AzureDevOps | appsec | Severity: critical | builtIn

Description

Make sure that Secret Scanning (SS) is in place for your repository. Credentials committed to source control (API keys, tokens, passwords, private keys) are easily found and exploited by attackers, and they stay in the commit history even after the offending line is removed. To defend against this threat, run a secret scanning tool that checks your source code and commit history for credential patterns and fails the build when one is found.

See:
https://github.com/gitleaks/gitleaks
https://appsecmap.com
https://owasp.org/www-project-devsecops-guideline/latest/01a-Secrets-Management

Recommendation

1. Navigate to Project -> Pipelines.
2. Open your repository's CI pipeline.
3. Ensure a secret scanning tool (for example gitleaks) runs as a step in that pipeline, scans the full commit history rather than only the current checkout, and fails the build on a finding.
4. Alternatively, enable 'Advanced Security' for your repository; its built-in secret scanning satisfies this rule without a pipeline step.

Policy Rule

{
  "target": "ADORepositoryPipelines",
  "if": {
    "allOf": [
      {
        "anyOf": [
          {
            "resource": "ADORepositoryPipelines",
            "property": "AdvSecEnabled",
            "operator": "equals",
            "value": true
          },
          {
            "resource": "ADORepositoryPipelines",
            "property": "PipelinesFinalYaml",
            "operator": "match",
            "value": "$(ADO_POLICY_VAR_DEVSECOPS_SS_SECRET_SCANNING_TOOLS_PATTERNS)"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
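The following is an added example and is not part of the original page or of the policy engine it describes. It covers both the Recommendation and the Policy Rule above: it embeds a constructed Azure Pipelines YAML with a gitleaks step of the kind step 3 asks for, and re-implements the rule's anyOf condition in Python so the 'PipelinesFinalYaml match' leg can be tried against sample input. The tool names in SECRET_SCANNING_TOOL_PATTERNS stand in for the operator-supplied $(ADO_POLICY_VAR_DEVSECOPS_SS_SECRET_SCANNING_TOOLS_PATTERNS) value and are an assumption, as is the gitleaks invocation (zricethezav/gitleaks image, detect subcommand); check both against your own environment.

```python
import re

# Regex stand-in for $(ADO_POLICY_VAR_DEVSECOPS_SS_SECRET_SCANNING_TOOLS_PATTERNS).
# The real value is set by the policy operator; these tool names are an assumption.
SECRET_SCANNING_TOOL_PATTERNS = r"\b(gitleaks|trufflehog|detect-secrets|ggshield)\b"

# Constructed sample pipelines (not taken from the page). The gitleaks step uses the
# public zricethezav/gitleaks image and the v8 'detect' subcommand; --exit-code 1
# makes a finding fail the step, --redact keeps secret values out of the build log.
PIPELINE_WITH_GITLEAKS = """\
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self
    fetchDepth: 0   # full history, so the scan covers past commits and not only HEAD
  - script: |
      docker run --rm -v "$(Build.SourcesDirectory):/repo" \\
        zricethezav/gitleaks:latest detect --source /repo --redact --exit-code 1
    displayName: Secret scanning (gitleaks)
"""

PIPELINE_WITHOUT_SCANNER = """\
trigger:
  - main
steps:
  - script: npm ci && npm test
    displayName: Build and test
"""

# A scanner that is only mentioned in a comment must not count as present.
PIPELINE_COMMENT_ONLY = """\
trigger:
  - main
steps:
  # TODO: add gitleaks before release
  - script: npm ci && npm test
"""


def strip_full_line_yaml_comments(yaml_text: str) -> str:
    """Drop lines whose first non-blank character is '#', so a commented-out or
    TODO mention of a scanner does not satisfy the match. Trailing comments are
    kept; '#' inside quoted scalars is out of scope for this example."""
    return "\n".join(
        line for line in yaml_text.splitlines() if not line.lstrip().startswith("#")
    )


def pipeline_uses_secret_scanner(final_yaml: str,
                                 patterns: str = SECRET_SCANNING_TOOL_PATTERNS) -> bool:
    """The 'PipelinesFinalYaml match' leg of the rule, applied to comment-stripped YAML."""
    cleaned = strip_full_line_yaml_comments(final_yaml)
    return re.search(patterns, cleaned, re.IGNORECASE) is not None


def evaluate_policy(adv_sec_enabled: bool, final_yaml: str) -> dict:
    """Evaluate the page's 'if' block: allOf[ anyOf[ AdvSecEnabled == true,
    PipelinesFinalYaml match ] ]. Returns each leg and whether the condition holds;
    turning a failed condition into the 'Audit' effect is the policy engine's job."""
    legs = {
        "AdvSecEnabled": adv_sec_enabled is True,
        "PipelinesFinalYaml": pipeline_uses_secret_scanner(final_yaml),
    }
    return {"condition": any(legs.values()), "legs": legs}


if __name__ == "__main__":
    samples = [
        ("gitleaks step", PIPELINE_WITH_GITLEAKS),
        ("no scanner", PIPELINE_WITHOUT_SCANNER),
        ("comment only", PIPELINE_COMMENT_ONLY),
    ]
    for name, yaml_text in samples:
        print(f"{name:14s} AdvSec=False ->", evaluate_policy(False, yaml_text))
    print(f"{'no scanner':14s} AdvSec=True  ->", evaluate_policy(True, PIPELINE_WITHOUT_SCANNER))
```

A text match on the final YAML only proves that a scanner is named somewhere in the expanded pipeline; it does not show that the step runs on every branch, fails the build on a finding, or sees the full history (hence fetchDepth: 0 in the sample). The example strips full-line YAML comments before matching so that a commented-out or TODO mention does not pass, which a raw 'match' on the text would accept.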