draft

Author: v-thepet

docs/pipelines/security/templates.md

@@ -1,43 +1,47 @@
 ---
-title: Use templates for security
-description: Learn about using template features to improve pipeline security.
+title: Template use to improve security
+description: Learn about using template features to help improve pipeline security.
 ms.assetid: 73d26125-e3ab-4e18-9bcd-387fb21d3568
-ms.date: 07/18/2024
+ms.date: 09/12/2025
 ms.topic: conceptual
 monikerRange: '>= azure-devops-2020'
 ---
 
-# Use templates for security
+# Use templates to help improve security
 
 [!INCLUDE [version-gt-eq-2020](../../includes/version-gt-eq-2020.md)]
 
-This article describes how templates can streamline security for Azure Pipelines. Templates can define the outer structure of your pipeline and help prevent malicious code infiltration. Templates can also automatically include steps to do tasks such as credential scanning. If multiple pipelines within your team or organization share the same structure, consider using templates.
+If multiple pipelines within your team or organization share the same structure, consider using [templates](../process/templates.md). This article describes how templates can streamline security for Azure Pipelines.
 
-[Checks on protected resources](resources.md) form the fundamental security framework for Azure Pipelines. These checks apply regardless of pipeline structure, stages, and jobs. You can use templates to help enforce these checks. 
+Pipeline templates can:
+
+- Define the outer structure of your pipeline to help prevent malicious code infiltration.
+- Automatically include steps to do tasks such as credential scanning.
+- Help enforce [checks on protected resources](resources.md). These checks form the fundamental security framework for Azure Pipelines and apply to all pipeline structures, stages, and jobs.
 
 [!INCLUDE [security-prerequisites](includes/security-prerequisites.md)]
 
 ## Includes and extends templates
 
 Azure Pipelines provides *includes* and *extends* templates.
 
-- Includes templates include the template's code directly in the outer file that references it, similar to `#include` in C++. The following example pipeline inserts the *include-npm-steps.yml* template into the `steps` section.
+- An `includes` templates includes the template's code directly in the outer file that references the template, similar to `#include` in C++. The following example pipeline inserts the *include-npm-steps.yml* template into the `steps` section.
 
   ```yaml
     steps:
     - template: templates/include-npm-steps.yml 
   ```
 
-- Extends templates define the outer structure of the pipeline and offer specific points for targeted customizations. In the context of C++, `extends` templates resemble inheritance.
+- An `extends` template defines the outer structure of the pipeline and offers specific points for targeted customizations. In the context of C++, `extends` templates resemble inheritance.
 
-When you use `extends` templates, you can also use `includes` in both the template and the final pipeline to do common configuration pieces. For a complete reference, see the [Template usage reference](../process/templates.md).
+When you use `extends` templates, you can also use `includes` to do common configuration pieces in both the template and the final pipeline. For more information, see [Use YAML templates in pipelines for reusable and secure processes](../process/templates.md).
 
 <a name="use-extends-templates"></a>
-## Extends templates
+### Extends templates
 
-For the most secure pipelines, start by using extends templates. These templates define the outer structure of the pipeline and prevent malicious code from infiltrating the pipeline.
+For the most secure pipelines, start by using `extends` templates. These templates define the outer structure of the pipeline and help prevent malicious code infiltration.
 
-For example, the following template file is named *template.yml*.
+The following example shows a template file named *template.yml*.
 
 ```yaml
 parameters:
@@ -49,7 +53,7 @@ steps:
   - ${{ step }}
 ```
 
-The following pipeline extends the *template.yml* template.
+The following pipeline code extends the *template.yml* template.
 
 ```yaml
 # azure-pipelines.yml
@@ -69,19 +73,19 @@ extends:
 ```
 
 >[!TIP]
->When you set up `extends` templates, consider anchoring them to a particular Git branch or tag so if there are breaking changes, existing pipelines aren't affected. The preceding example uses this feature.
+>When you set up `extends` templates, consider anchoring them to a particular Git branch or tag so any breaking changes don't affect existing pipelines. The preceding example uses this feature.
 
-## YAML pipeline security features
+## Pipeline security features
 
-The YAML pipeline syntax includes several built-in protections. Extends template can enforce their use. To enhance pipeline security, you can implement any of the following restrictions.
+The YAML pipeline syntax includes several built-in protections. `Extends` template can enforce their use to enhance pipeline security. You can implement any of the following restrictions.
 
