Look at the individual control evaluation status in the CSV file.
- If the control has passed, no action is necessary.
- If the control has failed, look at the control evaluation detail in the LOG file to understand why.
- If the control status says Verify, it means that human judgement is required to determine the final control status. Look at the control evaluation output in the LOG file to make a determination.
- If the control status says Manual, it means that AzSK.ADO (currently) does not cover the control via automation OR AzSK.ADO is not able to fetch the data. You need to manually implement/verify it.
Note: The Recommendation column in the CSV file provides basic (generic) guidance that can help you fix a failed control. You can also use standard ADO product documentation. You should carefully consider the implications of making the required change in the context of your application.
| ControlID | FeatureName | ControlSeverity | IsBaselineControl | Description | Recommendation | Rationale |
|---|---|---|---|---|---|---|
| ADO_Organization_AuthN_Use_AAD_Auth | Organization | High | Yes | Organization must be configured to authenticate users using Azure Active Directory backed credentials. | Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#connect-your-organization-to-azure-ad | Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All enterprise organizations are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise organizations. |
| ADO_Organization_AuthN_Disable_External_Guest_Users | Organization | High | Yes | Do not enable access for external users in your organization. | Go to Organization Settings --> Security --> Policies --> User Policies --> Turn 'Off' external guest access | "Non-AD accounts (such as xyz@hotmail.com |
| ADO_Organization_DP_Dont_Allow_Public_Projects | Organization | High | Yes | Public projects should be turned off for your organization. | Go to Organization Settings --> Security --> Policies --> Security Policies --> Turn 'Off' allow public projects | Data/content in projects that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data. |
| ADO_Organization_AuthZ_Justify_Guest_Identities | Organization | High | Yes | Justify all guest identities that have been granted access to your organization. | Go to Organization Settings --> Users --> Apply Guest filter under 'AAD User Type' filter --> Validate and remove all unintended guest users present. | "Non-AD accounts (such as xyz@hotmail.com |
| ADO_Organization_SI_Review_Installed_Extensions | Organization | High | Yes | Carefully review all extensions enabled for your organization. | Go to Organization Settings --> Extensions --> Review all installed extensions in organization. | Running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data. |
| ADO_Organization_SI_Review_Shared_Extensions | Organization | High | Yes | Exercise due care when installing (private) shared extensions for your organization. | Go to Organization Settings --> Extensions --> Review all shared extensions in organization. | Running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data. |
| ADO_Organization_AuthZ_Review_Extension_Managers | Organization | High | Yes | Review the set of users who have permission to manage extensions. | Go to Organization Settings --> Extensions --> Security --> Review indentities with manager role assigned. | "Accounts with extension manager access can install/manage extensions for organization. Members with this access without a legitimate business reason increase the risk for organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_Organization_AuthZ_Review_Inactive_Users | Organization | Medium | No | Consider revoking access for inactive users in your organization. | Go to Organization Settings --> Users --> Filter last access column with never accessed users or not accessed over long period | Each additional person having access at organization level increases the attack surface for the entire resources. To minimize this risk ensure that critical resources present in organization are accessed only by the legitimate users when required. |
| ADO_Organization_AuthZ_Remove_Disconnected_Accounts | Organization | Medium | No | Remove access entries for users whose accounts have been deleted/disconnected from Azure Active Directory. | Go to Organization Settings --> Azure Active Directory --> It will have notification for disconnected users on AD --> Click on Resolve | AD disconnected accounts present at any scope within a Organization are unknown guid access. |
| ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin | Organization | High | Yes | Alternate (ALT) accounts must be used for administrative activity at organization scope. | Go to Organization Settings --> Security --> Review whether each user in administrator groups is added via SC-ALT account. | "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g. |
| ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts | Organization | High | Yes | Review and minimize accounts that are members of the Project Collection Service Accounts group. | Go to Organization Settings --> Security --> Permissions --> Project Collection Service Accounts --> Validate all the members. | Any accounts that are members of Project Collection Service Accounts are effectively Project Collection Administrators. An adversary that executes code in a pipeline assigned to one of these build agents can take over the entire ADO organization. |
| ADO_Organization_SI_Review_Auto_Injected_Extensions | Organization | Medium | Yes | Set of auto-injected pipeline tasks should be carefully scrutinized. | Go to Organization Settings --> Extensions -> Verify the auto-injected extensions. | "Auto-injected pipeline tasks will run in every pipeline. If an attacker can change/influence the task logic/code |
| ADO_Organization_AuthZ_Verify_Enterprise_Access_To_Projects | Organization | Medium | No | Consider disabling enterprise access to projects in your organization. | Go to Organization Settings --> Security --> Policies --> Security policies --> Disable 'Enterprise access to projects'. | "If enterprise access to projects is enabled |
