AzureDevOps organization high builtIn

Description

Allow extensions only from trusted publishers to be installed in your organization. Running extensions from untrusted sources can lead to all types of attacks and data loss. Learn more: https://learn.microsoft.com/en-us/azure/devops/extend/overview

Recommendation

1. Go to Organization Settings. 
2. Select Extensions. 
3. Review all installed extensions in the organization.

Policy Rule

{
  "target": "ADOOrganizationExtension",
  "if": {
    "allOf": [
      {
        "anyOf": [
          {
            "resource": "ADOOrganizationExtension",
            "property": "ExtensionName",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "PublisherName",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "PublisherId",
            "operator": "match",
            "value": "$(POLICY_VAR_ORGANIZATION_EXTENSIONS_TRUSTED_PUBLISHER_PATTERNS)"
          },
          {
            "resource": "ADOOrganizationExtension",
            "property": "Flags",
            "operator": "contains",
            "value": "trusted"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
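
The sketch below is an added example, not part of the policy engine or the original page. It applies the rule's four anyOf clauses to an extension inventory and reports which clause let each extension pass, so the review step in the recommendation can focus on the rest. Assumptions: "match" is a case-insensitive full-string regular expression, the "if" block describes the compliant state, records use the rule's property names, and all sample data and the pattern value are constructed.

```python
import re

# Properties the page's rule compares against the trusted-publisher pattern.
PATTERN_PROPERTIES = ("ExtensionName", "PublisherName", "PublisherId")


def matched_clauses(ext, trusted_pattern):
    """Return the names of the rule's anyOf clauses that this extension satisfies."""
    # Assumption: "match" means a case-insensitive, full-string regex match.
    rx = re.compile(trusted_pattern, re.IGNORECASE)
    hits = [p for p in PATTERN_PROPERTIES if rx.fullmatch(str(ext.get(p, "")))]
    # Assumption: Flags is a comma-separated string such as "builtIn, trusted".
    flags = {f.strip().lower() for f in str(ext.get("Flags", "")).split(",")}
    if "trusted" in flags:
        hits.append("Flags")
    return hits


def review(extensions, trusted_pattern):
    """Split extensions into (passing, audited); passing entries keep their reasons."""
    passing, audited = [], []
    for ext in extensions:
        hits = matched_clauses(ext, trusted_pattern)
        if hits:
            passing.append((ext["ExtensionName"], hits))
        else:
            audited.append(ext["ExtensionName"])
    return passing, audited


# Constructed sample inventory; not real extensions or publishers.
SAMPLE = [
    {"ExtensionName": "Build Helper", "PublisherName": "Contoso Tools", "PublisherId": "contoso", "Flags": ""},
    {"ExtensionName": "Core Boards", "PublisherName": "Example Platform", "PublisherId": "example-platform", "Flags": "builtIn, trusted"},
    # Passes on ExtensionName alone, because the rule tests the same pattern there.
    {"ExtensionName": "contoso", "PublisherName": "Unknown Dev", "PublisherId": "unknown-dev", "Flags": ""},
    {"ExtensionName": "Pipeline Widgets", "PublisherName": "Unknown Dev", "PublisherId": "unknown-dev", "Flags": ""},
]
TRUSTED = r"contoso|fabrikam.*"  # constructed value for the policy variable

if __name__ == "__main__":
    ok, flagged = review(SAMPLE, TRUSTED)
    for name, why in ok:
        print(f"pass   {name}: {', '.join(why)}")
    for name in flagged:
        print(f"audit  {name}")
```

Entries that pass only on ExtensionName or only on Flags are worth a manual look, since neither clause confirms the publisher against the trusted pattern.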