Framework/Configurations/SVT/ControlSettings.json

{
  "BaselineControls": {
    "ResourceTypeControlIdMappingList": [
      {
        "ResourceType": "Organization",
        "ControlIds": [
          "ADO_Organization_AuthN_Use_AAD_Auth",
          "ADO_Organization_AuthN_Disable_External_Guest_Users",
          "ADO_Organization_AuthZ_Justify_Guest_Identities",
          "ADO_Organization_SI_Review_Installed_Extensions",
          "ADO_Organization_SI_Review_Shared_Extensions",
          "ADO_Organization_AuthZ_Review_Extension_Managers",
          "ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts",
          "ADO_Organization_SI_Review_Auto_Injected_Extensions",
          "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time",
          "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Access",
          "ADO_Organization_AuthZ_Limit_Release_Pipeline_Access",
          "ADO_Organization_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos",
          "ADO_Organization_DP_Dont_Allow_Public_Projects",
          "ADO_Organization_Enable_Audit_Stream",
          "ADO_Organization_BCDR_Min_Admin_Count",
          "ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin"
        ]
      },
      {
        "ResourceType": "Project",
        "ControlIds": [
          "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise",
          "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time",
          "ADO_Project_BCDR_Min_Admin_Count",
          "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Access",
          "ADO_Project_AuthZ_Limit_Release_Pipeline_Access",
          "ADO_Project_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos",
          "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin"
        ]
      },
      {
        "ResourceType": "ServiceConnection",
        "ControlIds": [
          "ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections",
          "ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions",
          "ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access",
          "ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups",
          "ADO_ServiceConnection_DP_Review_Inactive_Connection",
          "ADO_ServiceConnection_SI_Dont_Share_Across_Projects",
          "ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access"
        ]
      },
      {
        "ResourceType": "Build",
        "ControlIds": [
          "ADO_Build_AuthZ_Disable_Inherited_Permissions",
          "ADO_Build_DP_No_PlainText_Secrets_In_Definition",
          "ADO_Build_SI_Review_URL_Variables_Settable_At_Queue_Time",
          "ADO_Build_SI_Disable_Task_Group_Edit_Permission",
          "ADO_Build_SI_Disable_Variable_Group_Edit_Permission",
          "ADO_Build_AuthZ_Limit_Pipeline_Access"
        ]
      },
      {
        "ResourceType": "Release",
        "ControlIds": [
          "ADO_Release_AuthZ_Disable_Inherited_Permissions",
          "ADO_Release_SI_Review_External_Sources",
          "ADO_Release_DP_No_PlainText_Secrets_In_Definition",
          "ADO_Release_SI_Review_URL_Variables_Settable_At_Release_Time",
          "ADO_Release_SI_Disable_Task_Group_Edit_Permission",
          "ADO_Release_SI_Disable_Variable_Group_Edit_Permission"
        ]
      },
      {
        "ResourceType": "AgentPool",
        "ControlIds": [
          "ADO_AgentPool_AuthZ_Disable_Inherited_Permissions",
          "ADO_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access",
          "ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning",
          "ADO_AgentPool_DP_Review_Inactive_Pool"
        ]
      },
      {
        "ResourceType": "VariableGroup",
        "ControlIds": [
          "ADO_VariableGroup_AuthZ_Dont_Grant_All_Pipelines_Access",
          "ADO_VariableGroup_AuthZ_Disable_Inherited_Permissions",
          "ADO_VariableGroup_DP_No_PlainText_Secrets_In_Variables"
        ]
      }
    ]
  },
  "PreviewBaselineControls": {
    "ResourceTypeControlIdMappingList": []
  },
  "PartialScan": {
    "ResourceTrackerValidforDays": 3,
    "StoreResourceTrackerLocally": "True",
    "LocalScanUpdateFrequency": "100",
    "DurableScanUpdateFrequency": "200"
  },
  "DockerImage":{
    "ImageName" : "azskado/adosecurityscan"
  },
  "AllowAttestationResourceType": [
    "Organization",
    "Project",
    "Build",
    "Release",
    "ServiceConnection",
    "AgentPool",
    "VariableGroup"
  ],
  "AttestationExpiryPeriodInDays": {
    "Default": 90,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "AllowAttestationByGroups": [
    {
      "ResourceType": "Organization",
      "GroupNames": [
        "Project Collection Administrators"
