Framework/Configurations/SVT/ControlSettings.json
{
"BaselineControls": { "ResourceTypeControlIdMappingList": [ { "ResourceType": "Organization", "ControlIds": [ "ADO_Organization_AuthN_Use_AAD_Auth", "ADO_Organization_AuthN_Disable_External_Guest_Users", "ADO_Organization_AuthZ_Justify_Guest_Identities", "ADO_Organization_SI_Review_Installed_Extensions", "ADO_Organization_SI_Review_Shared_Extensions", "ADO_Organization_AuthZ_Review_Extension_Managers", "ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts", "ADO_Organization_SI_Review_Auto_Injected_Extensions", "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Access", "ADO_Organization_AuthZ_Limit_Release_Pipeline_Access", "ADO_Organization_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos", "ADO_Organization_DP_Dont_Allow_Public_Projects", "ADO_Organization_Enable_Audit_Stream", "ADO_Organization_BCDR_Min_Admin_Count", "ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin", "ADO_Organization_AuthZ_Disable_OAuth_App_Access", "ADO_Organization_AuthN_Disable_SSH_Access" ] }, { "ResourceType": "Project", "ControlIds": [ "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise", "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time", "ADO_Project_BCDR_Min_Admin_Count", "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Access", "ADO_Project_AuthZ_Limit_Release_Pipeline_Access", "ADO_Project_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos", "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin", "ADO_Project_AuthZ_Dont_Grant_All_Pipelines_Access_To_Secure_Files", "ADO_Project_AuthZ_Restrict_Feed_Permissions", "ADO_Project_AuthZ_Disable_Inherited_Permissions" ] }, { "ResourceType": "ServiceConnection", "ControlIds": [ "ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections", "ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions", "ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups", "ADO_ServiceConnection_DP_Review_Inactive_Connection", 
"ADO_ServiceConnection_SI_Dont_Share_Across_Projects", "ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access", "ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission" ] }, { "ResourceType": "Build", "ControlIds": [ "ADO_Build_AuthZ_Disable_Inherited_Permissions", "ADO_Build_DP_No_PlainText_Secrets_In_Definition", "ADO_Build_SI_Review_URL_Variables_Settable_At_Queue_Time", "ADO_Build_SI_Limit_Task_Group_Edit_Permission", "ADO_Build_SI_Limit_Variable_Group_Edit_Permission", "ADO_Build_AuthZ_Limit_Pipeline_Access", "ADO_Build_SI_Limit_Pipeline_Edit_Permission", "ADO_Build_SI_Review_External_Sources", "ADO_Build_DP_Dont_Make_Secrets_Available_To_Forked_Builds", "ADO_Build_DP_Review_Inactive_Build" ] }, { "ResourceType": "Release", "ControlIds": [ "ADO_Release_AuthZ_Disable_Inherited_Permissions", "ADO_Release_SI_Review_External_Sources", "ADO_Release_DP_No_PlainText_Secrets_In_Definition", "ADO_Release_SI_Review_URL_Variables_Settable_At_Release_Time", "ADO_Release_SI_Limit_Task_Group_Edit_Permission", "ADO_Release_SI_Limit_Variable_Group_Edit_Permission", "ADO_Release_SI_Limit_Pipeline_Edit_Permission", "ADO_Release_DP_Review_Inactive_Release" ] }, { "ResourceType": "AgentPool", "ControlIds": [ "ADO_AgentPool_AuthZ_Disable_Inherited_Permissions", "ADO_AgentPool_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning", "ADO_AgentPool_DP_Review_Inactive_Pool", "ADO_AgentPool_DP_Enable_Auto_Update", "ADO_AgentPool_DP_No_Secrets_In_Capabilities" ] }, { "ResourceType": "VariableGroup", "ControlIds": [ "ADO_VariableGroup_AuthZ_Dont_Grant_All_Pipelines_Access", "ADO_VariableGroup_AuthZ_Disable_Inherited_Permissions", "ADO_VariableGroup_DP_No_PlainText_Secrets_In_Variables" ] } ] }, "PreviewBaselineControls": { "ResourceTypeControlIdMappingList": [] }, "PartialScan": { "ResourceTrackerValidforDays": 3, "StoreResourceTrackerLocally": "True", "LocalScanUpdateFrequency": "100", "DurableScanUpdateFrequency": "200" }, 
