Framework/Configurations/SVT/ControlSettings.json
{
"BaselineControls": { "ResourceTypeControlIdMappingList": [ { "ResourceType": "Organization", "ControlIds": [ "ADO_Organization_AuthN_Use_AAD_Auth", "ADO_Organization_AuthN_Disable_Guest_Users", "ADO_Organization_AuthZ_Review_Guest_Members", "ADO_Organization_SI_Review_Installed_Extensions", "ADO_Organization_SI_Review_Shared_Extensions", "ADO_Organization_AuthZ_Review_Extension_Managers", "ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts", "ADO_Organization_SI_Review_Auto_Injected_Extensions", "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Scope", "ADO_Organization_AuthZ_Limit_Release_Pipeline_Scope", "ADO_Organization_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "ADO_Organization_DP_Dont_Allow_Public_Projects", "ADO_Organization_Enable_Audit_Stream", "ADO_Organization_BCDR_Min_Admin_Count", "ADO_Organization_AuthZ_Limit_Admin_Count", "ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin", "ADO_Organization_AuthZ_Disable_OAuth_App_Access", "ADO_Organization_AuthN_Disable_SSH_Access", "ADO_Organization_AuthZ_Revoke_Admin_Access_for_Inactive_Users", "ADO_Organization_AuthZ_Revoke_Admin_Access_for_Guest_Users", "ADO_Organization_AuthZ_Remove_Inactive_Guest_Users", "ADO_Organization_AuthZ_Remove_Disconnected_Accounts", "ADO_Organization_AuthZ_Restrict_Broader_Group_Access_on_Feed", "ADO_Organization_AuthZ_Restrict_Feed_Create_Permission", "ADO_Organization_SI_Protect_Private_Feeds_Impersonation" ] }, { "ResourceType": "Project", "ControlIds": [ "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise", "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Project_BCDR_Min_Admin_Count", "ADO_Project_AuthZ_Limit_Admin_Count", "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Scope", "ADO_Project_AuthZ_Limit_Release_Pipeline_Scope", "ADO_Project_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin", "ADO_Project_AuthZ_Revoke_Admin_Access_for_Inactive_Users", "ADO_Project_AuthZ_Revoke_Admin_Access_for_Guest_Users", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Builds", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Releases", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SvcConn", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Agentpool", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_VarGrp", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Repo", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SecureFile" ] }, { "ResourceType": "ServiceConnection", "ControlIds": [ "ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections", "ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups", "ADO_ServiceConnection_DP_Review_Inactive_Connection", "ADO_ServiceConnection_SI_Dont_Share_Across_Projects", "ADO_ServiceConnection_AuthZ_Use_Least_Privilege_Access", "ADO_ServiceConnection_AuthZ_Dont_Grant_BuildSvcAcct_Permission", "ADO_ServiceConnection_AuthZ_Restrict_Broader_Group_Access" ] }, { "ResourceType": "Build", "ControlIds": [ "ADO_Build_DP_No_PlainText_Secrets_In_Definition", "ADO_Build_SI_Review_URL_Variables_Settable_At_Queue_Time", "ADO_Build_SI_Dont_Use_Broadly_Editable_Task_Group", "ADO_Build_SI_Dont_Use_Broadly_Editable_Variable_Group", "ADO_Build_AuthZ_Limit_Pipeline_Access", "ADO_Build_AuthZ_Restrict_Broader_Group_Access", "ADO_Build_DP_Dont_Make_Secrets_Available_To_Forked_Builds", "ADO_Build_DP_Review_Inactive_Build" ] }, { "ResourceType": "Release", "ControlIds": [ "ADO_Release_DP_No_PlainText_Secrets_In_Definition", "ADO_Release_SI_Review_URL_Variables_Settable_At_Release_Time", "ADO_Release_SI_Dont_Use_Broadly_Editable_Task_Group", "ADO_Release_SI_Dont_Use_Broadly_Editable_Variable_Group", "ADO_Release_AuthZ_Restrict_Broader_Group_Access", "ADO_Release_DP_Review_Inactive_Release" ] }, { "ResourceType": "AgentPool", "ControlIds": [ "ADO_AgentPool_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning", "ADO_AgentPool_DP_Review_Inactive_Pool", "ADO_AgentPool_DP_Enable_Auto_Update", "ADO_AgentPool_DP_No_Secrets_In_Capabilities", "ADO_AgentPool_AuthZ_Restrict_Broader_Group_Access" ] }, { "ResourceType": "VariableGroup", "ControlIds": [ "ADO_VariableGroup_AuthZ_Dont_Grant_All_Pipelines_Access_On_VG_With_Secrets", "ADO_VariableGroup_DP_No_PlainText_Secrets_In_Variables", "ADO_VariableGroup_AuthZ_Restrict_Broader_Group_Access", "ADO_VariableGroup_AuthZ_Restrict_Broader_Group_Access_On_VG_With_Secrets" ] }, { "ResourceType": "Feed", "ControlIds": [ "ADO_Feed_AuthZ_Restrict_Broader_Group_Access", "ADO_Feed_AuthZ_Dont_Grant_BuildSvcAcct_Permission" ] }, { "ResourceType": "SecureFile", "ControlIds": [ "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access" ] }, { "ResourceType": "Environment", "ControlIds": [ "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_Environment_AuthZ_Restrict_Broader_Group_Access" ] }, { "ResourceType": "Repository", "ControlIds": [ "ADO_Repository_AuthZ_Dont_Grant_BuildSvcAcct_Permission", "ADO_Repository_AuthZ_Dont_Grant_BuildSvc_Permission_On_Branch" ] } ] }, "PreviewBaselineControls": { "ResourceTypeControlIdMappingList": [] }, "PartialScan": { "ResourceTrackerValidforDays": 3, "StoreResourceTrackerLocally": "True", "LocalScanUpdateFrequency": "100", "DurableScanUpdateFrequency": "200" }, "BatchScan":{ "BatchTrackerValidForDays":10, "BatchTrackerUpdateFrequency":5000 }, "IncrementalScan":{ "IncrementalScanValidForDays":7 }, "DockerImage":{ "ImageName" : "azskado/adosecurityscan" }, "ADOInfoAPI":{ "Enabled" : false, "Endpoint" : "", "Code" : "" }, "AllowAdminControlScanForGroups": [ { "ResourceType": "Organization", "GroupNames": [ "Project Collection Administrators" ] }, { "ResourceType": "Project", "GroupNames": [ "Project Administrators" ] } ], "AttestableResourceTypes": [ "Organization", "Project", "Build", "Release", "ServiceConnection", "AgentPool", "VariableGroup", "Repository", "Feed", "SecureFile", "Environment" ], "AttestationExpiryPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "ExtendedAttestationExpiryDuration": 180, "ExtendedAttestationExpiryResources": [ { "ResourceType": "", "ResourceIds": [] } ], "DefaultAttestationPeriodForExemptControl" : 180, "GroupsWithAttestPermission": [ { "ResourceType": "Organization", "GroupNames": [ "Project Collection Administrators" ] }, { "ResourceType": "Project", "GroupNames": [ "Project Collection Administrators", "Project Administrators" ] } ], "AttestationRepo": "", "AttestationBranch": "", "EnableMultiProjectAttestation": false, "ProjectToStoreAttestation": "", "EnforceApprovedException": false, "ApprovedExceptionSettings": { "ControlsList": [], "InvalidatePreviousAttestations": false, "ApprovedExceptionPromptMessage": "", "ByDesignExceptionPromptMessage": "", "DefaultPromptMessage": "Refer the docs https://github.com/azsk/ADOScanner-docs to fetch the exception id." }, "IsAllowLongRunningScan": true, "LongRunningScanCheckPoint": 1000, "DefaultValidAttestationStates": [ "NotAnIssue", "WillFixLater", "WillNotFix", "ApprovedException" ], "NewControlGracePeriodInDays": { "Default": 60, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "AttestationPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "ControlSeverity": { "Critical": "Critical", "High": "High", "Medium": "Medium", "Low": "Low" }, "GroupResolution": { "GroupResolutionLevel": -1, "UseSIPFeedForAADGroupExpansion": false }, "Build": { "BuildHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection Build