Framework/Configurations/SVT/ADO/ADO.Project.json

{
  "FeatureName": "Project",
  "Reference": "aka.ms/azsktcp/project",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise",
      "Description": "Ensure that project visibility is set to either private or enterprise.",
      "Id": "Project110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckProjectVisibility",
      "Rationale": "Data/content in projects that have public visibility can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data/assets.",
      "Recommendation": "1. Go to Project settings. --> 2. In Overview, under Visibility, select 'Private' or 'Enterprise'. Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/public/make-project-public?view=vsts&tabs=new-nav",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Review_Group_Members",
      "Description": "Review membership of all project level privileged groups and teams.",
      "Id": "Project130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "JustifyGroupMember",
      "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.",
      "Recommendation": "Go to Project Settings --> Security --> Select Teams/Group --> Verify Members",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_DP_Disable_Anonymous_Access_To_Badges",
      "Description": "Disable anonymous access to status badge API for parallel pipelines.",
      "Id": "Project140",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckBadgeAnonAccess",
      "Rationale": "Information that appears in the status badge API response should be hidden from external users.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Turn on 'Disable anonymous access to badges'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time",
      "Description": "Allow queue time changes only to pipeline variables explicitly marked as settable.",
      "Id": "Project150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSettableQueueTime",
      "Rationale": "By default a pipeline user can set any variables at queue time unless this option is enabled. Enabling this setting enforces that variables must be explicitly marked settable at queue-time as needed.",
      "Recommendation": "1. Go to Project Settings --> 2. Pipelines --> 3. Settings --> 4. Enable 'Limit variables that can be set at queue time'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Scope",
      "Description": "Limit scope of access for non-release pipelines to the current project.",
      "Id": "Project160",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckJobAuthZScope",
      "Rationale": "If the authorization scope of non-release pipelines is not limited to current project, an attacker can build a pipeline from a different (less sensitive project) to access resources in a target (more sensitive) project. This also in keeping with the principle of least privilege.",
      "Recommendation": "1. Go to Project Settings -->2. Pipelines -->3. Settings -->4. Enable 'Limit job authorization scope to current project for non-release pipelines.'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Limit_Release_Pipeline_Scope",
      "Description": "Limit scope of access for release pipelines to the current project.",
      "Id": "Project170",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckJobAuthZReleaseScope",
      "Rationale": "If the authorization scope of release pipelines is not limited to current project, an attacker can build a pipeline from a different (less sensitive project) to access resources in a target (more sensitive) project. This also in keeping with the principle of least privilege.",
      "Recommendation": "1. Go to Project Settings -->2. Pipelines -->3. Settings -->4. Enable 'Limit job authorization scope to current project for release pipelines.'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos",
      "Description": "Limit scope of access for pipelines to explicitly referenced Azure DevOps repositories.",
      "Id": "Project180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAuthZRepoScope",
      "Rationale": "If the authorization scope of pipelines is not limited to referenced repos, an attacker can create a pipeline that can access sensitive repos within the project. This also in keeping with the principle of least privilege.",
      "Recommendation": "1. Go to Project Settings -->2. Pipelines -->3. Settings -->4. Enable 'Limit job authorization scope to referenced Azure DevOps repositories'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_DP_Publish_Metadata_From_Pipeline",
      "Description": "Consider using artifact evaluation for fine-grained control over pipeline stages.",
      "Id": "Project190",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPublishMetadata",
      "Rationale": "Allow pipelines to record metadata. Evaluate artifact check can be configured to define policies using the metadata recorded.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Publish metadata from pipelines'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Limit_Admin_Count",
      "Description": "Ensure that there are at most $($this.ControlSettings.Project.MaxPAMembersPermissible) project administrators in your project.",
      "Id": "Project200",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMaxPACount",
      "Rationale": "Each additional person in the administrator role increases the attack surface for the entire project (if an admin's credentials are compromised via a phishing attack). The number of members in these roles should be kept as low as possible.",
      "Recommendation": "1. Project settings --> 2. General --> 3. Permissions --> 4. Groups --> 5. Select the group : Project Administrators --> 6. Remove the redundant members of this group",
      "Tags": [
        "SDL",
        "AuthZ",
        "Automated",
        "Best Practice"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_BCDR_Min_Admin_Count",
      "Description": "Ensure that there are at least $($this.ControlSettings.Project.MinPAMembersPermissible) project administrators in your project.",
      "Id": "Project210",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMinPACount",
      "Rationale": "Having the minimum required number of administrators reduces the risk of losing admin access. This is useful in case of breakglass scenarios.",
      "Recommendation": "1. Go to Project settings --> 2. General --> 3. Permissions --> 4.Groups --> 5. Select the group: Project Administrators --> 6. Add additional members of this group",
      "Tags": [
        "SDL",
        "BCDR",
        "Automated",
        "Best Practice"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin",
      "Description": "Alternate (ALT) accounts must be used for administrative activity at project scope.",
      "Id": "Project220",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSCALTForAdminMembers",
      "Rationale": "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire Azure DevOps organization to risk if it is privileged with critical roles in the organization. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the organization from this risk.",
      "Recommendation": "1. Go to Project settings --> 2. General --> 3. Permissions --> 4. Groups --> 5. Review whether each user in administrator groups is added via SC-ALT account.",
      "Tags": [
        "SDL",
        "AuthN",
        "Automated",
        "Best Practice",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_SI_Review_Author_Email_Validation_Policy",
      "Description": "Enable commit author email validation to restrict commits to repositories from untrusted users.",
      "Id": "Project260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAuthorEmailValidationPolicy",
      "Rationale": "Allowing commits from untrusted users can be dangerous as any malicious actor can push changes that can expose secrets/vulnerabilities outside the organization.",
      "Recommendation": "Go to Project Settings --> Repositories --> Policies --> Enable 'Commit author email validation' and specify exact emails or wildcards for identities who can commit code.",
      "Tags": [
        "SDL",
        "SI",
