DOS2152: Pipeline Protected Resources - Checks - Configure a protected branch check on each production service connection | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

AzureDevOps project high builtIn

Description

Allow deployments based on branches linked to the run. Extend pipeline protection by configuring a protected branch check on each of your resources. This will automatically stop your pipeline from running on top of any user branches. Most pipelines need a second set of eyes look over changes (especially to the pipeline itself) before deploying to production. Checks allow you to pause the pipeline run until certain conditions are met. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources#checks https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints

Recommendation

1. Navigate to Project Settings. 
2. Open the Service connections link under Pipelines. 
3. Select a service connection. 
4. Click on 'Approvals and checks' tab. 
5. Add a new 'Branch control' check.

Policy Rule

{
  "target": "ADOProjectCheckConfiguration",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectCheckConfiguration",
        "property": "Resource.Type",
        "operator": "equals",
        "value": "endpoint"
      },
      {
        "resource": "ADOProjectCheckConfiguration",
        "property": "Resource.Name",
        "operator": "match",
        "value": "$(POLICY_VAR_PROJECT_PROD_SERVICE_CONNECTION_PATTERNS)"
      },
      {
        "resource": "ADOProjectCheckConfiguration",
        "property": "Type.Name",
        "operator": "equals",
        "value": "Task Check"
      },
      {
        "resource": "ADOProjectCheckConfiguration",
        "property": "BranchControl.DefinitionRef.Name",
        "operator": "equals",
        "value": "evaluatebranchProtection"
      },
      {
        "resource": "ADOProjectCheckConfiguration",
        "property": "BranchControl.Inputs.AllowedBranches",
        "operator": "notEquals",
        "value": "*"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS2150 DOS2155 »

Rule Details

Rule ID: DOS2152
Code: ADO_Project_Pipeline_Checks_ServiceConnection_Configure_Branch_Control_Check_For_Production
Platform: AzureDevOps
Category: project
Severity: high
Type: builtIn

DOS2152

Pipeline Protected Resources - Checks - Configure a protected branch check on each production service connection

DOS2152

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules