Framework/Configurations/SVT/ADO/ADO.CommonSVTControls.json
|
{
"FeatureName": "CommonSVTControls", "Reference": "aka.ms/azsktcp/commonsvtcontrols", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "ADO_Repository_DP_Inactive_Repos", "Description": "Inactive repositories must be removed if no more required.", "Id": "Repository100", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInactiveRepo", "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk ensure that only active and legitimate repositories are present in project.", "Recommendation": "To remove inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Repository" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make repository accessible to all pipelines.", "Id": "Repository110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRepositoryPipelinePermission", "Rationale": "If a repository is granted access to all pipelines, an unauthorized user can steal information from the repository by building a pipeline and accessing the repository.", "Recommendation": "1. Go to Project --> 2. Repositories --> 3. Select the repository --> 4. Security --> 5. Under 'Pipeline Permissions', remove pipelines that repository no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Feed_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow a broad group of users to upload packages to feed.", "Id": "Feed100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnFeeds", "Rationale": "If a broad group of users (e.g., Contributors) have permissions to upload package to feed, then integrity of your pipeline can be compromised by a malicious user who uploads a package.", "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review users/groups which have administrator and contributor roles. Ensure broader groups have read-only access. Refer to detailed scan log (Feed.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "AuthZ", "RBAC", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make secure files accessible to all pipelines.", "Id": "SecureFile100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecureFilesPermission", "Rationale": "If a secure file is granted access to all pipelines, an unauthorized user can steal information from the secure files by building a pipeline and accessing the secure file.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Pipeline Permissions', remove pipelines that secure file no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.", "Tags": [ "SDL", "AuthZ", "Automated", "Best Practice", "MSW" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow secure file to have excessive permissions for a broad group of users.", "Id": "SecureFile110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnSecureFile", "Rationale": "If a broad group of users (e.g. Contributors) have excessive permissions on a secure file, A malicious user may gain access of stored secret/certificate which may open the door to malicious attack (e.g. SSH for accessing machine/server using these secret/certifcate).", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Security' --> 7. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (SecureFile.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make environment accessible to all pipelines.", "Id": "Environment100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnviornmentAccess", "Rationale": "To support security of the pipeline operations, environments must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.", "Recommendation": "1. Go to Pipelines --> 2. Environments --> 3. Select your environment from the list --> 4. Click Security --> 5. Under 'Pipeline Permissions', remove pipelines that environment no more requires access to or click 'Restrict Permission' to avoid granting access to all pipelines.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow environment to have excessive permissions for a broad group of users.", "Id": "Environment110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnEnvironment", "Rationale": "If a broad group of users (e.g., Contributors) have excessive permissions on an environment, a malicious user can abuse these permissions to compromise integrity of the environment.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click 'Security' --> 6. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (Environment.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true } ] } |