cloudyspells / psrule.rules.azuredevops
PSRule Module for Azure DevOps. Audit your Azure DevOps project configuration for best practice adoption in minutes.
License: MIT License
As a product owner I want to explore what is needed to run the module from Azure Automation runbooks with managed identity or other available means of authentication so we can offer users a choice of Azure services for running the module in a cost efficient manner so users can save on cloud spend.
As an end-user I want to be sure the retention settings for build and artifacts are sensible. Therefore I want the module to export and check relevant settings from Azure DevOps so I can be sure these settings are not overlooked in an audit.
As a product owner I want to have a GitHub Actions based environment for testing VM based MSI auth so end-users can be sure this works. The solution should be cost efficient, have auto-shutdown and be easy to turn on.
Due to the direct impact on project budget, this task is only assignable to the project maintainer @webtonize
As a PO I want transparency in the objects selected for inspection so users can have a clear understanding of the scope of the audit. Therefore I want the selectors used for inspecting only production resources deprecated and the rules adapted accordingly. To help users get started quickly, a decent suppression groups YAML should be offered as a replacement.
As a repository maintainer I want to be aware of branches that have not been updated for a while (2 to 3 months) so I can remove stale branches and keep my repository tree clean.
Setting type: int, as number of days.
As an end-user I want 2 baselines I can use for either public or private projects so I can check the best practices for each case as applicable so I always have the best appropriate security measures.
As an end-user I want current and future objects to have a clear name that depicts their position in the larger Azure DevOps architecture. That way I can use the module on multiple projects and still relate the output, and it also allows future parts of objects to be named and inspected separately while maintaining the ability to locate the inspected object.
ObjectName field with a naming convention of org.project.objectname.childname.grandchildname
As an end-user I want more service connection capabilities than just the current ARM type. For example, I want to check that I am not using non-recommended classic ARM connectors, to ensure I am using the most secure connections available.
As a Product Owner I want best practice recommendations for all service connection types. As limited Azure sponsoring is available, I want to explore all service connection types for Azure related resources so we can build and test these use cases before funding ends.
As an end-user I want to be sure all my Azure DevOps objects can be exported, even if I have special characters in the object names so I can be sure my complete Azure DevOps environment will get audited and I will not be surprised in human audit.
Export- functions should be changed to use the new function.
As a module publisher I want end users using only the PowerShell Gallery to be able to read the latest release notes for the module as published on GitHub so users can stay up to date via the gallery alone.
PSRule.Rules.AzureDevOps.
As a developer I want the unit tests for rules split over multiple files so I have a better overview, Copilot works better and there are fewer merge conflicts, so I can develop more efficiently.
TokenType and AuthType. In other words: the number of calls to the REST API should not increase when splitting the files.
As an end-user I want to be able to use a fine-grained personal access token for data collection. Therefore the Export functions should use documented REST API endpoints instead of the endpoints used by the UI, so I can specify the access required by the token and avoid unnecessarily large permission sets.
The Build/GeneralSettings REST API endpoint documented here is used over the Contributions/Hierarchy UI endpoint in the export functions for pipeline settings.
As an end-user I want the maximum probability of detecting possibly sensitive information so I can feel assured secrets are stored in a secure manner.
keys as well as full connection strings for the most popular Azure Services
variable-groups, GUI Build Pipelines, GUI Releases
As a developer I prefer multiple smaller files over one big one, to prevent merge conflicts when adding tests for new functions in the Functions directory.
For the Azure DevOps pipeline example, the grave accent (`) symbol should be removed.
Link to code:
https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/e609897620d10de08b88a8be416994066142ce23/pipelines/azure-pipelines.yml#L53C38-L53C38
Error message from Azure DevOps Pipeline:
Export-AzDevOpsRuleData: /home/vsts/work/_temp/364686e8-433e-44db-9604-197f4e66cf3b.ps1:11
Line |
11 | -OutputPath './results.sarif' `
| ~~~~~~~~~~~
| Cannot bind parameter because parameter 'OutputPath' is specified more
| than once. To provide multiple values to parameters that can accept
| multiple values, use the array syntax. For example, "-parameter
| value1,value2,value3".
As a security specialist I want the module to be able to run in a read-only role so I can be confident the module does not make modifications to Azure DevOps.
Running Export-AzDevOpsRuleData on a new repo, with a new pipeline not on the main/default branch fails with the following error:
Invoke-RestMethod: /Users/[email protected]/PSRule.Rules.AzureDevOps/src/PSRule.Rules.AzureDevOps/Functions/DevOps.Pipelines.Core.ps1:223:21
Line |
223 | … $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"$id":"1","innerException":null,"message":"TF401174: The item 'test-pipeline.yaml' could not be found in the
| repository 'PmcTest' at the version specified by '' (resolved to commit
| '97cc80fe33624aeff34d81adb6a4a409aabf69bf')","typeName":"Microsoft.TeamFoundation.Git.Server.GitItemNotFoundException,
| Microsoft.TeamFoundation.Git.Server","typeKey":"GitItemNotFoundException","errorCode":0,"eventId":3000}
I don't know.
Data Collection should run without throwing an error.
OS: Darwin 22.6.0 Darwin Kernel Version 22.6.0
PowerShell version: 7.3.3
PSRule version: 2.9.0
PSRule.Rules.AzureDevOps version: v0.2.0
Export command was run from my dev mac using a ReadOnly PAT.
As an end user I want to make sure I am compliant with the recommendations regarding group membership so I can be sure I have a secure best practice environment.
Project Administrators group includes no less than 2 and no more than 4 members.
As an end-user I want to be able to run the module with different sets of REST API permissions on the PAT, in line with my compliance/security requirements, so I can avoid the tool becoming a security risk.
Export functions must have an option parameter for FullAccess, FineGrained and ReadOnly settings.
FullAccess may use any endpoint we can get useful information from for analyzing security posture.
FineGrained is limited to the items we can specify in setting a fine-grained personal access token.
ReadOnly is limited to Read permissions we can set in a fine-grained personal access token.
When clicking on the link https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/CONTRIBUTING.md#code-of-conduct the user receives a Not Found page.
When clicking on any of the following links nothing happens (as the links reference missing markdown sections)
When clicking on the rule hyperlinks in https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/docs/token-permissions.md the user gets a 404 page not found.
Hyperlink corrected so the user does not see a Not Found page.
Sections for Styleguides, commit messages and join the project team added to documentation.
The link in the CONTRIBUTING.md markdown file needs a small amendment.
The current link is:
https://github.com/cloudyspells/PSRule.Rules.AzureDevOpsblob/master/CODE_OF_CONDUCT.md
but this needs changing to:
https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/CODE_OF_CONDUCT.md
i.e. change branch from master to main
In Token Scope for Rules example link:
but this needs changing to:
i.e. remove /docs from the link path
No
A fix needs to be added in the code in case an Azure DevOps service connection contains backslash /:
"name": "CI/CD template Repo Connection",
"description": ""
}
],
"ObjectType": "Azure.DevOps.ServiceConnection",
Link to line in code:
Error message from Azure DevOps pipeline:
Out-File: /home/vsts/.local/share/powershell/Modules/PSRule.Rules.AzureDevOps/0.4.3/Functions/DevOps.ServiceConnections.ps1:156
Line |
156 | … Depth 100 | Out-File "$OutputPath/$($serviceConnection.name).ado.sc.j …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Could not find a part of the path '/home/vsts/work/_temp/CI/CD template
| Repo Connection.ado.sc.json'.
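One way to handle this failure mode, as an added example that is not the module's own code (the function name ConvertTo-SafeFileName and the sample object are constructed here): replace path separators and other characters the file system rejects in the object name before the name is used to build the Out-File path.

```powershell
# Added example (not the module's own code): derive a safe file name for an
# exported Azure DevOps object so a '/' in the object name is not treated as a
# directory separator when the JSON is written with Out-File.
function ConvertTo-SafeFileName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Replacement = '_'
    )
    # Characters the OS rejects in a file name. '/' and '\' are added explicitly
    # because on Linux GetInvalidFileNameChars() only returns NUL and '/'.
    $invalid = [System.IO.Path]::GetInvalidFileNameChars() + [char]'/' + [char]'\'
    $chars = $Name.ToCharArray() | ForEach-Object {
        if ($invalid -contains $_) { $Replacement } else { [string]$_ }
    }
    $safe = (-join $chars).Trim()
    # Never return an empty name; the export would otherwise write to "$OutputPath/.ado.sc.json".
    if ([string]::IsNullOrWhiteSpace($safe)) { $safe = 'unnamed' }
    return $safe
}

# Constructed sample mirroring the service connection name from the error above.
$serviceConnection = [pscustomobject]@{
    name        = 'CI/CD template Repo Connection'
    description = ''
    ObjectType  = 'Azure.DevOps.ServiceConnection'
}
$OutputPath = Join-Path ([System.IO.Path]::GetTempPath()) 'ado-export'
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$fileName = '{0}.ado.sc.json' -f (ConvertTo-SafeFileName -Name $serviceConnection.name)
$serviceConnection | ConvertTo-Json -Depth 100 | Out-File (Join-Path $OutputPath $fileName)
Get-ChildItem -Path $OutputPath   # CI_CD template Repo Connection.ado.sc.json
```

Keeping the original name inside the exported object (as the sample does) preserves the audit trail while only the file name is normalised.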
As a product owner I want to ensure all cmdlets are covered in unit testing for the various TokenType settings and PATs. Not just the cmdlets that actually expect different behaviour, but all cmdlets should be covered by the various connections.
The $script:connection object created by Connect-AzDevOps should have a test case for the workflow ADO_PAT, ADO_PAT_READONLY and ADO_PAT_FINEGRAINED personal access tokens.
Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled gives a false positive when Require minimum reviewers is not selected as branch policy and other policies are enabled.
No
Merge strategy policy on a branch
As an end-user I want to be able to inspect my Azure DevOps environment without exporting the configuration as files stored on a disk. Therefore I want the Export- cmdlets to have an option to pass the AzDo objects to the pipeline instead of exporting them as JSON files, so I can rest assured no sensitive information is left lingering on disks available to others.
Export- cmdlets (including those internal to the module) have a -PassThru parameter to output PSObjects to the pipeline.
The -PassThru parameter is tested in CI with a Pester test passing the output to Invoke-PSRule.
The -PassThru parameter is mutually exclusive with the -OutputPath parameter.
As an end-user I want insights into the ACLs on more objects than currently supported. I want to check ACLs on service connections, environments and variable groups so I can be sure security best practices are adopted in regards to ACLs on those objects.
As an end user I want a better structured Wiki giving answers to relevant questions like installation, running and analyzing the module's results so I have a better understanding of the value of the module.
As a project maintainer I want others to be able to contribute and have transparency in the testing environment. At this time, all Pester tests are conducted in hand-built private Azure DevOps projects. To enable potential contributors I want to have a piece of code that can be run to deploy a test environment suitable for running the implemented Pester tests.
As an end-user I want to have a broader view of my environment than just the default branch of my repo. I want the module to collect data for all branches and I want the module to allow me to use the resource exclusion method provided by PSRule in the configuration file.
As a user I want to easily track back objects to their Organization and Project. Although the name convention allows this to some degree, use of the . character in project or resource names will mess up any automation. Therefore I want to use a more solid method of attaching this information so I can build nice reports in Azure Monitor.
The id field in each object should be a JSON string with the required information.
As an end-user I want to ensure my Project Valid Users group does not have any custom role assignments as this should be a default minimum privilege group only.