"DockerImage":{ "ImageName" : "azskado/adosecurityscan" }, "ADOInfoAPI":{ "Enabled" : false, "Endpoint" : "", "Code" : "" }, "AllowAdminControlScanForGroups": [ { "ResourceType": "Organization", "GroupNames": [ "Project Collection Administrators" ] }, { "ResourceType": "Project", "GroupNames": [ "Project Administrators" ] } ], "AttestableResourceTypes": [ "Organization", "Project", "Build", "Release", "ServiceConnection", "AgentPool", "VariableGroup" ], "AttestationExpiryPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "DefaultAttestationPeriodForExemptControl" : 180, "GroupsWithAttestPermission": [ { "ResourceType": "Organization", "GroupNames": [ "Project Collection Administrators" ] }, { "ResourceType": "Project", "GroupNames": [ "Project Collection Administrators", "Project Administrators" ] } ], "AttestationRepo": "", "AttestationBranch": "", "EnableMultiProjectAttestation": false, "ProjectToStoreAttestation": "", "IsAllowLongRunningScan": true, "LongRunningScanCheckPoint": 1000, "DefaultValidAttestationStates": [ "NotAnIssue", "WillFixLater", "WillNotFix" ], "NewControlGracePeriodInDays": { "Default": 60, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "AttestationPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "ControlSeverity": { "Critical": "Critical", "High": "High", "Medium": "Medium", "Low": "Low" }, "Build": { "BuildHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection Build Service (MicrosoftIT)" ] } ], "ExcludeFromSecretsCheck": [ "system.debug", "BuildConfiguration", "BuildPlatform", "InputFeeds", "Environment", "SolutionName" ] }, "Release": { "ReleaseHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection 
Build Service (MicrosoftIT)" ] } ], "RequirePreDeployApprovals": [ "Production", "Pre-Production", "Prod", "Pre-Prod" ], "ExcludeFromSecretsCheck": [ "Domain", "UserName", "Build", "AgentPath", "BuildNumber", "MachineGroup", "Environment", "System.debug", "BuildConfiguration" ] }, "AgentPool": { "AgentPoolHistoryPeriodInDays": 180 }, "AlernateAccountRegularExpressionForOrg": "^SC-.*@.*microsoft.com$", "Organization": { "InactiveUserActivityLogsPeriodInDays": 90, "TopInactiveUserCount": 100, "KnownExtensionPublishers": [ "Microsoft", "Microsoft DevLabs" ], "KnownExtensionPublisherIds":[""], "NonProductionExtensionIndicators":["DevTest", "Demo", "Preview", "Deprecated"], "ExtensionsLastUpdatedInYears": 2, "ExtensionCriticalScopes":["vso.agentpools_manage","vso.build_execute","vso.code_write","vso.code_manage","vso.code_full", "vso.code_status","vso.extension_manage", "vso.extension.data_write","vso.graph_manage","vso.identity_manage","vso.loadtest_write", "vso.machinegroup_manage","vso.memberentitlementmanagement_write","vso.gallery_manage","vso.notification_write","vso.notification_manage", "vso.packaging_write","vso.packaging_manage","vso.project_write","vso.project_manage","vso.release_execute", "vso.release_manage","vso.security_manage","vso.serviceendpoint_manage","vso.settings_write", "vso.symbols_write","vso.symbols_manage","vso.taskgroups_write","vso.taskgroups_manage", "vso.dashboards_manage","vso.test_write","vso.tokenadministration","vso.profile_write", "vso.variablegroups_write","vso.variablegroups_manage","vso.wiki_write","vso.work_write","vso.work_full"], "ExemptedExtensionNames":["Azure DevTest Labs Tasks"], "MaxPCAMembersPermissible": 5, "MinPCAMembersPermissible": 2, "GroupsToCheckForSCAltMembers": [ "Project Collection Administrators" ] }, "Project": { "MaxPAMembersPermissible": 5, "MinPAMembersPermissible": 2, "GroupsToCheckForSCAltMembers": [ "Project Administrators" ], "GroupsToCheckForFeedPermission": [ "Contributors" ] }, "Repo": { 