Service (MicrosoftIT)" ] } ], "ExcludeFromSecretsCheck": [ "system.debug", "BuildConfiguration", "BuildPlatform", "InputFeeds", "Environment", "SolutionName" ], "RestrictedBroaderGroupsForBuild" : { "Contributors":[ "Administer build permissions", "Delete build pipeline", "Delete builds ", "Destroy builds", "Edit build pipeline" ], "Readers":[ "Administer build permissions", "Delete build pipeline", "Delete builds ", "Destroy builds", "Edit build pipeline" ], "Project Collection Valid Users":[ "Administer build permissions", "Delete build pipeline", "Delete builds ", "Destroy builds", "Edit build pipeline" ], "Project Valid Users":[ "Administer build permissions", "Delete build pipeline", "Delete builds ", "Destroy builds", "Edit build pipeline" ] }, "CheckForInheritedPermissions" : false, "RegexForOAuthTokenInYAMLScript" : "\\s*:\\s*\\$\\s*\\(\\s*System\\.AccessToken\\s*\\)", "BranchesToCheckForYAMLScript": ["master","main","develop"] }, "Release": { "ReleaseHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection Build Service (MicrosoftIT)" ] } ], "RequirePreDeployApprovals": [ "Production", "Pre-Production", "Prod", "Pre-Prod" ], "ExcludeFromSecretsCheck": [ "Domain", "UserName", "Build", "AgentPath", "BuildNumber", "MachineGroup", "Environment", "System.debug", "BuildConfiguration" ], "RestrictedBroaderGroupsForRelease" : { "Contributors":[ "Administer release permissions", "Delete release pipeline", "Delete releases", "Delete release stage", "Manage release approvers", "Manage releases" ], "Readers":[ "Administer release permissions", "Delete release pipeline", "Delete releases", "Edit release pipeline", "Delete release stage", "Edit release stage", "Manage release approvers", "Manage releases" ], "Project Collection Valid Users":[ "Administer release permissions", "Delete release pipeline", "Delete releases", "Edit release pipeline", "Delete release stage", "Edit release stage", "Manage release approvers", "Manage releases" ], "Project Valid Users":[ "Administer release permissions", "Delete release pipeline", "Delete releases", "Edit release pipeline", "Delete release stage", "Edit release stage", "Manage release approvers", "Manage releases" ] }, "CheckForInheritedPermissions": false }, "AgentPool": { "AgentPoolHistoryPeriodInDays": 180 , "RestrictedBroaderGroupsForAgentPool" : { "Contributors":[ "Administrator", "User" ], "Readers":[ "Administrator", "User" ], "Project Collection Valid Users":[ "Administrator", "User" ], "Project Valid Users":[ "Administrator", "User" ] }, "CheckForInheritedPermissions": false }, "VariableGroup": { "RestrictedBroaderGroupsForVariableGroup" : { "Contributors":[ "Administrator", "User" ], "Readers":[ "Administrator", "User" ], "Project Collection Valid Users":[ "Administrator", "User" ], "Project Valid Users":[ "Administrator", "User" ] }, "RestrictedRolesForBroaderGroupsInVariableGroupContainingSecrets": [ "Administrator", "User" ], "CheckForInheritedPermissions": false }, "WorkItems":{ "ThreshHoldDaysForWorkItemInactivity":180 }, "FeedsAndPackages":{ "ThreshHoldDaysForFeedsAndPackagesInactivity":180, "ThresholdPackagesPerFeed":5 }, "TestPlans":{ "ThreshHoldDaysForTestPlansInactivity":180 }, "Wikis":{ "ThreshHoldDaysForWikisInactivity":180 } , "BroaderGroupsToExpand":[ "Contributors" ], "VeryLargeGroups":[], "CheckForBroadGroupMemberCount": false, "AllowedMemberCountPerBroadGroup": { "Contributors": 50 }, "AlernateAccountRegularExpressionForOrg": "^sc-\\w+@(?:\\w+\\.)*microsoft\\.com$|^\\w+.