 ### Step targets
 
 You can restrict certain steps to run in a container rather than on the host. Steps in containers don't have access to the agent's host, preventing these steps from modifying agent configuration or leaving malicious code for later execution.
 
-For example, consider limiting network access. Without open network access, user steps can't retrieve packages from unauthorized sources or upload code and secrets to external network locations.
+For example, you can limit network access. Without open network access, user steps can't retrieve packages from unauthorized sources or upload code and secrets to external network locations.
 
-The following example pipeline runs steps on the agent host before running steps inside a container.
+The following example pipeline runs a step on the agent host before running a step inside a container.
 
 ```yaml
 resources:
@@ -94,13 +98,45 @@ steps:
   target: builder
 ```
 
+### Type-safe parameters
+
+Before a pipeline runs, templates and their parameters transform into constants. [Template parameters](../process/template-parameters.md) can enhance type safety for input parameters.
+
+In the following example template, the parameters restrict the available pipeline pool options by enumerating specific choices instead of allowing freeform strings.
+
+```yaml
+# template.yml
+parameters:
+- name: userpool
+  type: string
+  default: Azure Pipelines
+  values:
+  - Azure Pipelines
+  - private-pool-1
+  - private-pool-2
+
+pool: ${{ parameters.userpool }}
+steps:
+- script: echo Hello world
+```
+
+When it extends the template, the pipeline must specify one of the available pool choices.
+
+```yaml
+# azure-pipelines.yml
+extends:
+  template: template.yml
+  parameters:
+    userpool: private-pool-1
+```
+
 ::: moniker range=">=azure-devops-2022"
 
 ### Agent logging command restrictions
 
-You can restrict the services the Azure Pipelines agent provides to user steps. User steps request services by using *logging commands*, which are specially formatted strings printed to standard output. In restricted mode, most of the agent's services, such as uploading artifacts and attaching test results, are unavailable.
+User steps request services by using *logging commands*, which are specially formatted strings printed to standard output. You can restrict the services that the Azure Pipelines agent provides to user steps. In restricted mode, most of the agent's services, such as uploading artifacts and attaching test results, are unavailable.
 
-The following example task fails because its `target` property instructs the agent not to allow publishing artifacts.
+In the following example, the `target` property instructs the agent not to allow publishing artifacts, so the task fails.
 
 ```yaml
 - task: PublishBuildArtifacts@1
@@ -110,11 +146,11 @@ The following example task fails because its `target` property instructs the age
     commands: restricted
 ```
 
-In `restricted` mode, the `setvariable` command remains permissible, so caution is necessary because pipeline variables are exported as environment variables to subsequent tasks. If tasks output user-provided data, such as open issues retrieved via a REST API, they might be vulnerable to injection attacks. Malicious user content could set environment variables that might be exploited to compromise the agent host.
+The `setvariable` command remains permissible in `restricted` mode, and pipeline variables can be exported as environment variables to subsequent tasks. If tasks output user-provided data, such as open issues retrieved via a REST API, they might be vulnerable to injection attacks. Malicious user content could set environment variables that might be exploited to compromise the agent host.
 
-To mitigate this risk, pipeline authors can explicitly declare which variables are settable by using the `setvariable` logging command. When you specify an empty list, all variable setting is disallowed.
+To mitigate this risk, you can explicitly declare which variables are settable by using the `setvariable` logging command. If you specify an empty list, all variable setting is disallowed.
 
-The following example task fails because the task is only allowed to set the `expectedVar` variable or a variable prefixed with `ok`.
+The following example restricts the `settableVariables` to `expectedVar` or a variable prefixed with `ok`. The task fails because it attempts to set a different variable.
 
 ```yaml
 - task: PowerShell@2
@@ -131,7 +167,7 @@ The following example task fails because the task is only allowed to set the `ex
 
 ### Conditional stage or job execution
 
-You can restrict stages and jobs to run only under specific conditions. In the following example, the condition ensures that restricted code builds only for the main branch.
+You can restrict stages and jobs to run only under specific conditions. The following example ensures that restricted code builds only for the `main` branch.
 
 ```yaml
 jobs:
@@ -150,7 +186,7 @@ Azure Pipelines templates have the flexibility to iterate over and modify YAML s
 
 A template can also rewrite user steps, allowing only approved tasks to run. For example, you can prevent inline script execution.
 