      ]
    },
    {
      "ResourceType": "Project",
      "GroupNames": [
        "Project Collection Administrators",
        "Project Administrators"
      ]
    }
  ],
  "AttestationRepo": "",
  "AttestationBranch": "",
  "IsAllowLongRunningScan": true,
  "LongRunningScanCheckPoint": 1000,
  "DefaultValidAttestationStates": [
    "NotAnIssue",
    "WillFixLater",
    "WillNotFix"
  ],
  "NewControlGracePeriodInDays": {
    "Default": 60,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "AttestationPeriodInDays": {
    "Default": 90,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "ControlSeverity": {
    "Critical": "Critical",
    "High": "High",
    "Medium": "Medium",
    "Low": "Low"
  },
  "Build": {
    "BuildHistoryPeriodInDays": 180,
    "ExemptedUserIdentities": [
      {
        "Domain": "Build",
        "DisplayName": [
          "OneITVSO Build Service (MicrosoftIT)",
          "Project Collection Build Service (MicrosoftIT)"
        ]
      }
    ],
    "ExcludeFromSecretsCheck": [
        "system.debug",
        "BuildConfiguration",
        "BuildPlatform",
        "InputFeeds",
        "Environment",
        "SolutionName"
    ]
  },
  "Release": {
    "ReleaseHistoryPeriodInDays": 180,
    "ExemptedUserIdentities": [
      {
        "Domain": "Build",
        "DisplayName": [
          "OneITVSO Build Service (MicrosoftIT)",
          "Project Collection Build Service (MicrosoftIT)"
        ]
      }
    ],
    "RequirePreDeployApprovals": [
      "Production",
      "Pre-Production",
      "Prod",
      "Pre-Prod"
    ],
    "ExcludeFromSecretsCheck": [
        "Domain",
        "UserName",
        "Build",
        "AgentPath",
        "BuildNumber",
        "MachineGroup",
        "Environment",
        "System.debug",
        "BuildConfiguration"
    ]
  },
  "AgentPool": {
    "AgentPoolHistoryPeriodInDays": 180
  },
  "AlernateAccountRegularExpressionForOrg": "^SC-.*@.*microsoft.com$",
  "Organization": {
    "InActiveUserActivityLogsPeriodInDays": 90,
    "TopInActiveUserCount": 100,
    "TrustedExtensionPublishers": [
      "Microsoft",
      "Microsoft DevLabs"
    ],
    "MaxPCAMembersPermissible": 5,
    "MinPCAMembersPermissible": 2,
    "GroupsToCheckForSCAltMembers": [
      "Project Collection Administrators"
    ]
  },
  "Project": {
    "MaxPAMembersPermissible": 5,
    "MinPAMembersPermissible": 2,
    "GroupsToCheckForSCAltMembers": [
      "Project Administrators"
    ]
  },
  "ServiceConnection": {
    "ServiceConnectionHistoryPeriodInDays": 180,
    "ExemptedGroupIdentities": [
      "Endpoint Administrators"
    ],
    "RestrictedGlobalGroupsForSerConn": [
      "Microsoft IT Build Admins (msitbuildadm@microsoft.com)",
      "Everyone Microsoft FTE",
      "Project Collection Administrators",
      "Project Collection Build Administrators",
      "Project Collection Proxy Service Accounts",
      "Project Collection Service Accounts",
      "Project Collection Valid Users",
      "Security Service Group",
      "Project Administrators",
      "Build Administrators",
      "Release Administrators",
      "CSEOPipelineContributors",
      "Endpoint Creators",
      "Contributors",
      "Readers"
    ]
  },
  "Patterns": [
    {
      "RegexCode": "SecretsInBuild",
      "RegexList": [
        "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$",
        "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?",
        "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$",
        "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}",
        "(?# To match ADO PATs.)^[a-z2-7]{52}$"
      ]
    },
    {
      "RegexCode": "SecretsInRelease",
      "RegexList": [
        "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$",
        "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?",
        "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$",
        "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}",
        "(?# To match ADO PATs.)^[a-z2-7]{52}$"
      ]
    },
    {
      "RegexCode": "URLs",
      "RegexList": [
        "(?# To match any URL.)(www.|http:|https:)+[^\\s]+[\\w]"
      ]
    }
  ],
  "BugLogging": {
    "BugLogAreaPath": "RootDefaultProject",
    "BugLogIterationPath": "RootDefaultProject",
    "ResolvedBugLogBehaviour": "ReactiveOldBug",
    "MaxKeyWordsToQueryForBugClose": 30,
    "AutoCloseProjectBug": true,
    "AutoCloseOrgBug": true,
    "BugAssigneeAndPathCustomFlow": false,
    "BuildSTData": "BuildSTData.json",
    "ReleaseSTData": "ReleaseSTData.json",
    "ServiceTreeData": "ServiceTreeData.json",
    "DomainName": "microsoft.com"
  },
  "GenerateSecurityEvaluationJsonFile" : false
}