*@gme\\.gbl$", "ALTControlEvaluationMethod": "GraphThenRegEx", "Organization": { "DisallowedEnvironments" : [], "InactiveUserActivityLogsPeriodInDays": 90, "GuestUserInactivePeriodInDays": 90, "TopInactiveUserCount": 100, "KnownExtensionPublishers": [ "Microsoft", "Microsoft DevLabs" ], "KnownExtensionPublisherIds":[""], "NonProductionExtensionIndicators":["DevTest", "Demo", "Preview", "Deprecated"], "ExtensionsLastUpdatedInYears": 2, "ExtensionCriticalScopes":["vso.agentpools_manage","vso.build_execute","vso.code_write","vso.code_manage","vso.code_full", "vso.code_status","vso.extension_manage", "vso.extension.data_write","vso.graph_manage","vso.identity_manage","vso.loadtest_write", "vso.machinegroup_manage","vso.memberentitlementmanagement_write","vso.gallery_manage","vso.notification_write","vso.notification_manage", "vso.packaging_write","vso.packaging_manage","vso.project_write","vso.project_manage","vso.release_execute", "vso.release_manage","vso.security_manage","vso.serviceendpoint_manage","vso.settings_write", "vso.symbols_write","vso.symbols_manage","vso.taskgroups_write","vso.taskgroups_manage", "vso.dashboards_manage","vso.test_write","vso.tokenadministration","vso.profile_write", "vso.variablegroups_write","vso.variablegroups_manage","vso.wiki_write","vso.work_write","vso.work_full"], "ExemptedExtensionNames":["Azure DevTest Labs Tasks"], "MaxPCAMembersPermissible": 6, "MinPCAMembersPermissible": 2, "GroupsToCheckForSCAltMembers": [ "Project Collection Administrators" ], "AdminGroupsToCheckForGuestUser":[ "Project Collection Administrators", "Project Collection Build Administrators", "Project Collection Service Accounts" ], "AdminGroupsToCheckForInactiveUser":[ "Project Collection Administrators", "Project Collection Build Administrators", "Project Collection Service Accounts" ], "AdminInactivityThresholdInDays": 90 }, "Project": { "MaxPAMembersPermissible": 6, "MinPAMembersPermissible": 2, "MaxBAMembersPermissible":100, "CheckExtendedGroupsForSCALTMembers":false, "ExtendedGroupsToCheckForSCALTMembers":[ "Endpoint Administrators", "Build Administrators", "Release Administrators" ], "GroupsToCheckForSCAltMembers": [ "Project Administrators" ], "AdminGroupsToCheckForGuestUser":[ "Endpoint Administrators", "Project Administrators" ], "AdminGroupsToCheckForInactiveUser":[ "Endpoint Administrators", "Project Administrators" ], "CheckExtendedGroupsForInactiveUser":false, "ExtendedGroupsToCheckForInactiveUser":[ "Build Administrators", "Release Administrators" ], "AdminInactivityThresholdInDays": 90 }, "Feed":{ "RestrictedBroaderGroupsForFeeds" : { "Contributors":[ "Administrator", "Contributor" ], "Readers":[ "Administrator", "Collaborator", "Contributor" ], "Project Collection Valid Users":[ "Administrator", "Contributor" ], "Project Valid Users":[ "Administrator", "Contributor" ] }, "RestrictedRolesForBuildSvcAccountsInFeed" : [ "Administrator", "Contributor" ], "CheckForInheritedPermissions": false, "RoleToChangeInFix":"Collaborator" }, "SecureFile":{ "RestrictedBroaderGroupsForSecureFile" : { "Contributors":[ "Administrator", "User" ], "Readers":[ "Administrator", "User" ], "Project Collection Valid Users":[ "Administrator", "User" ], "Project Valid Users":[ "Administrator", "User" ] }, "CheckForInheritedPermissions": false }, "Environment":{ "RestrictedBroaderGroupsForEnvironment" : { "Contributors":[ "Administrator", "User" ], "Readers":[ "Administrator", "User" ], "Project Collection Valid Users":[ "Administrator", "User" ], "Project Valid Users":[ "Administrator", "User" ] }, "CheckForInheritedPermissions": false }, "Repo": { "RepoHistoryPeriodInDays": 180, "AuthorEmailValidationPolicyID": "77ed4bd3-b063-4689-934a-175e4d0a78d7", "CredScanPolicyID": "e67ae10f-cf9a-40bc-8e66-6b3a8216956e", "CommitAuthorEmailPattern": [ "*@microsoft.com", "*@exchange.microsoft.com", "*@ntdev.microsoft.com", "*@microsoftfederal.com" ], "RestrictedBroaderGroupsForRepo" : { "Contributors":[ "Delete repository", "Manage permissions", "Bypass policies when completing pull requests", "Bypass policies when pushing", "Edit policies", "Force push (rewrite history, delete branches and tags)" ], "Readers":[ "Contribute", "Delete repository", "Manage permissions", "Bypass policies when completing pull requests", "Bypass policies when pushing", "Edit policies", "Force push (rewrite history, delete branches and tags)", "Rename repository" ], "Project Collection Valid Users":[ "Contribute", "Delete repository", "Manage permissions", "Bypass policies when completing pull requests", "Bypass policies when pushing", "Edit policies", "Force push (rewrite history, delete branches and tags)", "Rename repository" ], "Project Valid Users":[ "Contribute", "Delete repository", "Manage permissions", "Bypass policies when completing pull requests", "Bypass policies when pushing", "Edit policies", "Force push (rewrite history, delete branches and tags)", "Rename repository" ] }, "BranchesToCheckForExcessivePermissions":[ "main", "master", "develop" ], "ExcessivePermissionsForBranch":[ "Contribute", "Bypass policies when pushing", "Force push (rewrite history, delete branches and tags)", "Bypass policies when completing pull requests", "Create branch", "Edit policies", "Manage permissions", "Remove others' locks" ], "RestrictedRolesForBuildSvcAccountsInRepo": [ "Bypass policies when completing pull requests", "Bypass policies when pushing", "Contribute", "Contribute to pull requests", "Create branch", "Delete repository", "Edit policies", "Force push (rewrite history, delete branches and tags)", "Manage permissions", "Remove others' locks", "Rename repository" ], "CheckForInheritedPermissions": false }, "ServiceConnection": { "ServiceConnectionHistoryPeriodInDays": 180, "ExemptedGroupIdentities": [ "Endpoint Administrators" ], "RestrictedGlobalGroupsForSerConn": [ "Microsoft IT Build Admins (msitbuildadm@microsoft.com)", "Everyone Microsoft FTE", "Project Collection Administrators", "Project Collection Build Administrators", "Project Collection Proxy Service Accounts", "Project Collection Service Accounts", "Project Collection Valid Users", "Security Service Group", "Project Administrators", "Build Administrators", "Release Administrators", "CSEOPipelineContributors", "Endpoint Creators", "Contributors", "Readers" ], "RestrictedBroaderGroupsForSvcConn" : { "Contributors":[ "Administrator", "User" ], "Readers":[ "Administrator", "User" ], "Project Collection Valid Users":[ "Administrator", "User" ], "Project Valid Users":[ "Administrator", "User" ] }, "CheckForInheritedPermissions": false }, "Patterns": [ { "RegexCode": "SecretsInBuild", "RegexList": [ "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$", "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?", "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$", "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}", "(?# To match ADO PATs.)^[a-z2-7]{52}$" ] }, { "RegexCode": "SecretsInRelease", "RegexList": [ "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$", "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?", "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$", "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}", "(?# To match ADO PATs.)^[a-z2-7]{52}$" ] }, { "RegexCode": "SecretsInVariables", "RegexList": [ "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$", "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?", "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$", "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}", "(?# To match ADO PATs.)^[a-z2-7]{52}$" ] }, { "RegexCode": "URLs", "RegexList": [ "(?