"RepoHistoryPeriodInDays": 180, "AuthorEmailValidationPolicyID": "77ed4bd3-b063-4689-934a-175e4d0a78d7", "CredScanPolicyID": "e67ae10f-cf9a-40bc-8e66-6b3a8216956e", "CommitAuthorEmailPattern": [ "*@microsoft.com", "*@exchange.microsoft.com", "*@ntdev.microsoft.com", "*@microsoftfederal.com" ] }, "ServiceConnection": { "ServiceConnectionHistoryPeriodInDays": 180, "ExemptedGroupIdentities": [ "Endpoint Administrators" ], "RestrictedGlobalGroupsForSerConn": [ "Microsoft IT Build Admins (msitbuildadm@microsoft.com)", "Everyone Microsoft FTE", "Project Collection Administrators", "Project Collection Build Administrators", "Project Collection Proxy Service Accounts", "Project Collection Service Accounts", "Project Collection Valid Users", "Security Service Group", "Project Administrators", "Build Administrators", "Release Administrators", "CSEOPipelineContributors", "Endpoint Creators", "Contributors", "Readers" ] }, "Patterns": [ { "RegexCode": "SecretsInBuild", "RegexList": [ "(?# Heuristic for general passwords: 7-20 chars with at least one digit, one lowercase and one uppercase letter; prone to false positives on ordinary mixed-case tokens.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$", "(?# Password= or pwd= assignments in SQL/MySQL connection strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?", "(?# Azure storage account keys: 86 base64 chars followed by == padding.)^[A-Za-z0-9/+]{86}==$", "(?# Storage SAS tokens: sv= followed by four further s-prefixed query parameters.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}", "(?# ADO PATs in the 52-char lowercase base32 form only; other token formats are not covered.)^[a-z2-7]{52}$" ] }, { "RegexCode": "SecretsInRelease", "RegexList": [ "(?# Heuristic for general passwords: 7-20 chars with at least one digit, one lowercase and one uppercase letter; prone to false positives on ordinary mixed-case tokens.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$", "(?# Password= or pwd= assignments in SQL/MySQL connection strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?", "(?# Azure storage account keys: 86 base64 chars followed by == padding.)^[A-Za-z0-9/+]{86}==$", "(?# Storage SAS tokens: sv= followed by four further s-prefixed query parameters.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}", "(?# ADO PATs in the 52-char lowercase base32 form only; other token formats are not covered.)^[a-z2-7]{52}$" ] }, { "RegexCode": "URLs", "RegexList": [ "(?# Any http, https or www. URL; note the dot in www. is unescaped and matches any character.)(www.|http:|https:)+[^\\s]+[\\w]" ] } ], "BugLogging": { "BugLogAreaPath": "RootDefaultProject", "BugLogIterationPath": "RootDefaultProject", "ResolvedBugLogBehaviour": 
"ReactiveOldBug", "MaxKeyWordsToQueryForBugClose": 30, "AutoCloseProjectBug": true, "AutoCloseOrgBug": true, "BugAssigneeAndPathCustomFlow": false, "BuildSTData": "BuildSTData.json", "ReleaseSTData": "ReleaseSTData.json", "ServiceTreeData": "ServiceTreeData.json", "DomainName": "microsoft.com", "BugDescriptionField" : "", "ShowBugsInS360" : false, "HowFound": "ADO Scanner", "ComplianceArea": "Security", "ServiceTreeIdType": "Service", "UseAzureStorageAccount": false, "LogBugsForInactiveResources": true, "CustomControlList": [], "LogBugsForUnmappedResource": true, "Description":"Control failure - {0} for resource {1} {2} <br/><br/> <b>Control Description: </b> {3} <br/><br/> <b> Control Result: </b> {4} <br/> <br/> <b> Rationale:</b> {5} <br/><br/> <b> Recommendation:</b> {6} <br/><br/> <b> Resource Link: </b> <a href='{7}' target='_blank'>{8}</a> <br/><br/> <b>Scan command (you can use to verify the fix):</b><br/>{9} <br/><br/><b>Reference: </b> <a href='https://github.com/azsk/ADOScanner-docs' target='_blank'>ADO Scanner Documentation</a> <br/>" }, "GenerateSecurityEvaluationJsonFile" : false, "ResourceProviders": [ "Microsoft.Storage", "Microsoft.Keyvault", "Microsoft.Resources", "Microsoft.OperationalInsights" ], "CriticalPATPermissions": [ "vso.build_execute", "vso.release_execute", "vso.release_manage" ] }