| ADO_Organization_AuthZ_Enable_AAD_Conditional_Access_Policy | Organization | Medium | No | Consider enabling AAD conditional access policy for your organization. | Go to Organization Settings --> Security --> Policies --> Security policies --> Enable 'Azure Active Directory Conditional Access Policy Validation'. | "Enabling AAD conditional access policy helps manage organization restrictions on security group membership |
| ADO_Organization_DP_Disable_Anonymous_Access_To_Badges | Organization | Low | No | Disable anonymous access to status badge API for parallel pipelines. | Go to Organization Settings --> Pipelines --> Settings --> Turn on 'Disable anonymous access to badges'. | Information that appears in the status badge API response should be hidden from external users. |
| ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time | Organization | Medium | No | Limit pipeline variables marked settable at queue time. | Go to Organization Settings --> Pipelines --> Settings --> Enable 'Limit variables that can be set at queue time'. | Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions. These variables (reasonably) can be used in ways that make code injection possible. |
| ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Access | Organization | Medium | Yes | Limit scope of access for non-release pipelines to the current project. | Go to Organization Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for non-release pipelines'. | "If pipelines use project collection level tokens |
| ADO_Organization_AuthZ_Limit_Release_Pipeline_Access | Organization | Medium | Yes | Limit scope of access for release pipelines to the current project. | Go to Organization Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for release pipelines'. | "If pipelines use project collection level tokens |
| ADO_Organization_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos | Organization | Medium | Yes | Limit scope of access for pipelines to explicitly referenced Azure DevOps repositories. | Go to Organization Settings --> Settings --> Enable 'Limit job authorization scope to referenced Azure DevOps repositories'. | "If pipelines use tokens having access to all Azure DevOps repositories in authorized projects |
| ADO_Organization_AuthZ_Review_Invite_Users_Setting | Organization | Medium | No | Review if project and team admins should be allowed to invite new users. | Go to Organization Settings --> Policy --> User Policy --> Disable 'Allow team and project administrators to invite new users'. | "By default |
| ADO_Organization_Enable_Audit_Stream | Organization | Medium | No | "Enable audit streaming to support alerting | monitoring and analysis of audit logs over longer periods." | "Go to Organization Settings --> Auditing --> Streams -> New Stream -> Configure at least one of the streaming service. If at least one stream is already configured |
| ADO_Organization_BCDR_Min_Admin_Count | Organization | Medium | Yes | Ensure that there are at least 2 project collection administrators in your organization. | Go to Organization settings --> Security --> Permissions --> Groups --> Select the group : Project Collection Administrators --> Review the members of this group | Having the minimum required number of administrators reduces the risk of losing admin access. This is useful in case of break-glass account scenarios. |
| ADO_Organization_AuthZ_Limit_Admin_Count | Organization | Medium | No | Ensure that there are at most 5 project collection administrators in your organization. | Go to Organization settings --> Security --> Permissions --> Groups --> Select the group : Project Collection Administrators --> Review the members of this group. | Each additional person in the administrator role increases the attack surface for the entire organization. The number of members in these roles should be kept to as low as possible. |
| ADO_Organization_AuthZ_Min_RBAC_Access | Organization | High | No | All teams/groups must be granted minimum required permissions in your organization. | Go to Organization Settings --> Permissions --> Select team/group --> Validate Permissions | Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. |
| ADO_Organization_AuthZ_Review_Group_Members | Organization | High | No | Review membership of all organization level privileged groups and teams. | Go to Organization Settings --> Permissions --> Groups --> Validate members of each group | "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_Organization_Audit_Configure_Critical_Alerts | Organization | Medium | No | Alerts must be configured for critical actions on Organization | Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts | "Alerts notify the configured security point of contact about various sensitive activities on the Organization and its resources (for instance |
| ADO_Organization_AuthZ_Dont_Use_Svc_Accounts | Organization | High | No | Service accounts cannot support MFA and should not be used for organization activity. | Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts | "Service accounts are typically not multi-factor authentication capable. Quite often |
| ADO_Organization_AuthN_Use_ALT_Accounts | Organization | High | No | Alternate (ALT) accounts should be used from Secure Admin Workstation (SAW) for privileged organization roles. | Go to Organization Settings --> Users --> Review whether each user is added via SC-ALT account. | "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g. |
| ADO_Organization_Backup_Audit_Logs | Organization | Medium | No | Backup audit logs to an external location periodically. | Go to Organization Settings --> Auditing --> Export log | "By default |
