AzureDevOps project critical builtIn

Description

Limit job authorization scope to current project for release pipelines. Unless this option is enabled, release pipelines can run with collection-scoped access tokens. Enabling it reduces the scope of access for all release pipelines to the current project. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos

Recommendation

1. Navigate to Project Settings.
2. Open the Settings link under Pipelines.
3. Turn on the setting 'Limit job authorization scope to current project for release pipelines'.

Policy Rule

{
  "target": "ADOProjectPipelineGeneralSettings",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelineGeneralSettings",
        "property": "EnforceJobAuthScopeForReleases",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}