# To match regular URL.)(www.|http:|https:)+[^\\s]+[\\w]", "(?# To match ftp URL.)(ftp:)+[^\\s]+[\\w]" ] }, { "RegexCode": "Email", "RegexList": ["[a-z0-9!#\\$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#\\$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"] } ], "BugLogging": { "BugLogAreaPath": "RootDefaultProject", "BugLogIterationPath": "RootDefaultProject", "ResolvedBugLogBehaviour": "ReactiveOldBug", "MaxKeyWordsToQueryForBugClose": 30, "AutoCloseProjectBug": true, "AutoCloseOrgBug": true, "BugAssigneeAndPathCustomFlow": false, "BuildSTData": "BuildSTData.json", "ReleaseSTData": "ReleaseSTData.json", "ServiceTreeData": "ServiceTreeData.json", "DomainName": "microsoft.com", "BugDescriptionField" : "", "ShowBugsInS360" : false, "HowFound": "ADO Scanner", "ComplianceArea": "Security", "ServiceTreeIdType": "Service", "UseAzureStorageAccount": false, "LogBugsForInactiveResources": true, "CustomControlList": [], "LogBugsForUnmappedResource": true, "Description":"Control failure - {0} for resource {1} {2} </br></br> <b>Control Description: </b> {3} </br></br> <b> Control Result: </b> {4} </br> </br> <b> Rationale:</b> {5} </br></br> <b> Recommendation:</b> {6} </br></br> <b> Resource Link: </b> <a href='{7}' target='_blank'>{8}</a> </br></br> <b> Resource Owner/Last Modified By: </b> {10} {11} </br></br> <b>Scan command (you can use to verify fix):</b></br>{9} </br></br><b>Note: </b> In case the resource has been deleted or you decide to delete it as a bug fix, ADO scanner does not close bugs for deleted resources. You need to close the bug manually. </br> </br> <b>Reference: </b> <a href='https://github.com/azsk/ADOScanner-docs' target='_blank'>ADO Scanner Documentation</a> </br>", "UpdateBug": [] }, "GenerateSecurityEvaluationJsonFile" : false, "ResourceProviders": [ "Microsoft.Storage", "Microsoft.Keyvault", "Microsoft.Resources", "Microsoft.OperationalInsights" ], "CriticalPATPermissions": [ "vso.build_execute", "vso.release_execute", "vso.release_manage" ], "DisableWarningMessage" : false, "ResourceTypesForCommonSVT": [ "Repository", "SecureFile", "Feed", "Environment" ], "DisableInheritedPermControls" : true, "AutomatedFix" : { "RevertDeletedResourcesControlList" : [ "ADO_Build_DP_Review_Inactive_Build", "ADO_Release_DP_Review_Inactive_Release", "ADO_Feed_SI_Review_Inactive_Feeds" ], "BackupLimitInDays" : 7 }, "CleanProcessedResources" : false, "BaselineConfigurationsControls":{ "ResourceTypeControlIdMappingList":[ { "ResourceType":"Organization", "ControlIds":[ "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Scope", "ADO_Organization_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "ADO_Organization_AuthZ_Limit_Release_Pipeline_Scope", "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Organization_DP_Dont_Allow_Public_Projects", "ADO_Organization_AuthN_Disable_Guest_Users", "ADO_Organization_AuthZ_Restrict_Broader_Group_Access_on_Feed", "ADO_Organization_Enable_Audit_Stream" ] }, { "ResourceType":"Project", "ControlIds":[ "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Scope", "ADO_Project_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "ADO_Project_AuthZ_Limit_Release_Pipeline_Scope", "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Builds", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Releases", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SvcConn", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_AgentPool", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_VarGrp", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_Repo", "ADO_Project_AuthZ_Restrict_Broader_Group_Access_on_SecureFile" ] } ] }, "RateLimiter":{ "MaxAllowedDelay":300, "MaxAPIThrottledBeforeSleep":10 } } |