Framework/Configurations/SVT/ADO/ADO.CommonSVTControls.json

{
  "FeatureName": "CommonSVTControls",
  "Reference": "aka.ms/azsktcp/commonsvtcontrols",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_Repository_DP_Inactive_Repos",
      "Description": "Inactive repositories must be removed if no more required.",
      "Id": "Repository100",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckInactiveRepo",
      "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk ensure that only active and legitimate repositories are present in project.",
      "Recommendation": "To remove inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Repository"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make repository accessible to all (YAML) pipelines.",
      "Id": "Repository110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRepositoryPipelinePermission",
      "Rationale": "If a repository is granted access to all YAML pipelines, an unauthorized user can steal information from the repository by building a pipeline and accessing the repository. Note that this does not prevent classic pipelines from accessing the repository as it depends on the permissions granted to pipeline user.",
      "Recommendation": "1. Go to Project --> 2. Repositories --> 3. Select the repository --> 4. Security --> 5. Under 'Pipeline Permissions', remove YAML pipelines that repository no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvc_Permission_On_Branch",
      "Description": "Do not grant build service groups excessive permissions on repository branches.",
      "Id": "Repository120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckBuildServiceAccessOnBranch",
      "Rationale": "If 'Project Collection Build Service' or 'Project Build Service' groups have excessive permissions on important branches of a repository, then a malicious user can access the repository and tamper its contents by bypassing any defined policies.",
      "Recommendation": "1. Navigate to Project Settings. --> 2. Click on Repository under Repos. --> 3. Select your repository. --> 4. Click on 'Security'. --> 5. Click on 'All Branches' under 'Git refs permissions'. --> 6. Ensure 'Excessive' permissions of broader groups is not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for broader groups and excessive permissions list. --> 5. Repeat this for any other groups for other individual branches that should not have excessive permissions.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Feed_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow a broad group of users to upload packages to feed.",
      "Id": "Feed100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnFeeds",
      "Rationale": "If a broad group of users (e.g., Contributors) have permissions to upload package to feed, then integrity of your pipeline can be compromised by a malicious user who uploads a package.",
      "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review users/groups which have administrator and contributor roles. Ensure broader groups have read-only access. Refer to detailed scan log (Feed.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
        "ControlID": "ADO_Feed_AuthZ_Dont_Grant_BuildSvcAcct_Permission",
        "Description": "Do not grant Build Service Account direct access to feed.",
        "Id": "Feed110",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckBuildSvcAccAccessOnFeeds",
        "Rationale": "Build service account is default identity used as part every build in project. Providing direct access to this common service account will expose feeds to all build definitions in the project.",
        "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review Build service accounts should not have administrator/contributor/collaborator roles.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "MSW",
          "AutomatedFix"
        ],
        "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make secure files accessible to all (YAML) pipelines.",
      "Id": "SecureFile100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecureFilesPermission",
      "Rationale": "If a secure file is granted access to all YAML pipelines, an unauthorized user can steal information from the secure files by building a YAML pipeline and accessing the secure file. Note that this does not prevent classic pipelines from accessing the secure file as it depends on the permissions granted to pipeline user.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Pipeline Permissions', remove YAML pipelines that secure file no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. For classic pipeline review user permissions carefully.",
      "Tags": [
        "SDL",
        "AuthZ",
        "Automated",
        "Best Practice",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow secure file to have excessive permissions for a broad group of users.",
      "Id": "SecureFile110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnSecureFile",
      "Rationale": "If a broad group of users (e.g. Contributors) have excessive permissions on a secure file, A malicious user may gain access of stored secret/certificate which may open the door to malicious attack (e.g. SSH for accessing machine/server using these secret/certifcate).",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Security' --> 7. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (SecureFile.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make environment accessible to all (YAML) pipelines.",
      "Id": "Environment100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEnviornmentAccess",
      "Rationale": "To support security of the pipeline operations, environments must not be granted access to all YAML pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources. Note that this does not prevent classic pipelines from accessing the environment as it depends on the permissions granted to pipeline user.",
      "Recommendation": "1. Go to Pipelines --> 2. Environments --> 3. Select your environment from the list --> 4. Click Security --> 5. Under 'Pipeline Permissions', remove YAML pipelines that environment no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. For classic pipeline review user permissions carefully.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow environment to have excessive permissions for a broad group of users.",
      "Id": "Environment110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnEnvironment",
      "Rationale": "If a broad group of users (e.g., Contributors) have excessive permissions on an environment, a malicious user can abuse these permissions to compromise integrity of the environment.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click 'Security' --> 6. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (Environment.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Enable_PreDeployment_Approval",
      "Description": "Environments for production deployments must have approvals enabled.",
      "Id": "Environment120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPreDeploymentApprovalOnEnv",
      "Rationale": "Approvals on an environment ensure that deployment from a YAML pipeline happens only after designated users have reviewed the changes being deployed. This provides an additional layer of defense against inadvertent (or possibly malicious) changes to your production environment.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Approvals and Checks' --> 7. Add an approval check on environment --> 8. Add the appropriate users and groups in list of approvers.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Review_PreDeployment_Approvers",
      "Description": "Approvers on environment must be periodically reviewed.",
      "Id": "Environment130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPreDeploymentApproversOnEnv",
      "Rationale": "Periodic review of approvers list for production deployments ensures that only appropriate people are members of such a critical role. As team composition/membership changes, this privilege may need to be revoked from members who are no more in the team.",
      "Recommendation": "To remove any user/group from the approvers list: 1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Approvals and Checks' --> 7. Select 'Approvals' --> 8. Review users/groups as needed from approvers list. Refer detailed log file to review the list of approvers. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_SI_Use_Good_Branch_Hygiene",
      "Description": "All deployments to production environments must be done from standard branches.",
      "Id": "Environment140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckBranchHygieneOnEnv",
      "Rationale": "You should ensure that deployments to environments are always done from standard branches (like main, master and develop). These branches should have the tightest access controls and approval standards. Any changes in the source code should be tested first on a development branch before merging in the standard branches. The source code in these branches should correspond to production bits at all times. This helps in maintaining stable source code and helps prevent deployment of breaking changes (and potential security bugs) into the production environment.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Branch Control' --> 7. Review all the branches that have been added in the list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Disable_Inherited_Permissions",
      "Description": "Do not allow inherited permission on repository.",
      "Id": "Repository130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInheritedPermissionsOnRepository",
      "Rationale": "Disabling inherited permissions lets you finely control access to various operations at the repository level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.",
      "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select a Repository --> 4. Permissions --> 5. Disable 'Inheritance'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvcAcct_Permission",
      "Description": "Do not grant Build Service Account direct access to repositories.",
      "Id": "Repository140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBuildSvcAcctAccessOnRepository",
      "Rationale": "Build service account is default identity used as part every build in project. Configuring these identities with excessive permissions will expose repository details to all build definitions in the project.",
      "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select your repository from the list --> 4. Select security --> 5. 4. Ensure 'Excessive' permissions of 'Project Collection Build Service(organization)/[Project] Build Service' groups is not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for excessive permissions list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_DP_Enable_Credentials_And_Secrets_Policy",
      "Description": "Enable policy to block pushes that contain credentials and other secrets.",
      "Id": "Repository150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCredentialsAndSecretsPolicyOnRepository",
      "Rationale": "Exposed credentials in engineering systems continue to provide easily exploitable opportunities for attackers. To defend against this threat, Microsoft security experts developed the CredScan tool to automatically find exposed secrets. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources. CredScan should be enabled at each repo level to avoid commiting credentials or secrets.",
      "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select a repository --> 4. Policies --> 5. Enable 'Check for credentials and other secrets' --> 6. Incase you are not able to locate this check, it means that CredScan has not been integrated for the ADO repositories. Make sure it has been integrated in your organization. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Best Practice"
      ],
      "Enabled": true
    }
  ]
}