Framework/Configurations/SVT/ControlSettings.json
{
"BaselineControls": { "ResourceTypeControlIdMappingList": [ { "ResourceType": "Organization", "ControlIds": [ "AzureDevOps_Organization_AuthN_Use_AAD_Auth", "AzureDevOps_Organization_AuthN_Disable_External_Guest_Users", "AzureDevOps_Organization_AuthZ_Justify_Guest_Identities", "AzureDevOps_Organization_SI_Review_Installed_Extensions", "AzureDevOps_Organization_SI_Review_Shared_Extensions", "AzureDevOps_Organization_AuthZ_Review_Extension_Managers", "AzureDevOps_Organization_AuthZ_Review_Project_Collection_Service_Accounts", "AzureDevOps_Organization_SI_Review_Auto_Injected_Extensions", "AzureDevOps_Organization_AuthZ_Limit_Non_Release_Scope_To_Project", "AzureDevOps_Organization_AuthZ_Limit_Release_Scope_To_Project", "AzureDevOps_Organization_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "AzureDevOps_Organization_DP_Dont_Allow_Public_Projects", "AzureDevOps_Organization_AuthZ_Min_Admin_Count", "AzureDevOps_Organization_AuthZ_Use_SC_ALT_Account_For_Admin" ] }, { "ResourceType": "Project", "ControlIds": [ "AzureDevOps_Project_AuthZ_Set_Visibility_Private_Or_Enterprise", "AzureDevOps_Project_AuthZ_Min_Admin_Count", "AzureDevOps_Project_AuthZ_Limit_Non_Release_Scope_To_Project", "AzureDevOps_Project_AuthZ_Limit_Release_Scope_To_Project", "AzureDevOps_Project_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "AzureDevOps_Project_AuthZ_Use_SC_ALT_Account_For_Admin" ] }, { "ResourceType": "ServiceConnection", "ControlIds": [ "AzureDevOps_ServiceConnection_AuthZ_Dont_Use_Classic_Connections", "AzureDevOps_ServiceConnection_AuthZ_Disable_Inherited_Permissions", "AzureDevOps_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access", "AzureDevOps_ServiceConnection_AuthZ_Dont_Allow_Global_Groups", "AzureDevOps_ServiceConnection_SI_Review_Inactive_Connection", "AzureDevOps_ServiceConnection_SI_Dont_Allow_Project_Sharing", "AzureDevOps_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access" ] }, { "ResourceType": "Build", "ControlIds": [ 
"AzureDevOps_Build_AuthZ_Disable_Inherited_Permissions", "AzureDevOps_Build_DP_No_PlainText_Secrets_In_Definition", "AzureDevOps_Build_SI_Review_URL_Variables_Settable_At_Queue_Time" ] }, { "ResourceType": "Release", "ControlIds": [ "AzureDevOps_Release_AuthZ_Disable_Inherited_Permissions", "AzureDevOps_Release_SI_Review_External_Sources", "AzureDevOps_Release_DP_No_PlainText_Secrets_In_Definition", "AzureDevOps_Release_SI_Review_URL_Variables_Settable_At_Release_Time" ] }, { "ResourceType": "AgentPool", "ControlIds": [ "AzureDevOps_AgentPool_AuthZ_Disable_Inherited_Permissions", "AzureDevOps_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access", "AzureDevOps_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning", "AzureDevOps_AgentPool_SI_Review_Inactive_Pool" ] } ] }, "PreviewBaselineControls": { "ResourceTypeControlIdMappingList": [] }, "PartialScan": { "ResourceTrackerValidforDays": 3, "StoreResourceTrackerLocally": "True" }, "DockerImage":{ "ImageName" : "azskado/adosecurityscan" }, "AllowAttestationResourceType": [ "Organization", "Project", "Build", "Release", "ServiceConnection", "AgentPool" ], "AttestationExpiryPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "AllowAttestationByGroups": [ { "ResourceType": "Organization", "GroupNames": [ "Project Collection Administrators" ] }, { "ResourceType": "Project", "GroupNames": [ "Project Collection Administrators", "Project Administrators" ] } ], "IsAllowLongRunningScan": true, "LongRunningScanCheckPoint": 1000, "DefaultValidAttestationStates": [ "NotAnIssue", "WillFixLater", "WillNotFix" ], "NewControlGracePeriodInDays": { "Default": 60, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "AttestationPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "ControlSeverity": { "Critical": "Critical", "High": "High", "Medium": "Medium", "Low": "Low" }, "Build": { 
"BuildHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection Build Service (MicrosoftIT)" ] } ] }, "Release": { "ReleaseHistoryPeriodInDays": 180, "ExemptedUserIdentities": [ { "Domain": "Build", "DisplayName": [ "OneITVSO Build Service (MicrosoftIT)", "Project Collection Build Service (MicrosoftIT)" ] } ], "RequirePreDeployApprovals": [ "Production", "Pre-Production", "Prod", "Pre-Prod" ] }, "AgentPool": { "AgentPoolHistoryPeriodInDays": 180 }, "AlernateAccountRegularExpressionForOrg": "^SC-.*@.*microsoft.com$", "Organization": { "InActiveUserActivityLogsPeriodInDays": 90, "TopInActiveUserCount": 500, "TrustedExtensionPublishers": [ "Microsoft", "Microsoft DevLabs" ], "MaxPCAMembersPermissible": 5, "MinPCAMembersPermissible": 2, "GroupsToCheckForSCAltMembers": [ "Project Collection Administrators" ] }, "Project": { "MaxPAMembersPermissible": 5, "MinPAMembersPermissible": 2, "GroupsToCheckForSCAltMembers": [ "Project Administrators" ] }, "ServiceConnection": { "ServiceConnectionHistoryPeriodInDays": 180, "ExemptedGroupIdentities": [ "Endpoint Administrators" ], "RestrictedGlobalGroupsForSerConn": [ "Microsoft IT Build Admins (msitbuildadm@microsoft.com)", "Everyone Microsoft FTE", "Project Collection Administrators", "Project Collection Build Administrators", "Project Collection Proxy Service Accounts", "Project Collection Service Accounts", "Project Collection Valid Users", "Security Service Group", "Project Administrators", "Build Administrators", "Release Administrators", "CSEOPipelineContributors", "Endpoint Creators", "Contributors", "Readers" ] }, "Patterns": [ { "RegexCode": "Build", "RegexList": [ "(?=^.{6,12}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])&(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])&(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "(pwd|password)\\s*=\\s*(?<pwd>('(([^'])|(''))+'|[^';]+))", 
"^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\\s).{6,18}$", "^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$", "(?=^.{6,10}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{\":;'?/>.<,])(?!.*\\s).*$", "(?=^.{7,20}$)(?=.*\\d)(?=.*[a-zA-Z])(?!.*\\s)[0-9a-zA-Z*$-+?_&=!%{}/'.]*$" ] }, { "RegexCode": "Release", "RegexList": [ "(?=^.{6,12}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])&(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])&(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "(pwd|password)\\s*=\\s*(?<pwd>('(([^'])|(''))+'|[^';]+))", "^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\\s).{6,18}$", "^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$", "(?=^.{6,10}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{\":;'?/>.<,])(?!.*\\s).*$", "(?=^.{7,20}$)(?=.*\\d)(?=.*[a-zA-Z])(?!.*\\s)[0-9a-zA-Z*$-+?_&=!%{}/'.]*$" ] }, { "RegexCode": "URLs", "RegexList": [ "(www.|http:|https:)+[^\\s]+[\\w]" ] } ], "BugLogging": { "BugLogAreaPath": "RootDefaultProject", "BugLogIterationPath": "RootDefaultProject", "ResolvedBugLogBehaviour": "ReactiveOldBug", "MaxKeyWordsToQueryForBugClose": 30, "AutoCloseProjectBug": true, "AutoCloseOrgBug": true }, "GenerateSecurityEvaluationJsonFile" : false }