Framework/Configurations/SVT/ControlSettings.json

{
  "BaselineControls": {
    "ResourceTypeControlIdMappingList": [
      {
        "ResourceType": "Organization",
        "ControlIds": [
          "ADO_Organization_AuthN_Use_AAD_Auth",
          "ADO_Organization_AuthN_Disable_External_Guest_Users",
          "ADO_Organization_AuthZ_Justify_Guest_Identities",
          "ADO_Organization_SI_Review_Installed_Extensions",
          "ADO_Organization_SI_Review_Shared_Extensions",
          "ADO_Organization_AuthZ_Review_Extension_Managers",
          "ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts",
          "ADO_Organization_SI_Review_Auto_Injected_Extensions",
          "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time",
          "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Access",
          "ADO_Organization_AuthZ_Limit_Release_Pipeline_Access",
          "ADO_Organization_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos",
          "ADO_Organization_DP_Dont_Allow_Public_Projects",
          "ADO_Organization_Enable_Audit_Stream",
          "ADO_Organization_BCDR_Min_Admin_Count",
          "ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin",
          "ADO_Organization_AuthZ_Disable_OAuth_App_Access",
          "ADO_Organization_AuthN_Disable_SSH_Access"
        ]
      },
      {
        "ResourceType": "Project",
        "ControlIds": [
          "ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise",
          "ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time",
          "ADO_Project_BCDR_Min_Admin_Count",
          "ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Access",
          "ADO_Project_AuthZ_Limit_Release_Pipeline_Access",
          "ADO_Project_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos",
          "ADO_Project_AuthN_Use_ALT_Accounts_For_Admin",
          "ADO_Project_AuthZ_Dont_Grant_All_Pipelines_Access_To_Secure_Files",
          "ADO_Project_AuthZ_Restrict_Feed_Permissions",
          "ADO_Project_AuthZ_Disable_Inherited_Permissions"
        ]
      },
      {
        "ResourceType": "ServiceConnection",
        "ControlIds": [
          "ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections",
          "ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions",
          "ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access",
          "ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups",
          "ADO_ServiceConnection_DP_Review_Inactive_Connection",
          "ADO_ServiceConnection_SI_Dont_Share_Across_Projects",
          "ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access",
          "ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission"
        ]
      },
      {
        "ResourceType": "Build",
        "ControlIds": [
          "ADO_Build_AuthZ_Disable_Inherited_Permissions",
          "ADO_Build_DP_No_PlainText_Secrets_In_Definition",
          "ADO_Build_SI_Review_URL_Variables_Settable_At_Queue_Time",
          "ADO_Build_SI_Limit_Task_Group_Edit_Permission",
          "ADO_Build_SI_Limit_Variable_Group_Edit_Permission",
          "ADO_Build_AuthZ_Limit_Pipeline_Access",
          "ADO_Build_SI_Limit_Pipeline_Edit_Permission",
          "ADO_Build_SI_Review_External_Sources",
          "ADO_Build_DP_Dont_Make_Secrets_Available_To_Forked_Builds",
          "ADO_Build_DP_Review_Inactive_Build"
        ]
      },
      {
        "ResourceType": "Release",
        "ControlIds": [
          "ADO_Release_AuthZ_Disable_Inherited_Permissions",
          "ADO_Release_SI_Review_External_Sources",
          "ADO_Release_DP_No_PlainText_Secrets_In_Definition",
          "ADO_Release_SI_Review_URL_Variables_Settable_At_Release_Time",
          "ADO_Release_SI_Limit_Task_Group_Edit_Permission",
          "ADO_Release_SI_Limit_Variable_Group_Edit_Permission",
          "ADO_Release_SI_Limit_Pipeline_Edit_Permission",
          "ADO_Release_DP_Review_Inactive_Release"
        ]
      },
      {
        "ResourceType": "AgentPool",
        "ControlIds": [
          "ADO_AgentPool_AuthZ_Disable_Inherited_Permissions",
          "ADO_AgentPool_AuthZ_Dont_Grant_All_Pipelines_Access",
          "ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning",
          "ADO_AgentPool_DP_Review_Inactive_Pool",
          "ADO_AgentPool_DP_Enable_Auto_Update",
          "ADO_AgentPool_DP_No_Secrets_In_Capabilities"
        ]
      },
      {
        "ResourceType": "VariableGroup",
        "ControlIds": [