| ADO_User_AuthZ_PAT_Min_Access | User | Medium | No | Personal access tokens (PAT) must be defined with minimum required permissions to resources | Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=vsts#revoke-personal-access-tokens-to-remove-access | Granting minimum access ensures that PAT is granted with just enough permissions to perform required tasks. This minimizes exposure of the resources in case of PAT compromise. |
| ADO_User_AuthZ_Minimal_Token_Validity | User | Medium | No | Personal access tokens (PAT) must have a shortest possible validity period | Go to User Profile --> Security --> Personel Access Token --> Validate expiry periods of PAT | "If a personal access token (PAT) gets compromised |
| ADO_User_AuthZ_Review_Token_Expiration | User | Medium | No | Personal access tokens (PAT) near expiry should be renewed. | Go to User Profile --> Security --> Personel Access Token --> Edit | Personal access tokens (PAT) near expiry should be renewed. |
| ADO_User_AuthN_Disable_Alternate_Credentials | User | Medium | No | Alternate credentials must be disabled | Refer: https://docs.microsoft.com/en-us/azure/devops/repos/git/auth-overview?view=vsts#alternate-credentials | Alternate credential allows user to create username and password to access your Git repository.Login with these credentials doesn't expire and can't be scoped to limit access to your Azure DevOps Services data. |
| ADO_Project_AuthZ_Set_Visibility_Private_Or_Enterprise | Project | High | Yes | Ensure that project visibility is set to either private or enterprise. | Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/public/make-project-public?view=vsts&tabs=new-nav | Data/content in projects that have public visibility can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data. |
| ADO_Project_DP_Disable_Anonymous_Access_To_Badges | Project | Low | No | Disable anonymous access to status badge API for parallel pipelines. | Go to Project Settings --> Pipelines --> Settings --> Turn on 'Disable anonymous access to badges'. | Information that appears in the status badge API response should be hidden from external users. |
| ADO_Project_SI_Limit_Variables_Settable_At_Queue_Time | Project | Medium | No | Limit pipeline variables marked settable at queue time. | Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit variables that can be set at queue time'. | Pipeline variables not marked settable at queue time can only be changed by someone with elevated permissions. These variables (reasonably) can be used in ways that make code injection possible. |
| ADO_Project_AuthZ_Limit_Non_Release_Pipeline_Access | Project | Medium | Yes | Limit scope of access for non-release pipelines to the current project. | Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for non-release pipelines.'. | "If pipelines use project collection level tokens |
| ADO_Project_AuthZ_Limit_Release_Pipeline_Access | Project | Medium | Yes | Limit scope of access for release pipelines to the current project. | Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project for release pipelines.'. | "If pipelines use project collection level tokens |
| ADO_Project_AuthZ_Limit_Pipeline_Access_To_Referenced_Repos | Project | Medium | Yes | Limit scope of access for pipelines to explicitly referenced Azure DevOps repositories. | Go to Project Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to referenced Azure DevOps repositories'. | "If pipelines use tokens having access to all Azure DevOps repositories in authorized projects |
| ADO_Project_DP_Publish_Metadata_From_Pipeline | Project | Medium | No | Consider using artifact evaluation for fine-grained control over pipeline stages. | Go to Project Settings --> Pipelines --> Settings --> Enable 'Publish metadata from pipelines'. | Allow pipelines to record metadata. Evaluate artifact check can be configured to define policies using the metadata recorded. |
| ADO_Project_BCDR_Min_Admin_Count | Project | Medium | Yes | Ensure that there are at least 2 project administrators in your project. | Go to Project settings --> General --> Permissions --> Groups --> Select the group : Project Administrators --> Review the members of this group | Having the minimum required number of administrators reduces the risk of losing admin access. This is useful in case of breakglass account scenarios. |
| ADO_Project_AuthZ_Limit_Admin_Count | Project | Medium | No | Ensure that there are at most 5 project administrators in your project. | Go to Project settings --> General --> Permissions --> Groups --> Select the group : Project Administrators --> Review the members of this group | Each additional person in the administrator role increases the attack surface for the entire project. The number of members in these roles should be kept to as low as possible. |
| ADO_Project_AuthN_Use_ALT_Accounts_For_Admin | Project | High | Yes | Alternate (ALT) accounts must be used for administrative activity at project scope. | Go to Project settings --> General --> Permissions --> Groups --> Review whether each user in administrator groups is added via SC-ALT account. | "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g. |
| ADO_Project_AuthZ_Min_RBAC_Access | Project | High | No | All teams/groups must be granted minimum required permissions on the project. | Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/security/set-project-collection-level-permissions?view=vsts&tabs=new-nav | Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. |
| ADO_Project_AuthZ_Review_Group_Members | Project | High | No | Review membership of all project level privileged groups and teams. | Go to Project Settings --> Security --> Select Teams/Group --> Verify Members | "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_Build_AuthZ_Grant_Min_RBAC_Access | Build | High | No | All teams/groups must be granted minimum required permissions on build definition. | Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts | Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. |
| ADO_Build_DP_No_PlainText_Secrets_In_Definition | Build | High | Yes | Secrets and keys must not be stored as plain text in build variables/task parameters. | Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#secret-variables | "Keeping secrets such as connection strings |
