Framework/Configurations/SVT/AzureDevOps/AzureDevOps.Build.json

{
  "FeatureName": "Build",
  "Reference": "aka.ms/azsktcp/Build",
  "IsMaintenanceMode": false,
"Controls": [
  {
    "ControlID": "AzureDevOps_Build_AuthZ_Grant_Min_RBAC_Access",
    "Description": "All teams/groups must be granted minimum required permissions on build definition",
    "Id": "Build110",
    "ControlSeverity": "High",
    "Automated": "Yes",
    "MethodName": "CheckRBACAccess",
    "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
    "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts",
    "Tags": [
      "SDL",
      "TCP",
      "Automated",
      "AuthZ",
      "RBAC"
    ],
    "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_DP_No_PlainText_Secrets_In_Definition",
    "Description": "Secrets and keys must not be stored as plain text in build variables/task parameters",
    "Id": "Build120",
    "ControlSeverity": "High",
    "Automated": "Yes",
    "MethodName": "CheckCredInVariables",
    "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Making them secret type variables ensures that they are protected at rest.",
    "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#secret-variables",
    "Tags": [
      "SDL",
      "TCP",
      "Manual",
      "Audit"
    ],
    "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_Config_Add_Static_Code_Analyzer",
    "Description": "Consider adding static code analysis step in your pipelines.",
    "Id": "Build140",
    "ControlSeverity": "High",
    "Automated": "No",
    "MethodName": "",
    "Rationale": "A static code analyzer ensures that the code follows all security rules.",
    "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts#ci-continuous-integration",
    "Tags": [
      "SDL",
      "TCP",
      "Automated",
      "Config"
    ],
    "Enabled": true
  },
  {
      "ControlID": "AzureDevOps_Build_DP_Store_SecretFiles_in_Secure_Library",
      "Description": "Secure Files library must be used to store secret files such as signing certificates, Apple Provisioning Profiles, Android KeyStore files, and SSH keys",
      "Id": "Build150",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secret files such as signing certificates, Apple Provisioning Profiles, Android KeyStore files, SSH keys etc. in repository can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a secure library ensures that they are protected at rest.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=vsts",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_SI_Review_Inactive_Build",
    "Description": "Inactive build pipelines must be removed if no longer required.",
    "Id": "Build160",
    "ControlSeverity": "Low",
    "Automated": "Yes",
    "MethodName": "CheckInActiveBuild",
    "Rationale": "Each additional build that has access to repositories increases the attack surface. To minimize this risk, ensure that only active and legitimate build resources are present in the organization.",
    "Recommendation": "To remove inactive build pipelines follow the steps given here: 1. Navigate to the build pipeline. 2. Select a build pipeline. 3. Select the three dots (present at the top right). 4. Click on Delete. (https://www.azuredevopslabs.com/labs/devopsserver/build/)",
    "Tags": [
      "SDL",
      "Best Practice",
      "Manual",
      "SI"
    ],
    "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_AuthZ_Disable_Inherited_Permissions",
    "Description": "Do not allow inherited permission on build definitions",
    "Id": "Build170",
    "ControlSeverity": "High",
    "Automated": "Yes",
    "MethodName": "CheckInheritPermissions",
    "Rationale": "Disabling inherit permissions lets you finely control access to various operations at the build level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.",
    "Recommendation": "To disable inheritance follow the steps given here: 1. Navigate to the build pipeline. 2. Open up the Security dialog for the build. 3. Add the service lead & service owner as Users with Allow permissions for each permission line item. 4. Select Off under Inheritance. 5. Add users/groups to your build definition and provide only the required access. As a best practice, all teams/groups must be granted minimum required permissions on build definition.",
    "Tags": [
      "SDL",
      "TCP",
      "Automated",
      "AuthZ",
      "RBAC"
    ],
    "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_SI_Review_Settable_At_Queue_Time",
    "Description": "Pipeline variables marked settable at queue time should be carefully reviewed.",
    "Id": "Build180",
    "ControlSeverity": "High",
    "Automated": "Yes",
    "MethodName": "CheckSettableAtQueueTime",
    "Rationale": "Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions; variables that are marked settable at queue time can instead be overridden by anyone able to queue a build. These variables may (reasonably) be used in ways that make code injection possible.",
    "Recommendation": "To uncheck settable at queue time follow the steps given here: 1. Navigate to the build pipeline. 2. Open up the build pipeline. 3. Select variables. 4. Uncheck settable at queue time.",
    "Tags": [
      "SDL",
      "TCP",
      "Automated",
      "AuthZ",
      "RBAC"
    ],
    "Enabled": true
  },
  {
    "ControlID": "AzureDevOps_Build_Check_External_Source_Self_Hosted_Build",
    "Description": "Building code from untrusted external sources is effectively allowing external parties to execute arbitrary code on your computer.",
    "Id": "Build190",
    "ControlSeverity": "High",
    "Automated": "Yes",
    "MethodName": "ExternalSourceSelfHostedBuild",
    "Rationale": "Builds execute attacker-controlled code by-design (e.g. solution files contain build command lines to invoke, unit tests compile into DLLs that are loaded and executed by a harness, etc). Building code from untrusted external sources is effectively allowing external parties to execute arbitrary code on your computer.",
    "Recommendation": "Validate the external source repo and self-hosted agents for vulnerabilities.",
    "Tags": [
      "SDL",
      "TCP",
      "Automated",
      "AuthZ",
      "RBAC"
    ],
    "Enabled": true
  }
]
}