Framework/Configurations/SVT/ADO/ADO.CommonSVTControls.json

{
  "FeatureName": "CommonSVTControls",
  "Reference": "aka.ms/azsktcp/commonsvtcontrols",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_Repository_DP_Inactive_Repos",
      "Description": "Inactive repositories must be removed if no more required.",
      "Id": "Repository100",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckInactiveRepo",
      "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk ensure that only active and legitimate repositories are present in project.",
      "Recommendation": "To remove inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Repository"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make repository accessible to all pipelines.",
      "Id": "Repository110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRepositoryPipelinePermission",
      "Rationale": "If a repository is granted access to all pipelines, an unauthorized user can steal information from the repository by building a pipeline and accessing the repository.",
      "Recommendation": "1. Go to Project --> 2. Repositories --> 3. Select the repository --> 4. Security --> 5. Under 'Pipeline Permissions', remove pipelines that repository no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Feed_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow a broad group of users to upload packages to feed.",
      "Id": "Feed100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnFeeds",
      "Rationale": "If a broad group of users (e.g., Contributors) have permissions to upload package to feed, then integrity of your pipeline can be compromised by a malicious user who uploads a package.",
      "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review users/groups which have administrator and contributor roles. Ensure broader groups have read-only access. Refer to detailed scan log (Feed.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make secure files accessible to all pipelines.",
      "Id": "SecureFile100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecureFilesPermission",
      "Rationale": "If a secure file is granted access to all pipelines, an unauthorized user can steal information from the secure files by building a pipeline and accessing the secure file.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Pipeline Permissions', remove pipelines that secure file no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "AuthZ",
        "Automated",
        "Best Practice",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow secure file to have excessive permissions for a broad group of users.",
      "Id": "SecureFile110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnSecureFile",
      "Rationale": "If a broad group of users (e.g. Contributors) have excessive permissions on a secure file, A malicious user may gain access of stored secret/certificate which may open the door to malicious attack (e.g. SSH for accessing machine/server using these secret/certifcate).",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Security' --> 7. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (SecureFile.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make environment accessible to all pipelines.",
      "Id": "Environment100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEnviornmentAccess",
      "Rationale": "To support security of the pipeline operations, environments must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.",
      "Recommendation": "1. Go to Pipelines --> 2. Environments --> 3. Select your environment from the list --> 4. Click Security --> 5. Under 'Pipeline Permissions', remove pipelines that environment no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow environment to have excessive permissions for a broad group of users.",
      "Id": "Environment110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnEnvironment",
      "Rationale": "If a broad group of users (e.g., Contributors) have excessive permissions on an environment, a malicious user can abuse these permissions to compromise integrity of the environment.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click 'Security' --> 6. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (Environment.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    }
  ]
}