| ADO_Build_DP_Review_Inactive_Build | Build | Medium | No | Inactive build pipelines must be removed if no more required. | To remove inactive build pipelines follow the steps given here: 1.Navigate to the build pipeline. 2. Select a build pipeline. 3. Select three dots (present at right top). 4. Click on Delete. (https://www.azuredevopslabs.com/labs/devopsserver/build/) | Each additional build having access to repositories increases the attack surface. To minimize this risk ensure that only active and legitimate build pipelines are present in your environment. |
| ADO_Build_AuthZ_Disable_Inherited_Permissions | Build | High | Yes | Do not allow inherited permission on build definitions. | "To disable inheritance follow the steps given here: 1.Navigate to the build pipeline. 2. Select three dots (present at right top). 3. Click Manage Security 4. Add the service lead & service owner as Users with Allow permissions for each permission line item. 5. Disable Inheritance. 6. Add users/groups to your build definition and provide only required access. As best practice | All teams/groups must be granted minimum required permissions on build definition." |
| ADO_Build_SI_Review_Variables_Settable_At_Queue_Time | Build | High | No | Pipeline variables marked settable at queue time should be carefully reviewed. | 1. Navigate to the build pipeline. 2. Click on Edit. 3. Select variables. 4. Uncheck 'settable at queue time' for such variables. 5. Save the build pipeline. | Pipeline variables that are marked settable at queue time can be changed by anyone who can queue a build. Such variables can be misused for code injection/data theft attacks from pipelines. |
| ADO_Build_SI_Review_URL_Variables_Settable_At_Queue_Time | Build | High | Yes | Pipeline variables marked settable at queue time and containing URLs should be carefully reviewed. | 1. Navigate to the build pipeline. 2. Click on Edit. 3. Select variables. 4. Uncheck 'settable at queue time' for such variables. 5. Save the build pipeline. | Pipeline variables that are marked settable at queue time can be changed by anyone who can queue a build. If these variables contain a URL then someone can change the URL to a server that they control and can intercept any secrets used to interact with the intended server by queueing a build. |
| ADO_Build_SI_Review_External_Sources | Build | High | No | Review external source code repositories before adding them to your pipeline. | Validate the external source repo and self-hosted agents for vulnerabilities. | "Building code from untrusted external sources can allow an attacker to execute arbitrary code in your pipeline. Hence |
| ADO_Build_SI_Disable_Task_Group_Edit_Permission | Build | High | Yes | Do not include loosely permissioned task groups in your pipeline. | 1. Navigate to the build pipeline. 2. Click on Tasks. 3. Right click on each task group and select 'Manage task group'. 4. Select 'Security' for the task group. 5. Ensure 'Edit task group' permission of Contributors is not set to 'Allow'. | "If a broad pool of users (e.g. |
| ADO_Build_SI_Disable_Variable_Group_Edit_Permission | Build | High | Yes | Do not include loosely permissioned variable groups in your pipeline. | 1. Navigate to the build pipeline. 2. Click on Variables. 3. Click on each variable groups used in the pipeline. 4. Select 'Security' for the variable group. 5. Ensure Contributors have only reader access to the variable group. | "If a broad pool of users (e.g. |
| ADO_Build_Config_Add_Static_Code_Analyzer | Build | High | No | Consider adding static code analysis step in your pipelines. | Refer: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts#ci-continuous-integration | Static code analyzers ensure that many kinds of security vulnerabilities are detected in early stages of software/service development. |
| ADO_Build_DP_Store_SecretFiles_in_Secure_Library | Build | Medium | No | "Secure Files library must be used to store secret files such as signing certificates | Apple Provisioning Profiles | Android KeyStore files |
| ADO_ServiceConnection_AuthN_Use_Cert_Auth_for_SPN | ServiceConnection | High | No | "Azure Active Directory applications | which used in pipeline | must use certificate based authentication." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access | ServiceConnection | High | Yes | Azure service connection should not be provided access at subscription/management group scope. | "Make sure you add SPN at the specific permission scope and role required for your scenario. For example | sometimes 'Contributor' access at 'Resource Group' scope might work. Exact permission will vary based on your use case. If you want to remove the SPN |
| ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections | ServiceConnection | High | Yes | Do not use Azure classic service connections to grant access on a subscription. | Migrate each v1/ASM-based service connections to a corresponding v2/ARM-based connection. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview | "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC) |
| ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions | ServiceConnection | High | Yes | Do not allow inherited permissions on service connections. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click on three dots on top right -> select Security -> In user permissions go to Inheritance -> Turn OFF Inheritance" |
| ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups | ServiceConnection | High | Yes | Do not grant global groups access to service connections. | "Refer detailed log files for the list of non compliant service connections. To remediate this follow steps given here: 1. Navigate to the project settings page 2. Select service connection under pipelines category 3. Select your service connection from the list 4. Select Roles from the menu 5. Check for a global security group - (a) global security group added as a User (b) global security group added as an Administrator 6. Remove all global security groups. 7. Save changes and refresh the page to confirm that your changes have been saved. Note: Global security groups are the groups maintained at organization and project level and may contain users at a very broad scope (e.g. | all users in the organization). For more information |
| ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission | ServiceConnection | High | No | Do not grant Build Service Account access for connections | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> select three dots on top right -> select security -> remove 'Project Collection Build Service Accounts' access from user permission." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access | ServiceConnection | High | Yes | Do not make service connections accessible to all pipelines. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Edit -> uncheck 'Grant access permission to all pipelines'." |
| ADO_ServiceConnection_AuthZ_PAT_Or_Auth | ServiceConnection | High | No | Justify GitHub service connections are authenticated with full scope GitHub PATs instead of the OAuth flow. | Go to Project Settings --> Service Connections --> Select Service Connection --> Select Edit --> Verify connection authentication type. | Full scope PAT exposes the environment to a full account compromise. The OAuth flow creates a token that only allows source code and webhook read/write access on GitHub. The impact of losing control of a scoped OAuth token is far lower. |
| ADO_ServiceConnection_DP_Review_Inactive_Connection | ServiceConnection | High | Yes | Inactive service connection must be removed if no more required. | "To remove inactive service connection | follow the steps given here: 1.Navigate to the service connection settings. 2. Select service connection. 3. Select three dots (present at right top). 4. Click on Delete." |
| ADO_ServiceConnection_SI_Dont_Share_Across_Projects | ServiceConnection | High | Yes | Service connections should not be shared across multiple projects. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Project Permissions' |
| ADO_ServiceConnection_SI_Review_Pipeline_Sharing | ServiceConnection | High | No | Ensure that service connection access is granted only to pipelines that require it. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Pipeline Permissions' |
| ADO_ServiceConnection_AuthZ_Justify_Connection_Admin | ServiceConnection | High | No | Justify all users/groups that have access to the service connection. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Select three dots on top right --> Select Security --> Under user permissions verify connection admin and users | "Accounts with admin access can install/manage extensions for Organization. Members with this access without a legitimate business reason increase the risk for Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_ServiceConnection_Audit_Usage_History | ServiceConnection | High | No | Periodically review usage history of service connection to validate use from legitimate pipelines. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Usage History --> Validate connection is been used from legitimate build/release definitions only | Periodic reviews of request history logs ensures that sevice connection been used from legitimate build definitions and avoid major compromise. |
| ADO_ServiceConnection_AuthN_Use_Cert_Auth_for_SPN | ServiceConnection | High | No | "Azure Active Directory applications | which used in pipeline | must use certificate based authentication." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access | ServiceConnection | High | Yes | Azure service connection should not be provided access at subscription/management group scope. | "Make sure you add SPN at the specific permission scope and role required for your scenario. For example | sometimes 'Contributor' access at 'Resource Group' scope might work. Exact permission will vary based on your use case. If you want to remove the SPN |
| ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections | ServiceConnection | High | Yes | Do not use Azure classic service connections to grant access on a subscription. | Migrate each v1/ASM-based service connections to a corresponding v2/ARM-based connection. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview | "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC) |
| ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions | ServiceConnection | High | Yes | Do not allow inherited permissions on service connections. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click on three dots on top right -> select Security -> In user permissions go to Inheritance -> Turn OFF Inheritance" |
| ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups | ServiceConnection | High | Yes | Do not grant global groups access to service connections. | "Refer detailed log files for the list of non compliant service connections. To remediate this follow steps given here: 1. Navigate to the project settings page 2. Select service connection under pipelines category 3. Select your service connection from the list 4. Select Roles from the menu 5. Check for a global security group - (a) global security group added as a User (b) global security group added as an Administrator 6. Remove all global security groups. 7. Save changes and refresh the page to confirm that your changes have been saved. Note: Global security groups are the groups maintained at organization and project level and may contain users at a very broad scope (e.g. | all users in the organization). For more information |
| ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission | ServiceConnection | High | No | Do not grant Build Service Account access for connections | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> select three dots on top right -> select security -> remove 'Project Collection Build Service Accounts' access from user permission." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access | ServiceConnection | High | Yes | Do not make service connections accessible to all pipelines. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Edit -> uncheck 'Grant access permission to all pipelines'." |
| ADO_ServiceConnection_AuthZ_PAT_Or_Auth | ServiceConnection | High | No | Justify GitHub service connections are authenticated with full scope GitHub PATs instead of the OAuth flow. | Go to Project Settings --> Service Connections --> Select Service Connection --> Select Edit --> Verify connection authentication type. | Full scope PAT exposes the environment to a full account compromise. The OAuth flow creates a token that only allows source code and webhook read/write access on GitHub. The impact of losing control of a scoped OAuth token is far lower. |
| ADO_ServiceConnection_DP_Review_Inactive_Connection | ServiceConnection | High | Yes | Inactive service connection must be removed if no more required. | "To remove inactive service connection | follow the steps given here: 1.Navigate to the service connection settings. 2. Select service connection. 3. Select three dots (present at right top). 4. Click on Delete." |
| ADO_ServiceConnection_SI_Dont_Share_Across_Projects | ServiceConnection | High | Yes | Service connections should not be shared across multiple projects. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Project Permissions' |
| ADO_ServiceConnection_SI_Review_Pipeline_Sharing | ServiceConnection | High | No | Ensure that service connection access is granted only to pipelines that require it. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Pipeline Permissions' |
| ADO_ServiceConnection_AuthZ_Justify_Connection_Admin | ServiceConnection | High | No | Justify all users/groups that have access to the service connection. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Select three dots on top right --> Select Security --> Under user permissions verify connection admin and users | "Accounts with admin access can install/manage extensions for Organization. Members with this access without a legitimate business reason increase the risk for Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_ServiceConnection_Audit_Usage_History | ServiceConnection | High | No | Periodically review usage history of service connection to validate use from legitimate pipelines. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Usage History --> Validate connection is been used from legitimate build/release definitions only | Periodic reviews of request history logs ensures that sevice connection been used from legitimate build definitions and avoid major compromise. |
| ADO_ServiceConnection_AuthN_Use_Cert_Auth_for_SPN | ServiceConnection | High | No | "Azure Active Directory applications | which used in pipeline | must use certificate based authentication." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access | ServiceConnection | High | Yes | Azure service connection should not be provided access at subscription/management group scope. | "Make sure you add SPN at the specific permission scope and role required for your scenario. For example | sometimes 'Contributor' access at 'Resource Group' scope might work. Exact permission will vary based on your use case. If you want to remove the SPN |
| ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections | ServiceConnection | High | Yes | Do not use Azure classic service connections to grant access on a subscription. | Migrate each v1/ASM-based service connections to a corresponding v2/ARM-based connection. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview | "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC) |
| ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions | ServiceConnection | High | Yes | Do not allow inherited permissions on service connections. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click on three dots on top right -> select Security -> In user permissions go to Inheritance -> Turn OFF Inheritance" |
| ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups | ServiceConnection | High | Yes | Do not grant global groups access to service connections. | "Refer detailed log files for the list of non compliant service connections. To remediate this follow steps given here: 1. Navigate to the project settings page 2. Select service connection under pipelines category 3. Select your service connection from the list 4. Select Roles from the menu 5. Check for a global security group - (a) global security group added as a User (b) global security group added as an Administrator 6. Remove all global security groups. 7. Save changes and refresh the page to confirm that your changes have been saved. Note: Global security groups are the groups maintained at organization and project level and may contain users at a very broad scope (e.g. | all users in the organization). For more information |
| ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission | ServiceConnection | High | No | Do not grant Build Service Account access for connections | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> select three dots on top right -> select security -> remove 'Project Collection Build Service Accounts' access from user permission." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access | ServiceConnection | High | Yes | Do not make service connections accessible to all pipelines. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Edit -> uncheck 'Grant access permission to all pipelines'." |
| ADO_ServiceConnection_AuthZ_PAT_Or_Auth | ServiceConnection | High | No | Justify GitHub service connections are authenticated with full scope GitHub PATs instead of the OAuth flow. | Go to Project Settings --> Service Connections --> Select Service Connection --> Select Edit --> Verify connection authentication type. | Full scope PAT exposes the environment to a full account compromise. The OAuth flow creates a token that only allows source code and webhook read/write access on GitHub. The impact of losing control of a scoped OAuth token is far lower. |