        "Automated",
        "Best Practice"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_DP_Enable_Credentials_And_Secrets_Policy",
      "Description": "Enable credential scanner to block pushes that contain credentials and other secrets.",
      "Id": "Project270",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCredentialsAndSecretsPolicy",
      "Rationale": "Exposed credentials in engineering systems continue to provide easily exploitable opportunities for attackers. To defend against this threat, Microsoft security experts developed the CredScan tool to automatically find exposed secrets. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources.",
      "Recommendation": "Go to Project Settings --> Repositories --> Policies --> Enable 'Check for credentials and other secrets'.",
      "Tags": [
        "SDL",
        "DP",
        "Automated",
        "Best Practice"
      ],
      "Enabled": false
    },
    {
      "ControlID": "ADO_Project_Check_Inactive_Project",
      "Description": "Projects with no development activity (no active builds, releases, repos, agent pools, service connections, etc.) should be deleted.",
      "Id": "Project310",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckInactiveProject",
      "Rationale": "Projects which have no activity are likely to be abandoned efforts. It is recommended to delete such projects to minimize exposure of corporate assets, credentials, etc.",
      "Recommendation": "If the project is not active or no more required, it should be removed.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated"
      ],
      "Enabled": true
    },
    {
        "ControlID": "ADO_Project_AuthZ_Revoke_Admin_Access_for_Guest_Users",
        "Description": "Remove guest users from administrative roles in your project.",
        "Id": "Project320",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckGuestUsersAccessInAdminRoles",
        "Rationale": "Guest user accounts are not carefully managed and governed. If these accounts have admin access then a compromised account can be easily leveraged to access arbitrary resources in the project.",
        "Recommendation": "1. Go to Project Settings --> 2. Permissions --> 3. Search for Collection group of the guest user --> 4. Go to members tab --> 5. Remove its access by clicking on three dots against its row.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "MSW",
          "AutomatedFix"
        ],
        "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Builds",
      "Description": "Do not allow build pipelines to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForBuild",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual build pipelines in the project. A malicious user can abuse these permissions to compromise the security of the pipeline.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Click on three dots at top right corner. --> 4. Manage security --> 5. Ensure 'Excessive' permissions of broader groups is not set to 'Allow'. Refer to detailed scan log (Project.LOG) for broader groups and excessive permissions list. --> 6. Repeat this for any other groups that should not have excessive permissions.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Releases",
      "Description": "Do not allow release pipelines to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project350",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForRelease",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual release pipelines in the project. A malicious user can abuse these permissions to compromise the security of the pipeline.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Releases. --> 4. Click on 'View all release pipelines' (Folder icon). --> 5. All pipelines. --> 6. Click on three dots. --> 7. Security --> 8. Ensure 'Excessive' permissions of broader groups is not set to 'Allow'. Refer to detailed scan log (Project.LOG) for broader groups and excessive permissions list. --> 9. Repeat this for any other groups that should not have excessive permissions.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SvcConn",
      "Description": "Do not allow service connections to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project360",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForSvcConn",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual service connections in the project. Then the confidentiality/integrity of a pipeline using such service connections can be compromised by a malicious user.",
      "Recommendation": "1. Go to Project Settings --> 2. Service connections --> 3. Click on three dots and select security. --> 4. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Agentpool",
      "Description": "Do not allow agent pools to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project370",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForAgentpool",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual agent pools in the project. Then integrity of such agent pools can be compromised by a malicious user",
      "Recommendation": "1. Go to Project Settings --> 2. Agent pools --> 3. select security. --> 4. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_VarGrp",
      "Description": "Do not allow variable groups to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project380",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForVarGrp",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual variable groups in the project. Then the integrity of variable groups can be compromised by a malicious user",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library. --> 4. Security. --> 5. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Revoke_Admin_Access_for_Inactive_Users",
      "Description": "Remove inactive users from administrative roles in your project.",
      "Id": "Project330",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInactiveUsersInAdminRoles",
      "Rationale": "Inactive users in administrative roles provide more opportunities for hackers to leverage credential harvesting attacks to gain admin access. It is best to restrict critical roles in the project to active members only.",
      "Recommendation": "1. Go to Project Settings --> 2. Permissions --> 3. Search for Collection group of the inactive user --> 4. Go to members tab --> 5. Remove its access by clicking on three dots against its row.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Env",
      "Description": "Do not allow environments to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project390",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForEnv",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual environments in the project. Then the integrity of environments can be compromised by a malicious user.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Security. --> 5. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Repo",
      "Description": "Do not allow repositories to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project400",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForRepo",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual repositories in the project. Then the integrity of repository can be compromised by a malicious user.",
      "Recommendation": "1. Go to Project Settings --> 2. Repos --> 3. Repositories. --> 4. Security. --> 5. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SecureFile",
      "Description": "Do not allow secure files to inherit excessive permissions for a broad group of users at project level.",
      "Id": "Project410",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupInheritanceSettingsForSecureFile",
      "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a project level, they are inherited by individual secure files in the project. Then the integrity of secure files can be compromised by a malicious user.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library. --> 4. Secure Files. --> 5. Security. --> 5. Ensure broader groups have read-only access. Refer to detailed scan log (Project.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    }
  ]
}