notContains: 74 | - 'acc' 75 | - 'accept' 76 | - 'acceptance' 77 | - 'live' 78 | - 'pre' 79 | - 'prd' 80 | - 'prod' 81 | - 'production' 82 | - field: 'ObjectType' 83 | in: 84 | - 'Azure.DevOps.ServiceConnection' 85 | -------------------------------------------------------------------------------- /tests/Rules.Common.Tests.ps1: -------------------------------------------------------------------------------- 1 | BeforeAll { 2 | # Setup error handling 3 | $ErrorActionPreference = 'Stop'; 4 | Set-StrictMode -Version latest; 5 | 6 | if ($Env:SYSTEM_DEBUG -eq 'true') { 7 | $VerbosePreference = 'Continue'; 8 | } 9 | 10 | # Setup tests paths 11 | # $rootPath = $PWD; 12 | $rootPath = $env:GITHUB_WORKSPACE 13 | $ourModule = (Join-Path -Path $rootPath -ChildPath '/src/PSRule.Rules.AzureDevOps') 14 | 15 | Import-Module -Name $ourModule -Force; 16 | $here = (Resolve-Path $PSScriptRoot).Path; 17 | 18 | # Create tempory test output folder and store path 19 | $outPath = New-Item -Path (Join-Path -Path $here -ChildPath 'out') -ItemType Directory -Force; 20 | $outPath = $outPath.FullName; 21 | 22 | # Export all Azure DevOps rule data for project 'psrule-fail-project' to output folder 23 | Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT 24 | Export-AzDevOpsRuleData -Project $env:ADO_PROJECT -OutputPath $outPath 25 | 26 | # Create a temporary test output folder for tests with the ReadOnly TokenType 27 | $outPathReadOnly = New-Item -Path (Join-Path -Path $here -ChildPath 'outReadOnly') -ItemType Directory -Force; 28 | $outPathReadOnly = $outPathReadOnly.FullName; 29 | 30 | # Export all Azure DevOps rule data for project 'psrule-fail-project' to ReadOnly output folder 31 | Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT_READONLY -TokenType ReadOnly 32 | Export-AzDevOpsRuleData -Project $env:ADO_PROJECT -OutputPath $outPathReadOnly 33 | 34 | # Create a temporary test output folder for tests with the FineGrained TokenType 35 | 
$outPathFineGrained = New-Item -Path (Join-Path -Path $here -ChildPath 'outFineGrained') -ItemType Directory -Force; 36 | $outPathFineGrained = $outPathFineGrained.FullName; 37 | 38 | # Export all Azure DevOps rule data for project 'psrule-fail-project' to FineGrained output folder 39 | Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT_FINEGRAINED -TokenType FineGrained 40 | Export-AzDevOpsRuleData -Project $env:ADO_PROJECT -OutputPath $outPathFineGrained 41 | } 42 | 43 | Describe "PSRule.Rules.AzureDevOps Rules" { 44 | Context ' Base rules' { 45 | It ' should contain 77 rules' { 46 | $rules = Get-PSRule -Module PSRule.Rules.AzureDevOps 47 | $rules.Count | Should -Be 77 48 | } 49 | 50 | It ' should contain a markdown help file for each rule' { 51 | $rules = Get-PSRule -Module PSRule.Rules.AzureDevOps 52 | $rules | ForEach-Object { 53 | $helpFile = Join-Path -Path "$ourModule/en" -ChildPath "$($_.Name).md" 54 | Test-Path -Path $helpFile | Should -Be $true 55 | } 56 | } 57 | } 58 | } 59 | 60 | AfterAll { 61 | # Remove Module 62 | Disconnect-AzDevOps 63 | Remove-Module -Name PSRule.Rules.AzureDevOps -Force; 64 | } -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.Pipelines.PipelineYaml.Rule.ps1: -------------------------------------------------------------------------------- 1 | 2 | # Synopsis: Microsoft hosted agent pool should target a specific version 3 | Rule 'Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest' ` 4 | -Ref 'ADO-YAML-001' ` 5 | -Type 'Azure.DevOps.Pipelines.PipelineYaml' ` 6 | -Tag @{ release = 'GA'} ` 7 | -Level Warning { 8 | # Description 'Microsoft hosted agent pool should target a specific version' 9 | Reason 'Pipeline is using the latest version of the Microsoft hosted agent pool' 10 | Recommend 'Specify a specific version of the Microsoft hosted agent pool' 11 | # Links '' 12 | AllOf { 13 | AnyOf { 14 | $Assert.NotMatch($TargetObject, 
"stages.jobs[*].pool.vmImage", "latest") 15 | $Assert.Null($TargetObject, "stages.jobs[*].pool.vmImage") 16 | } 17 | AnyOf { 18 | $Assert.NotMatch($TargetObject, "stages[*].pool.vmImage", "latest") 19 | $Assert.Null($TargetObject, "stages[*].pool.vmImage") 20 | } 21 | AnyOf { 22 | $Assert.NotMatch($TargetObject, "pool.vmImage", "latest") 23 | $Assert.Null($TargetObject, "pool.vmImage") 24 | } 25 | } 26 | } 27 | 28 | # Synopsis: All steps should have a display name 29 | Rule 'Azure.DevOps.Pipelines.PipelineYaml.StepDisplayName' ` 30 | -Ref 'ADO-YAML-002' ` 31 | -Type 'Azure.DevOps.Pipelines.PipelineYaml' ` 32 | -Tag @{ release = 'GA'} ` 33 | -Level Warning { 34 | # Description 'All steps should have a display name' 35 | Reason 'Step is missing a display name' 36 | Recommend 'Add a display name to the step' 37 | # Links '' 38 | AllOf { 39 | If($TargetObject.stages) { 40 | $TargetObject.stages | ForEach-Object { 41 | $Assert.HasField($_, "jobs", $true) 42 | $_.jobs | ForEach-Object { 43 | $Assert.HasField($_, "steps", $true) 44 | $_.steps | ForEach-Object { 45 | $Assert.HasField($_, "displayName", $true) 46 | $Assert.HasFieldValue($_, "displayName") 47 | } 48 | } 49 | } 50 | } 51 | elseif ($TargetObject.jobs) { 52 | $Assert.HasField($TargetObject, "jobs", $true) 53 | $TargetObject.jobs | ForEach-Object { 54 | $Assert.HasField($_, "steps", $true) 55 | $_.steps | ForEach-Object { 56 | $Assert.HasField($_, "displayName", $true) 57 | $Assert.HasFieldValue($_, "displayName") 58 | } 59 | } 60 | } 61 | else { 62 | $Assert.HasField($TargetObject, "steps", $true) 63 | $TargetObject.steps | ForEach-Object { 64 | $Assert.HasField($_, "displayName", $true) 65 | $Assert.HasFieldValue($_, "displayName") 66 | } 67 | } 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.Groups.Rule.ps1: -------------------------------------------------------------------------------- 1 | # PSRule rule 
definitions for Azure DevOps Groups 2 | 3 | # Synopsis: The Project Administrators group should not have less than 2 members 4 | Rule 'Azure.DevOps.Groups.ProjectAdmins.MinMembers' ` 5 | -Ref 'ADO-GRP-001' ` 6 | -Type 'Azure.DevOps.Group' ` 7 | -If { $TargetObject.displayName -eq 'Project Administrators' } ` 8 | -Tag @{ release = 'GA'} ` 9 | -Level Warning { 10 | # Description "The Project Administrators group should not have less than 2 members" 11 | Reason "The Project Administrators group has less than 2 members" 12 | Recommend "Consider adding more members to the Project Administrators group" 13 | # Links "https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops#project-administrator" 14 | AllOf { 15 | $Assert.HasField($TargetObject, "Members", $true) 16 | $Assert.HasField($TargetObject, "Members.Length", $true) 17 | $Assert.GreaterOrEqual($TargetObject, "Members.Length", $Configuration.GetValueOrDefault('ProjectAdminsMinMembers', 2)) 18 | } 19 | } 20 | 21 | # Synopsis: The Project Administrators group should not have more than 4 members 22 | Rule 'Azure.DevOps.Groups.ProjectAdmins.MaxMembers' ` 23 | -Ref 'ADO-GRP-002' ` 24 | -Type 'Azure.DevOps.Group' ` 25 | -If { $TargetObject.displayName -eq 'Project Administrators' } ` 26 | -Tag @{ release = 'GA'} ` 27 | -Level Warning { 28 | # Description "The Project Administrators group should not have more than 4 members" 29 | Reason "The Project Administrators group has more than 4 members" 30 | Recommend "Consider removing members from the Project Administrators group" 31 | # Links "https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops#project-administrator" 32 | AllOf { 33 | $Assert.HasField($TargetObject, "Members", $true) 34 | $Assert.HasField($TargetObject, "Members.Length", $true) 35 | $Assert.LessOrEqual($TargetObject, "Members.Length", $Configuration.GetValueOrDefault('ProjectAdminsMaxMembers', 4)) 36 | } 37 | } 38 | 39 | # 
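Synopsis: The Project Valid User should only be member of the Project Collection Valid Users group
# Scoped by -If to the group whose displayName is 'Project Valid Users'.
Rule 'Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups' `
    -Ref 'ADO-GRP-003' `
    -Type 'Azure.DevOps.Group' `
    -If { $TargetObject.displayName -eq 'Project Valid Users' } `
    -Tag @{ release = 'GA'} `
    -Level Warning {
    # Description "The Project Valid Users group should only be member of the Project Collection Valid Users group"
    Reason "The Project Valid User is member of other groups than the Project Collection Valid Users group"
    Recommend "Consider removing the Project Valid User from other groups than the Project Collection Valid Users group"
    # Links "https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops#project-valid-user"
    AllOf {
        $Assert.HasField($TargetObject, "MemberOf", $true)
        $Assert.HasField($TargetObject, "MemberOf.Length", $true)
        $Assert.LessOrEqual($TargetObject, "MemberOf.Length", 1)
        # NOTE(review): LessOrEqual accepts a length of 0, but the check below then fails because
        # MemberOf[0] does not exist, so a group with no memberships fails this rule — confirm that is intended
        $Assert.HasFieldValue($TargetObject, "MemberOf[0].displayName", "Project Collection Valid Users")
    }
}
--------------------------------------------------------------------------------
/src/PSRule.Rules.AzureDevOps/Functions/DevOps.Pipelines.Settings.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get the project's pipelines settings from Azure DevOps

.DESCRIPTION
Get the project's pipelines (build general) settings from the Azure DevOps REST API.
Requires an existing connection created with Connect-AzDevOps.

.PARAMETER Project
Project name for Azure DevOps

.OUTPUTS
The settings object deserialized from the REST API response.

.EXAMPLE
Get-AzDevOpsPipelinesSettings -Project $Project

.NOTES
Throws when there is no connection, when the request fails, or when the API answers with a
string instead of an object (authentication failure or unknown project).
#>
Function Get-AzDevOpsPipelinesSettings {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]
        $Project
    )
    if ($null -eq $script:connection) {
        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
    }
    $Organization = $script:connection.Organization
    $header = $script:connection.GetHeader()
    # The project name is escaped so characters such as spaces cannot change the path or query of the request
    $uri = "https://dev.azure.com/$Organization/$([uri]::EscapeDataString($Project))/_apis/build/generalsettings?api-version=7.1-preview.1"
    Write-Verbose "URI: $uri"
    try {
        $pipelinesSettings = Invoke-RestMethod -Uri $uri -Method Get -Headers $header -ContentType 'application/json'
        # The API returns an object on success; a string body is treated as an authentication
        # failure or an unknown project rather than passed on as settings
        if ($pipelinesSettings -is [string]) {
            throw "Authentication failed or pipeline not found"
        }
    }
    catch {
        # Re-thrown as a plain message so callers get a stable, readable error
        throw $_.Exception.Message
    }
    return $pipelinesSettings
}
Export-ModuleMember -Function Get-AzDevOpsPipelinesSettings
# End of Function Get-AzDevOpsPipelinesSettings

<#
.SYNOPSIS
Export the project's pipelines settings from Azure DevOps to a JSON file

.DESCRIPTION
Export the project's pipelines settings from Azure DevOps to a JSON file with .ado.pls.json extension,
or return them to the pipeline when -PassThru is specified.

.PARAMETER Project
Project name for Azure DevOps

.PARAMETER OutputPath
Output path for JSON files. Required unless -PassThru is specified.

.PARAMETER PassThru
Return the exported pipelines settings as objects to the pipeline instead of writing to a file

.EXAMPLE
Export-AzDevOpsPipelinesSettings -Project $Project -OutputPath $OutputPath

.NOTES
Throws when there is no connection, when the settings cannot be retrieved, or when neither
-PassThru nor a non-empty -OutputPath is given.
#>
function Export-AzDevOpsPipelinesSettings {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]
        $Project,
        [Parameter(ParameterSetName = 'JsonFile')]
        [string]
        $OutputPath,
        [Parameter(ParameterSetName = 'PassThru')]
        [switch]
        $PassThru
    )
    if ($null -eq $script:connection) {
        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
    }
    Write-Verbose "Getting pipelines settings from Azure DevOps"
    $pipelinesSettings = Get-AzDevOpsPipelinesSettings -Project $Project
    # Decorate the raw API object with the metadata the rules use to type and name the target
    $pipelinesSettings | Add-Member -MemberType NoteProperty -Name ObjectType -Value 'Azure.DevOps.Pipelines.Settings'
    $pipelinesSettings | Add-Member -MemberType NoteProperty -Name ObjectName -Value ("{0}.{1}.PipelineSettings" -f $script:connection.Organization,$Project)
    $pipelinesSettings | Add-Member -MemberType NoteProperty -Name Name -Value "PipelineSettings"
    # The id is a JSON-encoded composite key, the same shape the other Export-* functions in this
    # module produce; originalId stays $null because no per-resource identifier is exported here
    $id = @{
        originalId = $null
        resourceName = 'PipelineSettings'
        project = $Project
        organization = $script:connection.Organization
    } | ConvertTo-Json -Depth 100
    $pipelinesSettings | Add-Member -MemberType NoteProperty -Name id -Value $id
    if ($PassThru) {
        Write-Output $pipelinesSettings
    } else {
        # Fail with a clear message instead of the parameter-binding error Join-Path would raise on an empty path
        if ([string]::IsNullOrWhiteSpace($OutputPath)) {
            throw "OutputPath is required when PassThru is not specified"
        }
        $pipelinesSettings | ConvertTo-Json -Depth 10 | Out-File (Join-Path -Path $OutputPath -ChildPath "$Project.ado.pls.json")
    }
}
Export-ModuleMember -Function Export-AzDevOpsPipelinesSettings
# End of Function Export-AzDevOpsPipelinesSettings
--------------------------------------------------------------------------------
/src/PSRule.Rules.AzureDevOps/Functions/DevOps.RetentionSettings.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get retention settings for a project.

.DESCRIPTION
Get retention settings for a project from Azure DevOps REST API.

.PARAMETER Project
The project to get retention settings for.

.EXAMPLE
Get-AzDevOpsRetentionSettings -Project 'MyProject'

.NOTES
This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information. 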
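#>
Function Get-AzDevOpsRetentionSettings {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]
        $Project
    )
    if($null -eq $script:connection) {
        throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
    }
    $Organization = $script:connection.Organization
    $header = $script:connection.GetHeader()

    # Azure DevOps REST API endpoints for the project retention settings and the build settings.
    # The project name is escaped so characters such as spaces cannot change the path or query of the request.
    $escapedProject = [uri]::EscapeDataString($Project)
    $settingsUri = "https://dev.azure.com/$($Organization)/$($escapedProject)/_apis/build/retention?api-version=7.1-preview.1"
    $policyUri = "https://dev.azure.com/$($Organization)/$($escapedProject)/_apis/build/settings?api-version=7.1-preview.1"
    try {
        $settingsResponse = Invoke-RestMethod -Uri $settingsUri -Method Get -Headers $header
        $policyResponse = Invoke-RestMethod -Uri $policyUri -Method Get -Headers $header
        # A string body instead of an object is treated as an authentication failure or an unknown project
        If($settingsResponse -is [string] -or $policyResponse -is [string]) {
            throw "Failed to get retention settings for project '$($Project)' from Azure DevOps"
        }
    }
    catch {
        # Keep the thrown message stable for callers, but do not lose the underlying cause: surface it on the verbose stream
        Write-Verbose "Retention settings request failed: $($_.Exception.Message)"
        throw "Failed to get retention settings for project '$($Project)' from Azure DevOps"
    }
    # Hashtable so that Export-AzDevOpsRetentionSettings can .Add() the id and name keys
    return @{
        RetentionSettings = $settingsResponse
        RetentionPolicy = $policyResponse
        ObjectType = 'Azure.DevOps.RetentionSettings'
        ObjectName = "$Organization.$Project.RetentionSettings"
    }
}
Export-ModuleMember -Function Get-AzDevOpsRetentionSettings

<#
.SYNOPSIS
Export retention settings for a project to a JSON file.

.DESCRIPTION
Export retention settings for a project to a JSON file from Azure DevOps REST API,
or return them to the pipeline when -PassThru is specified.

.PARAMETER Project
The project to get retention settings for.

.PARAMETER OutputPath
The path to export the retention settings to. Required unless -PassThru is specified.

.PARAMETER PassThru
If set, the function will return the retention settings as objects instead of writing them to a file.

.EXAMPLE
Export-AzDevOpsRetentionSettings -Project 'MyProject' -OutputPath 'C:\Temp\'

.NOTES
This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
Throws when the settings cannot be retrieved or when neither -PassThru nor a non-empty -OutputPath is given.
#>
Function Export-AzDevOpsRetentionSettings {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]
        $Project,

        [Parameter(ParameterSetName = 'JsonFile')]
        [string]
        $OutputPath,

        [Parameter(ParameterSetName = 'PassThru')]
        [switch]
        $PassThru
    )
    # Get-AzDevOpsRetentionSettings throws when there is no connection, so $script:connection is safe to read below
    $settings = Get-AzDevOpsRetentionSettings -Project $Project
    # JSON-encoded composite key, the same shape the other Export-* functions in this module produce
    $id = @{
        originalId = $null
        resourceName = 'RetentionSettings'
        project = $Project
        organization = $script:connection.Organization
    } | ConvertTo-Json -Depth 100
    $settings.Add('id',$id)
    $settings.Add('name','RetentionSettings')
    if($PassThru) {
        Write-Output $settings
    } else {
        # Previously an empty OutputPath silently produced a file named "\<project>.ret.ado.json"; fail explicitly instead
        if ([string]::IsNullOrWhiteSpace($OutputPath)) {
            throw 'OutputPath is required when PassThru is not specified.'
        }
        # Join-Path instead of a hard-coded backslash so the file is placed inside OutputPath on every platform
        $settings | ConvertTo-Json -Depth 100 | Out-File -FilePath (Join-Path -Path $OutputPath -ChildPath "$($Project).ret.ado.json")
    }
}
Export-ModuleMember -Function Export-AzDevOpsRetentionSettings
--------------------------------------------------------------------------------
/tests/Rules.RetentionSettings.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {
    # Setup error handling
    $ErrorActionPreference = 'Stop';
    Set-StrictMode -Version latest;

    if ($Env:SYSTEM_DEBUG -eq 'true') {
        $VerbosePreference = 'Continue';
    }

    # Setup tests paths
    # $rootPath = $PWD;
    $rootPath = $env:GITHUB_WORKSPACE
    $ourModule = (Join-Path -Path $rootPath -ChildPath '/src/PSRule.Rules.AzureDevOps')

    Import-Module -Name $ourModule -Force
    $here = (Resolve-Path $PSScriptRoot).Path

    # Get temporary test output folder and store path
    $outPath = Get-Item -Path (Join-Path -Path $here -ChildPath 'out')
    $outPath = $outPath.FullName

    # Run 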
rules with default token type
    $ruleResult = Invoke-PSRule -InputPath "$($outPath)/" -Module PSRule.Rules.AzureDevOps -Format Detect -Culture en

    # Get temporary test output folder for tests with the ReadOnly TokenType
    $outPathReadOnly = Get-Item -Path (Join-Path -Path $here -ChildPath 'outReadOnly')
    $outPathReadOnly = $outPathReadOnly.FullName

    # Run rules with ReadOnly token type
    $ruleResultReadOnly = Invoke-PSRule -InputPath "$($outPathReadOnly)/" -Module PSRule.Rules.AzureDevOps -Format Detect -Culture en

    # Get temporary test output folder for tests with the FineGrained TokenType
    $outPathFineGrained = Get-Item -Path (Join-Path -Path $here -ChildPath 'outFineGrained')
    $outPathFineGrained = $outPathFineGrained.FullName

    # Run rules with FineGrained token type
    $ruleResultFineGrained = Invoke-PSRule -InputPath "$($outPathFineGrained)/" -Module PSRule.Rules.AzureDevOps -Format Detect -Culture en
}

# Each context checks one retention rule against the three exported data sets (default, ReadOnly and
# FineGrained token types); every variant is expected to produce exactly one passing result.
Describe "Azure.DevOps.RetentionSettings rules" {
    Context ' Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' {
        It ' should pass once' {
            # @() keeps a single result indexable.
            # NOTE(review): with Set-StrictMode -Version latest, indexing an empty result throws before the
            # Count assertion runs, so a rule that produced no hits surfaces as an index error, not a Should failure
            $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }

        It ' should pass once for ReadOnly token type' {
            $ruleHits = @($ruleResultReadOnly | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }

        It ' should pass once for FineGrained token type' {
            $ruleHits = @($ruleResultFineGrained | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }
    }

    Context '
Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' {
        It ' should pass once' {
            # @() keeps a single result indexable; one hit per exported data set is expected
            $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }

        It ' should pass once for ReadOnly token type' {
            $ruleHits = @($ruleResultReadOnly | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }

        It ' should pass once for FineGrained token type' {
            $ruleHits = @($ruleResultFineGrained | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' })
            $ruleHits[0].Outcome | Should -Be 'Pass';
            $ruleHits.Count | Should -Be 1;
        }
    }
}

AfterAll {
    # Remove Module
    Remove-Module -Name PSRule.Rules.AzureDevOps -Force
}
--------------------------------------------------------------------------------
/.github/workflows/module-ci.yml:
--------------------------------------------------------------------------------
# GitHub workflow for running pester unit tests on pull requests

on:
  pull_request:
    paths:
      - 'src/PSRule.Rules.AzureDevOps/Functions/**'
      - 'src/PSRule.Rules.AzureDevOps/Classes/**'
      - 'src/PSRule.Rules.AzureDevOps/rules/**'
      - 'src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psm1'
      - 'tests/**'
      - '.github/workflows/module-ci.yml'
    branches:
      - main
  push:
    # NOTE(review): the push filter omits Classes/** and rules/** (both present in the pull_request filter),
    # so a rule or class change pushed directly to main does not run this CI — confirm that is intended
    paths:
      - 'src/PSRule.Rules.AzureDevOps/Functions/**'
      - 'src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psm1'
      - 'tests/**'
    branches:
      - main

name: PS Module CI

# Workflow-level token permissions apply to every job below; checks/pull-requests write is
# presumably what the test-result publisher step needs — keep it to these two scopes.
permissions:
  checks: write
  pull-requests: write

jobs:
  run-pester:
    # NOTE(review): pull_request runs on a persistent self-hosted runner. Fork pull requests do not receive
    # repository secrets, but their code still executes on this infrastructure once approved, so keep
    # first-time-contributor approval enabled and clean the workspace (ADO_EXPORT_DIR below) between runs.
    runs-on: self-hosted
    steps:
      # NOTE(review): actions are referenced by mutable tags here and by a branch (@master) in the
      # sonarcloud job; pinning each to a full commit SHA prevents a moved upstream tag from changing what runs
      - uses: actions/checkout@v3

      # NOTE(review): no -RequiredVersion, so each run installs whatever the gallery currently serves;
      # pinning versions makes the test environment reproducible
      - name: Install PSRule and Pester
        run: |
          Install-Module -Name PSRule -Force -SkipPublisherCheck
          Install-Module -Name Pester -Force -SkipPublisherCheck
        shell: pwsh

      # Temporarily disabled until PSScriptAnalyzer is updated to support PowerShell 7
      # - name: Run PSScriptAnalyzer
      #   run: |
      #     Invoke-ScriptAnalyzer -Path .\src -Recurse -Verbose
      #   shell: pwsh

      - name: Run Pester Tests
        run: |
          # Set Pester configuration for detailed output with code coverage and Nunit test results
          Import-Module Pester -Force
          # Create ADO export directory
          New-Item -Path $env:ADO_EXPORT_DIR -ItemType Directory -Force
          # Set Pester configuration for detailed output with code coverage and Nunit test results
          $config = New-PesterConfiguration
          $config.CodeCoverage.Enabled = $true
          $config.CodeCoverage.OutputPath = "$($env:GITHUB_WORKSPACE)\coverage.xml"
          $config.CodeCoverage.OutputFormat = 'JaCoCo'
          $config.CodeCoverage.Path = "$($env:GITHUB_WORKSPACE)\src\PSRule.Rules.AzureDevOps\Functions","$($env:GITHUB_WORKSPACE)\src\PSRule.Rules.AzureDevOps\Classes"
          $config.Output.Verbosity = 'Detailed'
          $config.TestResult.Enabled = $true
          $config.TestResult.OutputFormat = 'NUnitXml'
          $config.TestResult.OutputPath = "$($env:GITHUB_WORKSPACE)\testresults.xml"
          $config.Output.CIFormat = 'GitHubActions'
          # Run Pester tests
          Invoke-Pester -Configuration $config
        shell: pwsh
        # Credentials for the Azure DevOps test organization are scoped to this step only.
        # The exported JSON lands under the workspace (ADO_EXPORT_DIR) and describes the test
        # organization's configuration; it is not uploaded by later steps.
        env:
          ADO_EXPORT_DIR: "${{ github.workspace }}/tmp"
          ADO_PAT: ${{ secrets.ADO_PAT }}
          ADO_ORGANIZATION: ${{ secrets.ADO_ORGANIZATION }}
          ADO_PROJECT: ${{ secrets.ADO_PROJECT }}
          ADO_PAT_FINEGRAINED: ${{ secrets.ADO_PAT_FINEGRAINED }}
          ADO_PAT_READONLY: ${{ secrets.ADO_PAT_READONLY }}
          ADO_CLIENT_ID: ${{ secrets.ADO_CLIENT_ID }}
          ADO_CLIENT_SECRET: ${{ secrets.ADO_CLIENT_SECRET }}
          ADO_TENANT_ID: ${{ secrets.ADO_TENANT_ID }}
          ADO_MSI_CLIENT_ID: ${{ secrets.ADO_MSI_CLIENT_ID }}

      - name: Upload Test Results
        uses: EnricoMi/publish-unit-test-result-action/composite@v2
        with:
          files: |
            **/testresults.xml

      # NOTE(review): codecov-action@v1 is an old major of this action; check the current major and
      # its input names before upgrading, and pin the chosen release to a commit SHA
      - name: Upload Code Coverage
        uses: codecov/codecov-action@v1
        with:
          file: coverage.xml
          flags: unittests
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      # NOTE(review): @master is a moving branch reference, so this job runs whatever the upstream
      # branch head is at the time; pin to a release tag or, better, a full commit SHA
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--------------------------------------------------------------------------------