| ADO_ServiceConnection_DP_Review_Inactive_Connection | ServiceConnection | High | Yes | Inactive service connection must be removed if no more required. | "To remove inactive service connection | follow the steps given here: 1.Navigate to the service connection settings. 2. Select service connection. 3. Select three dots (present at right top). 4. Click on Delete." |
| ADO_ServiceConnection_SI_Dont_Share_Across_Projects | ServiceConnection | High | Yes | Service connections should not be shared across multiple projects. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Project Permissions' |
| ADO_ServiceConnection_SI_Review_Pipeline_Sharing | ServiceConnection | High | No | Ensure that service connection access is granted only to pipelines that require it. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Pipeline Permissions' |
| ADO_ServiceConnection_AuthZ_Justify_Connection_Admin | ServiceConnection | High | No | Justify all users/groups that have access to the service connection. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Select three dots on top right --> Select Security --> Under user permissions verify connection admin and users | "Accounts with admin access can install/manage extensions for Organization. Members with this access without a legitimate business reason increase the risk for Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_ServiceConnection_Audit_Usage_History | ServiceConnection | High | No | Periodically review usage history of service connection to validate use from legitimate pipelines. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Usage History --> Validate connection is been used from legitimate build/release definitions only | Periodic reviews of request history logs ensures that sevice connection been used from legitimate build definitions and avoid major compromise. |
| ADO_ServiceConnection_AuthN_Use_Cert_Auth_for_SPN | ServiceConnection | High | No | "Azure Active Directory applications | which used in pipeline | must use certificate based authentication." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_Subscription_Access | ServiceConnection | High | Yes | Azure service connection should not be provided access at subscription/management group scope. | "Make sure you add SPN at the specific permission scope and role required for your scenario. For example | sometimes 'Contributor' access at 'Resource Group' scope might work. Exact permission will vary based on your use case. If you want to remove the SPN |
| ADO_ServiceConnection_AuthZ_Dont_Use_Classic_Connections | ServiceConnection | High | Yes | Do not use Azure classic service connections to grant access on a subscription. | Migrate each v1/ASM-based service connections to a corresponding v2/ARM-based connection. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview | "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC) |
| ADO_ServiceConnection_AuthZ_Disable_Inherited_Permissions | ServiceConnection | High | Yes | Do not allow inherited permissions on service connections. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click on three dots on top right -> select Security -> In user permissions go to Inheritance -> Turn OFF Inheritance" |
| ADO_ServiceConnection_AuthZ_Dont_Allow_Global_Groups | ServiceConnection | High | Yes | Do not grant global groups access to service connections. | "Refer detailed log files for the list of non compliant service connections. To remediate this follow steps given here: 1. Navigate to the project settings page 2. Select service connection under pipelines category 3. Select your service connection from the list 4. Select Roles from the menu 5. Check for a global security group - (a) global security group added as a User (b) global security group added as an Administrator 6. Remove all global security groups. 7. Save changes and refresh the page to confirm that your changes have been saved. Note: Global security groups are the groups maintained at organization and project level and may contain users at a very broad scope (e.g. | all users in the organization). For more information |
| ADO_ServiceConnection_AuthZ_Dont_Grant_BuildServAcc_Permission | ServiceConnection | High | No | Do not grant Build Service Account access for connections | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> select three dots on top right -> select security -> remove 'Project Collection Build Service Accounts' access from user permission." |
| ADO_ServiceConnection_AuthZ_Dont_Grant_All_Pipelines_Access | ServiceConnection | High | Yes | Do not make service connections accessible to all pipelines. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Edit -> uncheck 'Grant access permission to all pipelines'." |
| ADO_ServiceConnection_AuthZ_PAT_Or_Auth | ServiceConnection | High | No | Justify GitHub service connections are authenticated with full scope GitHub PATs instead of the OAuth flow. | Go to Project Settings --> Service Connections --> Select Service Connection --> Select Edit --> Verify connection authentication type. | Full scope PAT exposes the environment to a full account compromise. The OAuth flow creates a token that only allows source code and webhook read/write access on GitHub. The impact of losing control of a scoped OAuth token is far lower. |
| ADO_ServiceConnection_DP_Review_Inactive_Connection | ServiceConnection | High | Yes | Inactive service connection must be removed if no more required. | "To remove inactive service connection | follow the steps given here: 1.Navigate to the service connection settings. 2. Select service connection. 3. Select three dots (present at right top). 4. Click on Delete." |
| ADO_ServiceConnection_SI_Dont_Share_Across_Projects | ServiceConnection | High | Yes | Service connections should not be shared across multiple projects. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Project Permissions' |
