AzureDevOps project high builtIn

Description

Link an existing Azure key vault to a variable group and map selective vault secrets to the variable group. When a variable group is not linked to a key vault, it is important to ensure that it does not contain any secrets.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups#link-secrets-from-an-azure-key-vault
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?tabs=classic
https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?#tasks

Recommendation

1. Navigate to Project -> Pipelines -> Library.
2. Select a variable group.
3. On the Variable groups page, enable Link secrets from an Azure key vault as variables.

Policy Rule

{
  "target": "ADOProjectVariableGroup",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectVariableGroup",
        "property": "HasSecrets",
        "operator": "equals",
        "value": true
      },
      {
        "resource": "ADOProjectVariableGroup",
        "property": "Type",
        "operator": "equals",
        "value": "AzureKeyVault"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
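As an added example (not part of this catalog entry or the policy engine), the check below applies the condition the description asks for to variable-group data: it flags groups that hold secret variables but are not linked to a key vault. It assumes the JSON shape returned by the Azure DevOps REST API for variable groups, where "type" is "Vsts" or "AzureKeyVault" and each variable carries an "isSecret" flag; the sample groups are constructed.

```python
# Added example: flag Azure DevOps variable groups that store secrets inline
# instead of mapping them from a linked Azure Key Vault.
# Assumption: groups follow the REST API shape
# (GET .../_apis/distributedtask/variablegroups): "type" is "Vsts" or
# "AzureKeyVault", and each entry in "variables" may carry "isSecret".
from typing import Any

KEY_VAULT_TYPE = "AzureKeyVault"


def has_secrets(group: dict[str, Any]) -> bool:
    """True when at least one variable in the group is marked secret."""
    variables = group.get("variables", {})
    return any(v.get("isSecret", False) for v in variables.values())


def is_key_vault_linked(group: dict[str, Any]) -> bool:
    """True when the group maps its variables from an Azure Key Vault."""
    return group.get("type") == KEY_VAULT_TYPE


def unlinked_secret_groups(groups: list[dict[str, Any]]) -> list[str]:
    """Names of groups that keep secrets inline rather than in a linked vault."""
    return [g["name"] for g in groups
            if has_secrets(g) and not is_key_vault_linked(g)]


# Constructed sample data, not taken from a real project.
SAMPLE_GROUPS = [
    {   # plain group with no secrets: compliant
        "name": "app-config", "type": "Vsts",
        "variables": {"API_URL": {"value": "https://api.example.test"}},
    },
    {   # plain group holding a secret inline: should be flagged
        "name": "legacy-creds", "type": "Vsts",
        "variables": {"DB_PASSWORD": {"value": None, "isSecret": True}},
    },
    {   # key-vault-linked group; variables are vault references: compliant
        "name": "prod-kv", "type": "AzureKeyVault",
        "providerData": {"serviceEndpointId": "<service-connection-id>",
                         "vault": "<vault-name>"},
        "variables": {"DbPassword": {"value": None, "isSecret": True}},
    },
]

if __name__ == "__main__":
    for name in unlinked_secret_groups(SAMPLE_GROUPS):
        print(f"variable group '{name}' holds secrets but is not linked to a key vault")
```

On a real project, the same structure is returned by `az pipelines variable-group list --project <name> --org <url> -o json`, which can be loaded and passed to `unlinked_secret_groups` in place of the constructed sample.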