DOS1120

Pipeline Settings - Enforce job authorization scope to current project for non-release pipelines

DOS1120

AzureDevOps organization critical builtIn

Description

Limit job authorization scope to current project for non-release pipelines. If enabled, scope of access for all pipelines reduces to the current project. Non-Release Pipelines can run with collection scoped access tokens unless this option is enabled. With this option enabled, you can reduce the scope of access for all non-release pipelines to the current project. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens#job-authorization-scope

Recommendation

1. Go to Organization Settings. 
2. Click on Pipelines -> Settings. 
3. Turn 'On' the setting 'Limit job authorization scope to current project for non-release pipelines'.

Policy Rule

{
  "target": "ADOOrganizationPipelineSettings",
  "if": {
    "allOf": [
      {
        "resource": "ADOOrganizationPipelineSettings",
        "property": "EnforceJobAuthScope",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS1115 DOS1130 »
Rule Details
  • Rule ID: DOS1120
  • Code: ADO_Organization_Pipeline_Settings_Limit_Non_Release_Pipeline_Scope
  • Platform: AzureDevOps
  • Category: organization
  • Severity: critical
  • Type: builtIn
Related Rules

Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions