Framework/Configurations/SVT/AzureDevOps/AzureDevOps.Project.json

{
  "FeatureName": "Project",
  "Reference": "aka.ms/azsktcp/project",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AzureDevOps_Project_AuthZ_Set_Visibility_Private",
      "Description": "Ensure that project visibility is set to private",
      "Id": "Project110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicProjects",
      "Rationale": "Data/content in projects that have public visibility can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/public/make-project-public?view=vsts&tabs=new-nav",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_AuthZ_Min_RBAC_Access",
      "Description": "All teams/groups must be granted minimum required permissions on the project",
      "Id": "Project120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging the RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/security/set-project-collection-level-permissions?view=vsts&tabs=new-nav",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_AuthZ_Review_Group_Members",
      "Description": "Justify all identities that are granted member access on groups and teams.",
      "Id": "Project130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "JustifyGroupMember",
      "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.",
      "Recommendation": "Go to Project Settings --> Security --> Select Teams/Group --> Verify Members",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_DP_Disable_Anonymous_Access_To_Badges",
      "Description": "Anonymous access to status badge API for parallel pipelines should be disabled.",
      "Id": "Project140",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckBadgeAnonAccess",
      "Rationale": "Status badges are served without authentication, so an anonymous badge endpoint reveals the existence and current build/release status of pipelines to anyone on the internet. Disabling anonymous access limits this information to authenticated users of the project.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Disable anonymous access to badges'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_SI_Limit_Variables_Settable_At_Queue_Time",
      "Description": "Do not permit all pipeline variables to be settable by default.",
      "Id": "Project150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSetQueueTime",
      "Rationale": "If every pipeline variable can be overridden at queue time, anyone permitted to queue a run can change values the pipeline relies on. Limiting overrides to variables explicitly marked as settable at queue time keeps the remaining configuration under the control of the pipeline definition.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit variables that can be set at queue time.'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_AuthZ_Limit_Job_Scope_To_Current_Project",
      "Description": "The access scope of all pipelines should be restricted to the current project.",
      "Id": "Project160",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckJobAuthnScope",
      "Rationale": "This ensures that pipeline execution uses a token scoped to the current project, in keeping with the principle of least privilege.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project.'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_Project_DP_Publish_Metadata_From_Pipeline",
      "Description": "Consider using artifact evaluation for fine-grained control over pipeline stages",
      "Id": "Project170",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPublishMetadata",
      "Rationale": "Allows pipelines to record metadata. The 'Evaluate artifact' check can then be configured to define policies based on the recorded metadata.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Settings --> Enable 'Publish metadata from pipelines'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    }
  ]
}