rules/AzureDevOps.Repos.Rule.ps1

# PSRule rule definitions for Azure DevOps Repos

# Synopsis: The default branch should have a branch policy
Rule 'Azure.DevOps.Repos.HasBranchPolicy' `
    -Ref 'ADO-RP-001' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The default branch should have a branch policy
        # Reason: The default branch does not have a branch policy
        # Recommendation: Protect your main branch with a branch policy
        # Links: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos
        # The rule passes only when both assertions pass: the MainBranchPolicy
        # field must be present on the exported repo object (third argument $true
        # makes the field-name match case-sensitive) and must not be null.
        # Existence is all that is checked here; whether the policy is actually
        # enabled is asserted separately by Azure.DevOps.Repos.BranchPolicyIsEnabled
        # (ADO-RP-001a).
        # NOTE(review): presumably MainBranchPolicy is populated by the export step
        # from the default branch's policy configuration - confirm which policy
        # type it represents, since only one object is inspected here.
        $Assert.HasField($TargetObject, "MainBranchPolicy", $true)
        $Assert.NotNull($TargetObject, "MainBranchPolicy")
}

# Synopsis: The default branch should have its branch policy enabled
Rule 'Azure.DevOps.Repos.BranchPolicyIsEnabled' `
    -Ref 'ADO-RP-001a' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The default branch should have its branch policy enabled
        # Reason: The default branch does not have its branch policy enabled
        # Recommendation: Protect your main branch with a branch policy
        # Links: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-repos
        # HasField (case-sensitive path match) reports a missing or misnamed
        # isEnabled field with its own reason; HasFieldValue then requires the
        # value to be exactly $true, so a disabled policy fails even though it is
        # present. A repo with no MainBranchPolicy at all fails here as well as in
        # ADO-RP-001.
        # NOTE(review): enabled is not the same as enforced - Azure DevOps policy
        # configurations also carry an isBlocking flag, and nothing in this file
        # asserts it. If the exported MainBranchPolicy includes that flag, a
        # companion rule would close the gap where a policy is enabled but only
        # advisory.
        $Assert.HasField($TargetObject, "MainBranchPolicy.isEnabled", $true)
        $Assert.HasFieldValue($TargetObject, "MainBranchPolicy.isEnabled", $true)
}


# Synopsis: The branch policy should require a minimum number of reviewers
Rule 'Azure.DevOps.Repos.BranchPolicyMinimumReviewers' `
    -Ref 'ADO-RP-002' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The branch policy should require a minimum number of reviewers
        # Reason: The branch policy does not require any reviewers
        # Recommendation: Require a minimum number of reviewers to approve pull requests
        # Links: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#repositories-and-branches
        # The approver count lives under the policy's settings object. Greater(.., 0)
        # means a minimumApproverCount of 1 is enough to pass; this rule deliberately
        # does not pick a specific threshold, so tighten it per organisation policy
        # if more than one reviewer is required.
        # A count of 1 is only meaningful when the author's own vote does not count;
        # that condition is covered by Azure.DevOps.Repos.BranchPolicyAllowSelfApproval
        # (ADO-RP-003), so both rules should be evaluated together.
        $Assert.HasField($TargetObject, "MainBranchPolicy.settings.minimumApproverCount", $true)
        $Assert.Greater($TargetObject, "MainBranchPolicy.settings.minimumApproverCount", 0)
}

# Synopsis: The branch policy should not allow creators to approve their own changes
Rule 'Azure.DevOps.Repos.BranchPolicyAllowSelfApproval' `
    -Ref 'ADO-RP-003' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The branch policy should not allow creators to approve their own changes
        # Reason: The branch policy allows creators to approve their own changes
        # Recommendation: Do not allow the pull request creator's vote to count towards the required approvals
        # Links: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#policies
        # creatorVoteCounts is the policy setting behind the portal option
        # "Allow requestors to approve their own changes". The rule requires it to
        # be exactly $false: a missing field is reported by HasField (case-sensitive
        # path match), and HasFieldValue fails when the value is $true. With this
        # setting on, a minimumApproverCount of 1 (see ADO-RP-002) can be satisfied
        # by the author alone, which defeats the purpose of the review gate.
        $Assert.HasField($TargetObject, "MainBranchPolicy.settings.creatorVoteCounts", $true)
        $Assert.HasFieldValue($TargetObject, "MainBranchPolicy.settings.creatorVoteCounts", $false)
}

# Synopsis: The branch policy should reset code reviewer votes when new changes are pushed
Rule 'Azure.DevOps.Repos.BranchPolicyResetVotes' `
    -Ref 'ADO-RP-004' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The branch policy should reset code reviewer votes when new changes are pushed
        # Reason: The branch policy does not reset code reviewer votes when new changes are pushed
        # Recommendation: Reset code reviewer votes when new changes are pushed
        # Links: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#policies
        # resetOnSourcePush must be exactly $true. Without it, an approval given on
        # an earlier revision carries over to commits pushed afterwards, so reviewed
        # and unreviewed changes can no longer be told apart at merge time.
        # HasField (case-sensitive path match) reports a missing field with its own
        # reason before HasFieldValue compares the value.
        $Assert.HasField($TargetObject, "MainBranchPolicy.settings.resetOnSourcePush", $true)
        $Assert.HasFieldValue($TargetObject, "MainBranchPolicy.settings.resetOnSourcePush", $true)
}

# Synopsis: The repository should contain a README file
Rule 'Azure.DevOps.Repos.Readme' `
    -Ref 'ADO-RP-005' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The repository should contain a README file
        # Reason: The repository does not contain a README or README.md file
        # Recommendation: Add a README or README.md file to the repository to explain its purpose
        # This rule does not look at repository contents itself; it only reads the
        # ReadmeExists field of the exported repo object and requires it to be
        # exactly $true (a missing field is reported separately by HasField, whose
        # third argument $true makes the name match case-sensitive).
        # NOTE(review): presumably ReadmeExists is computed by the export step -
        # confirm which file names it recognises so the Reason text stays accurate.
        $Assert.HasField($TargetObject, "ReadmeExists", $true)
        $Assert.HasFieldValue($TargetObject, "ReadmeExists", $true)
}

# Synopsis: The repository should contain a LICENSE file
Rule 'Azure.DevOps.Repos.License' `
    -Ref 'ADO-RP-006' `
    -Type 'Azure.DevOps.Repo' `
    -Tag @{ release = 'GA'} `
    -Level Warning {
        # Description: The repository should contain a LICENSE file
        # Reason: The repository does not contain a LICENSE file
        # Recommendation: Add a LICENSE file to the repository to state the terms under which its contents may be used
        # Mirrors Azure.DevOps.Repos.Readme (ADO-RP-005): the rule only reads the
        # LicenseExists field of the exported repo object and requires it to be
        # exactly $true; it does not inspect the repository itself. HasField's
        # third argument $true makes the field-name match case-sensitive.
        # NOTE(review): presumably LicenseExists is computed by the export step -
        # confirm which file names it recognises.
        $Assert.HasField($TargetObject, "LicenseExists", $true)
        $Assert.HasFieldValue($TargetObject, "LicenseExists", $true)
}