AzureDevOps organization critical builtIn

Description

Limit job authorization scope to current project for release pipelines. Release pipelines can run with collection-scoped access tokens unless this option is enabled. With this option enabled, you can reduce the scope of access for all release pipelines to the current project.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens#job-authorization-scope

Recommendation

1. Go to Organization Settings. 
2. Click on Pipelines -> Settings. 
3. Turn 'On' the setting 'Limit job authorization scope to current project for release pipelines'.

Policy Rule

{
  "target": "ADOOrganizationPipelineSettings",
  "if": {
    "allOf": [
      {
        "resource": "ADOOrganizationPipelineSettings",
        "property": "EnforceJobAuthScopeForReleases",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}