          "ADO_VariableGroup_AuthZ_Dont_Grant_All_Pipelines_Access",
          "ADO_VariableGroup_AuthZ_Disable_Inherited_Permissions",
          "ADO_VariableGroup_DP_No_PlainText_Secrets_In_Variables"
        ]
      }
    ]
  },
  "PreviewBaselineControls": {
    "ResourceTypeControlIdMappingList": []
  },
  "PartialScan": {
    "ResourceTrackerValidforDays": 3,
    "StoreResourceTrackerLocally": "True",
    "LocalScanUpdateFrequency": "100",
    "DurableScanUpdateFrequency": "200"
  },
  "DockerImage":{
    "ImageName" : "azskado/adosecurityscan"
  },
  "ADOInfoAPI":{
    "Enabled" : false,
    "Endpoint" : "",
    "Code" : ""
  },
  "AllowAdminControlScanForGroups": [
    {
      "ResourceType": "Organization",
      "GroupNames": [
        "Project Collection Administrators"
      ]
    },
    {
      "ResourceType": "Project",
      "GroupNames": [
        "Project Administrators"
      ]
    }
  ],
  "AttestableResourceTypes": [
    "Organization",
    "Project",
    "Build",
    "Release",
    "ServiceConnection",
    "AgentPool",
    "VariableGroup"
  ],
  "AttestationExpiryPeriodInDays": {
    "Default": 90,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "DefaultAttestationPeriodForExemptControl" : 180,
  "GroupsWithAttestPermission": [
    {
      "ResourceType": "Organization",
      "GroupNames": [
        "Project Collection Administrators"
      ]
    },
    {
      "ResourceType": "Project",
      "GroupNames": [
        "Project Collection Administrators",
        "Project Administrators"
      ]
    }
  ],
  "AttestationRepo": "",
  "AttestationBranch": "",
  "EnableMultiProjectAttestation": false,
  "ProjectToStoreAttestation": "",
  "IsAllowLongRunningScan": true,
  "LongRunningScanCheckPoint": 1000,
  "DefaultValidAttestationStates": [
    "NotAnIssue",
    "WillFixLater",
    "WillNotFix"
  ],
  "NewControlGracePeriodInDays": {
    "Default": 60,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "AttestationPeriodInDays": {
    "Default": 90,
    "ControlSeverity": {
      "Critical": 7,
      "High": 30,
      "Medium": 60,
      "Low": 90
    }
  },
  "ControlSeverity": {
    "Critical": "Critical",
    "High": "High",
    "Medium": "Medium",
    "Low": "Low"
  },
  "Build": {
    "BuildHistoryPeriodInDays": 180,
    "ExemptedUserIdentities": [
      {
        "Domain": "Build",
        "DisplayName": [
          "OneITVSO Build Service (MicrosoftIT)",
          "Project Collection Build Service (MicrosoftIT)"
        ]
      }
    ],
    "ExcludeFromSecretsCheck": [
        "system.debug",
        "BuildConfiguration",
        "BuildPlatform",
        "InputFeeds",
        "Environment",
        "SolutionName"
    ]
  },
  "Release": {
    "ReleaseHistoryPeriodInDays": 180,
    "ExemptedUserIdentities": [
      {
        "Domain": "Build",
        "DisplayName": [
          "OneITVSO Build Service (MicrosoftIT)",
          "Project Collection Build Service (MicrosoftIT)"
        ]
      }
    ],
    "RequirePreDeployApprovals": [
      "Production",
      "Pre-Production",
      "Prod",
      "Pre-Prod"
    ],
    "ExcludeFromSecretsCheck": [
        "Domain",
        "UserName",
        "Build",
        "AgentPath",
        "BuildNumber",
        "MachineGroup",
        "Environment",
        "System.debug",
        "BuildConfiguration"
    ]
  },
  "AgentPool": {
    "AgentPoolHistoryPeriodInDays": 180
  },
  "AlernateAccountRegularExpressionForOrg": "^SC-.*@.*microsoft.com$",
  "Organization": {
    "InactiveUserActivityLogsPeriodInDays": 90,
    "TopInactiveUserCount": 100,
    "KnownExtensionPublishers": [
      "Microsoft",
      "Microsoft DevLabs"
    ],
    "KnownExtensionPublisherIds":[""],
    "NonProductionExtensionIndicators":["DevTest", "Demo", "Preview", "Deprecated"],
    "ExtensionsLastUpdatedInYears": 2,
    "ExtensionCriticalScopes":["vso.agentpools_manage","vso.build_execute","vso.code_write","vso.code_manage","vso.code_full",
                      "vso.code_status","vso.extension_manage",
                      "vso.extension.data_write","vso.graph_manage","vso.identity_manage","vso.loadtest_write",
                      "vso.machinegroup_manage","vso.memberentitlementmanagement_write","vso.gallery_manage","vso.notification_write","vso.notification_manage",
                      "vso.packaging_write","vso.packaging_manage","vso.project_write","vso.project_manage","vso.release_execute",
                      "vso.release_manage","vso.security_manage","vso.serviceendpoint_manage","vso.settings_write",
                      "vso.symbols_write","vso.symbols_manage","vso.taskgroups_write","vso.taskgroups_manage",
                      "vso.dashboards_manage","vso.test_write","vso.tokenadministration","vso.profile_write",
                      "vso.variablegroups_write","vso.variablegroups_manage","vso.wiki_write","vso.work_write","vso.work_full"],
    "ExemptedExtensionNames":["Azure DevTest Labs Tasks"],
    "MaxPCAMembersPermissible": 5,
    "MinPCAMembersPermissible": 2,
    "GroupsToCheckForSCAltMembers": [
      "Project Collection Administrators"
    ]
  },
  "Project": {
    "MaxPAMembersPermissible": 5,
    "MinPAMembersPermissible": 2,
    "GroupsToCheckForSCAltMembers": [
      "Project Administrators"
    ],
    "GroupsToCheckForFeedPermission": [
      "Contributors"
    ]
  },
  "Repo": {
    "RepoHistoryPeriodInDays": 180,
    "AuthorEmailValidationPolicyID": "77ed4bd3-b063-4689-934a-175e4d0a78d7",
    "CredScanPolicyID": "e67ae10f-cf9a-40bc-8e66-6b3a8216956e",
    "CommitAuthorEmailPattern": [
      "*@microsoft.com",
      "*@exchange.microsoft.com",
      "*@ntdev.microsoft.com",
      "*@microsoftfederal.com"
    ]
  },
  "ServiceConnection": {
    "ServiceConnectionHistoryPeriodInDays": 180,
    "ExemptedGroupIdentities": [
      "Endpoint Administrators"
    ],
    "RestrictedGlobalGroupsForSerConn": [
      "Microsoft IT Build Admins (msitbuildadm@microsoft.com)",
      "Everyone Microsoft FTE",
      "Project Collection Administrators",
      "Project Collection Build Administrators",
      "Project Collection Proxy Service Accounts",
      "Project Collection Service Accounts",
      "Project Collection Valid Users",
      "Security Service Group",
      "Project Administrators",
      "Build Administrators",
      "Release Administrators",
      "CSEOPipelineContributors",
      "Endpoint Creators",
      "Contributors",
      "Readers"
    ]
  },
  "Patterns": [
    {
      "RegexCode": "SecretsInBuild",
      "RegexList": [
        "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$",
        "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?",
        "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$",
        "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}",
        "(?# To match ADO PATs.)^[a-z2-7]{52}$"
      ]
    },
    {
      "RegexCode": "SecretsInRelease",
      "RegexList": [
        "(?# To match general passwords.)^(?=\\D*\\d)(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=(\\w*\\W|\\w*))[0-9\\Wa-zA-Z]{7,20}$",
        "(?# To match SQL/MySQL conn strings.)((P|p)assword|pwd)\\s*=\\s*\\w+;?",
        "(?# To match Azure storage keys.)^[A-Za-z0-9/+]{86}==$",
        "(?# To match storage SAS.)([^?]*\\?sv=)[^&]+(&s[a-z]=[^&]+){4}",
        "(?# To match ADO PATs.)^[a-z2-7]{52}$"
      ]
    },
    {
      "RegexCode": "URLs",
      "RegexList": [
        "(?# To match any URL.)(www.|http:|https:)+[^\\s]+[\\w]"
      ]
    }
  ],
  "BugLogging": {
    "BugLogAreaPath": "RootDefaultProject",
    "BugLogIterationPath": "RootDefaultProject",
    "ResolvedBugLogBehaviour": "ReactiveOldBug",
    "MaxKeyWordsToQueryForBugClose": 30,
    "AutoCloseProjectBug": true,
    "AutoCloseOrgBug": true,
    "BugAssigneeAndPathCustomFlow": false,
    "BuildSTData": "BuildSTData.json",
    "ReleaseSTData": "ReleaseSTData.json",
    "ServiceTreeData": "ServiceTreeData.json",
    "DomainName": "microsoft.com",
    "BugDescriptionField" : "",
    "ShowBugsInS360" : false,
    "HowFound": "ADO Scanner",
    "ComplianceArea": "Security",
    "ServiceTreeIdType": "Service",
    "UseAzureStorageAccount": false,
    "LogBugsForInactiveResources": true,
    "CustomControlList": [],
    "LogBugsForUnmappedResource": true,
    "Description":"Control failure - {0} for resource {1} {2} <br/><br/> <b>Control Description: </b> {3} <br/><br/> <b> Control Result: </b> {4} <br/> <br/> <b> Rationale:</b> {5} <br/><br/> <b> Recommendation:</b> {6} <br/><br/> <b> Resource Link: </b> <a href='{7}' target='_blank'>{8}</a> <br/><br/> <b>Scan command (you can use to verify fix):</b><br/>{9} <br/><br/><b>Reference: </b> <a href='https://github.com/azsk/ADOScanner-docs' target='_blank'>ADO Scanner Documentation</a> <br/>"
  },
  "GenerateSecurityEvaluationJsonFile" : false,
  "ResourceProviders": [
    "Microsoft.Storage",
    "Microsoft.Keyvault",
    "Microsoft.Resources",
    "Microsoft.OperationalInsights"
  ],
  "CriticalPATPermissions": [
    "vso.build_execute",
    "vso.release_execute",
    "vso.release_manage"
  ]
}