Framework/Configurations/SVT/AzureDevOps/AzureDevOps.Build.json
{
"FeatureName": "Build", "Reference": "aka.ms/azsktcp/Build", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AzureDevOps_Build_AuthZ_Grant_Min_RBAC_Access", "Description": "All teams/groups must be granted minimum required permissions on build definition", "Id": "Build110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_DP_No_PlainText_Secrets_In_Definition", "Description": "Secrets and keys must not be stored as plain text in build variables/task parameters", "Id": "Build120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCredInVariables", "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Making them secret type variables ensures that they are protected at rest.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#secret-variables", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_Config_Add_Static_Code_Analyzer", "Description": "Consider adding static code analysis step in your pipelines.", "Id": "Build130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Static code analyzer ensure that the code is following all rules for security", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts#ci-continuous-integration", "Tags": [ "SDL", "TCP", "Manual", "Config" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_DP_Store_SecretFiles_in_Secure_Library", "Description": " Secure Files library must be used to store secret files such as signing certificates, Apple Provisioning Profiles, Android KeyStore files, and SSH keys", "Id": "Build140", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Keeping secret files such as signing certificates, Apple Provisioning Profiles, Android KeyStore files, SSH keys etc. in repository can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a secure library ensures that they are protected at rest.", "Recommendation": "Refer https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_SI_Review_Inactive_Build", "Description": "Inactive build pipelines must be removed if no more required.", "Id": "Build150", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckInActiveBuild", "Rationale": "Each additional build having access at repositories increases the attack surface. To minimize this risk ensure that only active and legitimate build resources are present in Organization", "Recommendation": "To remove inactive build pipelines follow the steps given here: 1.Navigate to the build pipeline. 2. Select a build pipeline. 3. Select three dots (present at right top). 4. Click on Delete. (https://www.azuredevopslabs.com/labs/devopsserver/build/)", "Tags": [ "SDL", "Best Practice", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_AuthZ_Disable_Inherited_Permissions", "Description": "Do not allow inherited permission on build definitions", "Id": "Build160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInheritPermissions", "Rationale": "Disabling inherited permissions lets you finely control access to various operations at the build level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.", "Recommendation": "To disable inheritance follow the steps given here: 1.Navigate to the build pipeline. 2. Select three dots (present at right top). 3. Click Manage Security 4. Add the service lead & service owner as Users with Allow permissions for each permission line item. 5. Disable Inheritance. 6. Add users/groups to your build definition and provide only required access. As best practice, All teams/groups must be granted minimum required permissions on build definition.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_SI_Review_Variables_Settable_At_Queue_Time", "Description": "Pipeline variables marked settable at queue time should be carefully reviewed.", "Id": "Build170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSettableAtQueueTime", "Rationale": "Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions. These variables (reasonably) can be used in ways that make code injection possible.", "Recommendation": "1. Navigate to the build pipeline. 2. Click on Edit. 3. Select variables. 4. Uncheck 'settable at queue time' for such variables. 5. Save the build pipeline.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_SI_Review_URL_Variables_Settable_At_Queue_Time", "Description": "Pipeline variables marked settable at queue time and containing URLs should be carefully reviewed.", "Id": "Build172", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSettableAtQueueTimeForURL", "Rationale": "Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions. If these variables contain a URL then someone can change the URL to a server that they control and can intercept any secret used to interact with the intended server by queueing the build..", "Recommendation": "1. Navigate to the build pipeline. 2. Click on Edit. 3. Select variables. 4. Uncheck 'settable at queue time' for such variables. 5. Save the build pipeline.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Build_SI_Check_External_Source_Self_Hosted_Build", "Description": "Building code from untrusted external sources is effectively allowing external parties to execute arbitrary code on your computer.", "Id": "Build180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ExternalSourceSelfHostedBuild", "Rationale": "Builds execute attacker-controlled code by-design (e.g. solution files contain build command lines to invoke, unit tests compile into DLLs that are loaded and executed by a harness, etc). Building code from untrusted external sources is effectively allowing external parties to execute arbitrary code on your computer.", "Recommendation": "Validate the external source repo and self-hosted agents for vulnerabilities.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true } ] } |