Framework/Configurations/SVT/ADO/ADO.Project.json
{
"FeatureName": "Project", "Reference": "aka.ms/azsktcp/project", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise", "Description": "Ensure that project visibility is set to either private or enterprise.", "Id": "Project110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicProjects", "Rationale": "Data/content in projects that have public visibility can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/public/make-project-public?view=vsts&tabs=new-nav", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Min_RBAC_Access", "Description": "All teams/groups must be granted minimum required permissions on the project.", "Id": "Project120", "ControlSeverity": "High", "Automated": "No", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/security/set-project-collection-level-permissions?view=vsts&tabs=new-nav", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Review_Group_Members", "Description": "Review membership of all project level privileged groups and teams.", "Id": "Project130", "ControlSeverity": "High", "Automated": "No", "MethodName": "JustifyGroupMember", "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.", "Recommendation": "Go to Project Settings --> Security --> Select Teams/Group --> Verify Members", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "ADO_Project_DP_Disable_Anonymous_Access_To_Badges", "Description": "Disable anonymous access to status badge API for parallel pipelines.", "Id": "Project140", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckBadgeAnonAccess", "Rationale": "Information that appears in the status badge API response should be hidden from external users.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Turn on 'Disable anonymous access to badges'.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time", "Description": "Limit pipeline variables marked settable at queue time.", "Id": "Project150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSettableQueueTime", "Rationale": "Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions. These variables (reasonably) can be used in ways that make code injection possible.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit variables that can be set at queue time'.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Access", "Description": "Limit scope of access for non-release pipelines to the current project.", "Id": "Project160", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckJobAuthZScope", "Rationale": "If pipelines use project collection level tokens, a vulnerability in components used by one project can be leveraged by an attacker to attack all other projects. This is also in keeping with the principle of least privilege.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for non-release pipelines.'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Limit_Release_Pipeline_Access", "Description": "Limit scope of access for release pipelines to the current project.", "Id": "Project170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckJobAuthZReleaseScope", "Rationale": "If pipelines use project collection level tokens, a vulnerability in components used by one project can be leveraged by an attacker to attack all other projects. This is also in keeping with the principle of least privilege.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for release pipelines.'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos", "Description": "Limit scope of access for pipelines to explicitly referenced Azure DevOps repositories.", "Id": "Project180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAuthZRepoScope", "Rationale": "If pipelines use tokens having access to all Azure DevOps repositories in authorized projects, a vulnerability in components linked to one repo can be leveraged by an attacker to attack all other repos. This is also in keeping with the principle of least privilege.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to referenced Azure DevOps repositories'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Project_DP_Publish_Metadata_From_Pipeline", "Description": "Consider using artifact evaluation for fine-grained control over pipeline stages.", "Id": "Project190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPublishMetadata", "Rationale": "Allow pipelines to record metadata. Evaluate artifact check can be configured to define policies using the metadata recorded.", "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Publish metadata from pipelines'.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Limit_Admin_Count", "Description": "Ensure that there are at most $($this.ControlSettings.Project.MaxPAMembersPermissible) project administrators in your project.", "Id": "Project200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMaxPACount", "Rationale": "Each additional person in the administrator role increases the attack surface for the entire project. The number of members in these roles should be kept to as low as possible.", "Recommendation": "Go to Project settings --> General --> Permissions --> Groups --> Select the group : Project Administrators --> Review the members of this group", "Tags": [ "SDL", "AuthZ", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Project_BCDR_Min_Admin_Count", "Description": "Ensure that there are at least $($this.ControlSettings.Project.MinPAMembersPermissible) project administrators in your project.", "Id": "Project210", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMinPACount", "Rationale": "Having the minimum required number of administrators reduces the risk of losing admin access. This is useful in case of breakglass account scenarios.", "Recommendation": "Go to Project settings --> General --> Permissions --> Groups --> Select the group : Project Administrators --> Review the members of this group", "Tags": [ "SDL", "BCDR", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin", "Description": "Alternate (ALT) accounts must be used for administrative activity at project scope.", "Id": "Project220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSCALTForAdminMembers", "Rationale": "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire Azure DevOps organization to risk if it is privileged with critical roles in the organization. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the organization from this risk.", "Recommendation": "Go to Project settings --> General --> Permissions --> Groups --> Review whether each user in administrator groups is added via SC-ALT account.", "Tags": [ "SDL", "AuthN", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Restrict_Feed_Permissions", "Description": "Do not allow a broad pool of users to upload packages to feed.", "Id": "Project230", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckFeedAccess", "Rationale": "If a broad pool of users (e.g., Contributors) have permissions to upload package to feed, then integrity of your pipeline can be compromised by a malicious user who uploads a package.", "Recommendation": "Go to Project --> Artifacts --> Select Feed --> Feed Settings --> Permissions --> Groups --> Review users/groups which have administrator and contributor roles.", "Tags": [ "SDL", "TCP", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Dont_Grant_All_Pipelines_Access_To_Environment", "Description": "Do not make environment accessible to all pipelines.", "Id": "Project240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnviornmentAccess", "Rationale": "To support security of the pipeline operations, environments must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.", "Recommendation": "To remediate this, go to Project -> Pipelines -> Environments -> select your environment from the list -> click Security -> Under 'Pipeline Permissions', remove pipelines that environment no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Dont_Grant_All_Pipelines_Access_To_Secure_Files", "Description": "Do not make secure files accessible to all pipelines.", "Id": "Project250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecureFilesPermission", "Rationale": "To support security of the pipeline operations, secure files must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.", "Recommendation": "To remediate this, go to Project -> Pipelines -> Library -> Secure Files -> select your secure file from the list -> click Security -> Under 'Pipeline Permissions', remove pipelines that secure file no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.", "Tags": [ "SDL", "AuthZ", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Project_SI_Review_Author_Email_Validation_Policy", "Description": "Enable commit author email validation to restrict commits to repositories from untrusted users.", "Id": "Project260", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAuthorEmailValidationPolicy", "Rationale": "Allowing commits from untrusted users can be dangerous as any malicious actor can push changes that can expose secrets/vulnerabilities outside the organization.", "Recommendation": "Go to Project Settings --> Repositories --> Policies --> Enable 'Commit author email validation' and specify exact emails or wildcards for identities who can commit code.", "Tags": [ "SDL", "SI", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Project_DP_Enable_Credentials_And_Secrets_Policy", "Description": "Enable credential scanner to block pushes that contain credentials and other secrets.", "Id": "Project270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCredentialsAndSecretsPolicy", "Rationale": "Exposed credentials in engineering systems continue to provide easily exploitable opportunities for attackers. To defend against this threat, Microsoft security experts developed the CredScan tool to automatically find exposed secrets. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources.", "Recommendation": "Go to Project Settings --> Repositories --> Policies --> Enable 'Check for credentials and other secrets'.", "Tags": [ "SDL", "DP", "Automated", "Best Practice" ], "Enabled": false }, { "ControlID": "ADO_Project_DP_Inactive_Repos", "Description": "Inactive repositories must be removed if no more required.", "Id": "Project280", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInactiveRepo", "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk ensure that only active and legitimate repositories are present in project.", "Recommendation": "To remove inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Repo_Grant_Min_RBAC_Access", "Description": "All teams/groups must be granted minimum required permissions on repositories.", "Id": "Project290", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRepoRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Go to Project Settings --> Repositories --> Permissions --> Validate whether each user/group is granted minimum required access to repositories.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "ADO_Project_AuthZ_Disable_Repo_Inherited_Permissions", "Description": "Do not allow inherited permission on repositories.", "Id": "Project300", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInheritedPermissions", "Rationale": "Disabling inherited permissions lets you finely control access to various operations at the repository level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.", "Recommendation": "Go to Project Settings --> Repositories --> Select a repository --> Permissions --> Disable 'Inheritance'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true } ] } |