-The following example template prevents the step types `bash`, `powershell`, `pwsh`, and `script` from running. For complete lockdown of ad-hoc scripts, you could also block `BatchScript` and `ShellScript`.
+The following example template prevents the script step types `bash`, `powershell`, `pwsh`, and `script` from running. For complete lockdown of scripts, you could also block `BatchScript` and `ShellScript`.
 
 ```yaml
 # template.yml
@@ -187,57 +223,24 @@ extends:
   parameters:
     usersteps:
     - task: MyTask@1
-    - script: echo This step will be stripped out and not run!
-    - bash: echo This step will be stripped out and not run!
-    - powershell: echo "This step will be stripped out and not run!"
-    - pwsh: echo "This step will be stripped out and not run!"
-    - script: echo This step will be stripped out and not run!
+    - script: echo This step is stripped out and not run
+    - bash: echo This step is stripped out and not run
+    - powershell: echo "This step is stripped out and not run"
+    - pwsh: echo "This step is stripped out and not run"
+    - script: echo This step is stripped out and not run
     - task: CmdLine@2
-      displayName: Test - Will be stripped out
+      displayName: Test - stripped out
       inputs:
-        script: echo This step will be stripped out and not run!
+        script: echo This step is stripped out and not run
     - task: MyOtherTask@2
 ```
 
 :::moniker-end
 
-### Type-safe parameters
-
-Before a pipeline runs, templates and their parameters are transformed into constants. [Template parameters](../process/template-parameters.md) can enhance type safety for input parameters.
-
-In the following example template, the parameters restrict the available pipeline pool options by providing an enumeration of specific choices instead of allowing freeform strings.
-
-```yaml
-# template.yml
-parameters:
-- name: userpool
-  type: string
-  default: Azure Pipelines
-  values:
-  - Azure Pipelines
-  - private-pool-1
-  - private-pool-2
-
-pool: ${{ parameters.userpool }}
-steps:
-- script: # ... removed for clarity
-```
-
-When the pipeline extends the template, it has to specify one of the available pool choices.
-
-```yaml
-# azure-pipelines.yml
-extends:
-  template: template.yml
-  parameters:
-    userpool: private-pool-1
-```
-
 ::: moniker range=">=azure-devops"
-
 ### Template steps
 
-A template can automatically include steps in a pipeline. These steps can do tasks such as credential scanning or static code checks. The following template inserts steps before and after the user steps in every job.
+A template can automatically include steps in a pipeline, for example to do credential scanning or static code checks. The following template inserts steps before and after the user steps in every job.
 
 ```yaml
 parameters:
@@ -258,12 +261,14 @@ jobs:
 
 ## Template enforcement
 
-Templates are a valuable security mechanism, but their effectiveness relies on enforcement. The key control points for enforcing template usage are [protected resources](resources.md). You can configure approvals and checks for your agent pool or other protected resources such as repositories. For an example, see [Add a repository resource check](../process/repository-resource.md#add-a-repository-resource-check).
+The effectiveness of templates as a security mechanism relies on enforcement. The key control points for enforcing template usage are [protected resources](resources.md).
+
+You can configure [approvals and checks](../process/approvals.md) for your agent pool or other protected resources such as repositories. For an example, see [Add a repository resource check](../process/repository-resource.md#add-a-repository-resource-check).
 
 <a name="set-required-templates"></a>
 ### Required templates
 
-To enforce the use of a specific template, configure the [required template check](../process/approvals.md#required-template) for a resource. This check applies only when the pipeline extends from a template.
+To enforce the use of a specific template, configure the [required template](../process/approvals.md#required-template) check for a resource. This check applies only when the pipeline extends from a template.
 
 When you view the pipeline job, you can monitor the check's status. If the pipeline doesn't extend from the required template, the check fails. The run stops and notifies you of the failed check.
 
@@ -273,7 +278,7 @@ When you use the required template, the check passes.
 
 :::image type="content" source="../process/media/approval-pass.png" alt-text="Screenshot showing a passed approval check.":::
 
-The following *params.yml* template must be referenced in any pipeline that extends it.
+For example, the following *params.yml* template must be referenced in any pipeline that extends it.
 
 ```yaml
 # params.yml
@@ -315,7 +320,7 @@ extends:
 
 ## Related content
 
-- [Template usage reference](../process/templates.md)
-- [Secure variables and parameters in pipelines](inputs.md)
+- [Template usage](../process/templates.md)
+- [Template parameters](../process/template-parameters.md)
 - [Resource security](resources.md)
 - [Approvals and checks](../process/approvals.md)