| ADO_ServiceConnection_SI_Review_Pipeline_Sharing | ServiceConnection | High | No | Ensure that service connection access is granted only to pipelines that require it. | "To remediate this | navigate to the service connections settings page for your project -> select your service connection from the list -> click Security -> Under 'Pipeline Permissions' |
| ADO_ServiceConnection_AuthZ_Justify_Connection_Admin | ServiceConnection | High | No | Justify all users/groups that have access to the service connection. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Select three dots on top right --> Select Security --> Under user permissions verify connection admin and users | "Accounts with admin access can install/manage extensions for Organization. Members with this access without a legitimate business reason increase the risk for Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place |
| ADO_ServiceConnection_Audit_Usage_History | ServiceConnection | High | No | Periodically review usage history of service connection to validate use from legitimate pipelines. | Go to Project Settings --> Pipelines --> Service Connections --> Select Service Connection --> Usage History --> Validate connection is been used from legitimate build/release definitions only | Periodic reviews of request history logs ensures that sevice connection been used from legitimate build definitions and avoid major compromise. |
| ADO_AgentPool_AuthZ_Grant_Min_RBAC_Access | AgentPool | High | No | All teams/groups must be granted minimum required permissions on agent pool. | Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts | Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. |
| ADO_AgentPool_AuthZ_Disable_Inherited_Permissions | AgentPool | High | Yes | Do not allow inherited permission on agent pool. | "To disable inheritance follow the steps given here: 1.Navigate to the agent pool. 2. Select Security. 3. Under User Permissions | add the service lead & service owner as users with allow permissions for each permission line item. 4. Select Off under Inheritance. 5. Add users/groups to agent and provide only required access. As best practice |
| ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning | AgentPool | High | Yes | Do not enable auto-provisioning for agent pools. | To change auto-provision settings: 1.Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Change the settings for 'Auto-provisioning' this agent pools in new projects' | "By enabling auto-provisioning the organization agent pool is imported in all your new team projects and is accessible there immediately. Therefore |
| ADO_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access | AgentPool | High | Yes | Do not make agent pool accessible to all pipelines in the project. | Go to 'Project settings' --> 'Agent pools' --> Select the agent pool --> Security --> Disable 'Grant access permission to all pipeline'. | "To support security of the pipeline operations |
| ADO_AgentPool_DP_Review_Inactive_Pool | AgentPool | Medium | Yes | Inactive agent pools must be removed if no more required. | "To remove inactive agent pool | follow the steps given here: 1.Navigate to the agent pool settings. 3. Click on Delete." |
| ADO_AgentPool_SI_Apply_Security_Patches | AgentPool | High | No | Non-hosted agent virtual machine must have all the required security patches installed. | Refer: https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management | Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. |
| ADO_AgentPool_SI_Lockdown_Machine | AgentPool | Medium | No | "Use a security hardened | locked down OS image for self-hosted VMs in agent pool." | "Use a locked down OS configuration. Ensure that the system is always fully patched |
| ADO_AgentPool_AuthZ_Grant_Min_RBAC_Access | AgentPool | High | No | All teams/groups must be granted minimum required permissions on agent pool. | Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts | Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. |
| ADO_AgentPool_AuthZ_Disable_Inherited_Permissions | AgentPool | High | Yes | Do not allow inherited permission on agent pool. | "To disable inheritance follow the steps given here: 1.Navigate to the agent pool. 2. Select Security. 3. Under User Permissions | add the service lead & service owner as users with allow permissions for each permission line item. 4. Select Off under Inheritance. 5. Add users/groups to agent and provide only required access. As best practice |
| ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning | AgentPool | High | Yes | Do not enable auto-provisioning for agent pools. | To change auto-provision settings: 1.Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Change the settings for 'Auto-provisioning' this agent pools in new projects' | "By enabling auto-provisioning the organization agent pool is imported in all your new team projects and is accessible there immediately. Therefore |
| ADO_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access | AgentPool | High | Yes | Do not make agent pool accessible to all pipelines in the project. | Go to 'Project settings' --> 'Agent pools' --> Select the agent pool --> Security --> Disable 'Grant access permission to all pipeline'. | "To support security of the pipeline operations |
| ADO_AgentPool_DP_Review_Inactive_Pool | AgentPool | Medium | Yes | Inactive agent pools must be removed if no more required. | "To remove inactive agent pool | follow the steps given here: 1.Navigate to the agent pool settings. 3. Click on Delete." |
| ADO_AgentPool_SI_Apply_Security_Patches | AgentPool | High | No | Non-hosted agent virtual machine must have all the required security patches installed. | Refer: https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management | Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. |
| ADO_AgentPool_SI_Lockdown_Machine | AgentPool | Medium | No | "Use a security hardened | locked down OS image for self-hosted VMs in agent pool." | "Use a locked down OS configuration. Ensure that the system is always fully patched |