AzureDevOps organization | Severity: high | builtIn

Description

Allow only extensions from trusted publishers to be installed in your organization. Running extensions from untrusted sources can lead to all types of attacks and data loss.

Recommendation

1. Go to Organization Settings.
2. Select Extensions.
3. Review all installed extensions in the organization.

Policy Rule

{
  "target": "ADOOrganizationExtension",
  "if": {
    "allOf": [
      {
        "anyOf": [
          {
            "resource": "ADOOrganizationExtension",
            "property": "ExtensionName",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "PublisherName",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "PublisherId",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "Flags",
            "operator": "contains",
            "value": "trusted"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
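As an added example (not the scanner's own evaluator), the following Python walks this rule's allOf/anyOf tree against a constructed extension inventory. It assumes that `match` is a regular-expression search, that `contains` is list membership or substring, that `$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)` is filled from a variable map, and that the `if` block describes a compliant extension, so the extensions that fail it are the findings the Audit effect reports.

```python
import re

# Added example, not the scanner's own code. Assumptions: "match" is a regex
# search, "contains" is membership/substring, $(NAME) comes from a variable map.
TRUSTED_VAR = "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"

def _leaf(prop, op, value):
    return {"resource": "ADOOrganizationExtension", "property": prop,
            "operator": op, "value": value}

# The page's "if" block, built as a dict.
RULE_IF = {"allOf": [{"anyOf": [
    _leaf("ExtensionName", "match", TRUSTED_VAR),
    _leaf("PublisherName", "match", TRUSTED_VAR),
    _leaf("PublisherId", "match", TRUSTED_VAR),
    _leaf("Flags", "contains", "trusted"),
]}]}

# Constructed value for the policy variable: an anchored regex of trusted
# publishers. An unanchored or wildcard pattern would silently widen the rule.
VARIABLES = {
    "POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS":
        r"^(ms|ms-devlabs|Microsoft|example-corp)$",
}

def _substitute(value, variables):
    """Replace $(NAME) references with values from the variable map."""
    return re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], value)

def evaluate(cond, resource, variables):
    """Evaluate an allOf/anyOf tree of leaf conditions against one resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, variables) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, variables) for c in cond["anyOf"])
    actual = resource.get(cond["property"], "")
    expected = _substitute(cond["value"], variables)
    if cond["operator"] == "match":
        return re.search(expected, str(actual)) is not None
    if cond["operator"] == "contains":
        return expected in actual  # list membership or substring of a string
    raise ValueError(f"unsupported operator: {cond['operator']}")

def extensions_to_audit(extensions, variables=VARIABLES, rule=RULE_IF):
    """Assumption: the "if" block describes a compliant extension, so the
    extensions that fail it are the findings the Audit effect should report."""
    return [e["ExtensionName"] for e in extensions
            if not evaluate(rule, e, variables)]

# Constructed sample inventory, shaped like an org extension listing.
SAMPLE_EXTENSIONS = [
    {"ExtensionName": "code-search", "PublisherName": "Microsoft",
     "PublisherId": "ms", "Flags": ["builtIn", "trusted"]},
    {"ExtensionName": "pipeline-helper", "PublisherName": "Contoso",
     "PublisherId": "contoso", "Flags": []},
    {"ExtensionName": "retro-board", "PublisherName": "Example Corp",
     "PublisherId": "example-corp", "Flags": ["public"]},
]
```

`extensions_to_audit(SAMPLE_EXTENSIONS)` returns only `pipeline-helper`: its publisher matches no trusted pattern and it carries no `trusted` flag.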