MicrosoftDocs
diff --git a/‎docs/pipelines/process/media/approval-fail.png‎
9.31 KB b/‎docs/pipelines/process/media/approval-fail.png‎
9.31 KB
diff --git a/‎docs/pipelines/security/templates.md‎
Lines changed: 83 additions & 77 deletions b/‎docs/pipelines/security/templates.md‎
Lines changed: 83 additions & 77 deletions
@@ -1,43 +1,46 @@
 ---
-title: Use templates for security
-description: Learn about using template features to improve pipeline security.
+title: Templates for security
+description: Learn about using template features to help improve pipeline security.
 ms.assetid: 73d26125-e3ab-4e18-9bcd-387fb21d3568
-ms.date: 07/18/2024
+ms.date: 09/12/2025
 ms.topic: conceptual
 monikerRange: '>= azure-devops-2020'
+#customer intent: As an Azure DevOps user, I want to understand how pipeline templates can help increase security, so I can use templates to do security tasks and help prevent malicious code infiltration and execution.
 ---
 
-# Use templates for security
+# Templates for security
 
 [!INCLUDE [version-gt-eq-2020](../../includes/version-gt-eq-2020.md)]
 
-This article describes how templates can streamline security for Azure Pipelines. Templates can define the outer structure of your pipeline and help prevent malicious code infiltration. Templates can also automatically include steps to do tasks such as credential scanning. If multiple pipelines within your team or organization share the same structure, consider using templates.
+Azure Pipelines [templates](../process/templates.md) let you define reusable content, logic, and parameters in YAML pipelines. This article describes how templates can help enhance pipeline security by:
 
-[Checks on protected resources](resources.md) form the fundamental security framework for Azure Pipelines. These checks apply regardless of pipeline structure, stages, and jobs. You can use templates to help enforce these checks. 
+- Defining the outer structure of a pipeline to help prevent malicious code infiltration.
+- Automatically including steps to do tasks such as credential scanning.
+- Helping enforce [checks on protected resources](resources.md), which form the fundamental security framework for Azure Pipelines and apply to all pipeline structures and components.
 
 [!INCLUDE [security-prerequisites](includes/security-prerequisites.md)]
 
 ## Includes and extends templates
 
 Azure Pipelines provides *includes* and *extends* templates.
 
-- Includes templates include the template's code directly in the outer file that references it, similar to `#include` in C++. The following example pipeline inserts the *include-npm-steps.yml* template into the `steps` section.
+- An `includes` template includes the template's code directly in the outer file that references the template, similar to `#include` in C++. The following example pipeline inserts the *include-npm-steps.yml* template into the `steps` section.
 
   ```yaml
     steps:
     - template: templates/include-npm-steps.yml 
   ```
 
-- Extends templates define the outer structure of the pipeline and offer specific points for targeted customizations. In the context of C++, `extends` templates resemble inheritance.
+- An `extends` template defines the outer structure of the pipeline and offers specific points for targeted customizations. In the context of C++, `extends` templates resemble inheritance.
 
-When you use `extends` templates, you can also use `includes` in both the template and the final pipeline to do common configuration pieces. For a complete reference, see the [Template usage reference](../process/templates.md).
+When you use `extends` templates, you can also use `includes` to do common configuration pieces in both the template and the final pipeline. For more information, see [Use YAML templates in pipelines for reusable and secure processes](../process/templates.md).
 
 <a name="use-extends-templates"></a>
-## Extends templates
+### Extends templates
 
-For the most secure pipelines, start by using extends templates. These templates define the outer structure of the pipeline and prevent malicious code from infiltrating the pipeline.
+For the most secure pipelines, start by using `extends` templates. These templates define the outer structure of the pipeline and help prevent malicious code infiltration.
 
-For example, the following template file is named *template.yml*.
+The following example shows a template file named *template.yml*.
 
 ```yaml
 parameters:
@@ -49,7 +52,7 @@ steps:
   - ${{ step }}
 ```
 
-The following pipeline extends the *template.yml* template.
+The following example pipeline extends the *template.yml* template.
 
 ```yaml
 # azure-pipelines.yml
@@ -69,38 +72,70 @@ extends:
 ```
 
 >[!TIP]
->When you set up `extends` templates, consider anchoring them to a particular Git branch or tag so if there are breaking changes, existing pipelines aren't affected. The preceding example uses this feature.
+>When you set up `extends` templates, consider anchoring them to a particular Git branch or tag so any breaking changes don't affect existing pipelines. The preceding example uses this feature.
 
-## YAML pipeline security features
+## Pipeline security features
 
-The YAML pipeline syntax includes several built-in protections. Extends template can enforce their use. To enhance pipeline security, you can implement any of the following restrictions.
+YAML pipeline syntax includes several built-in protections. `Extends` templates can enforce their use to enhance pipeline security. You can implement any of the following restrictions.
 
 ### Step targets
 
-You can restrict certain steps to run in a container rather than on the host. Steps in containers don't have access to the agent's host, preventing these steps from modifying agent configuration or leaving malicious code for later execution.
+You can restrict specified steps to run in a container rather than on the host. Steps in containers can't access the agent host, so they can't modify agent configuration or leave malicious code for later execution.
 
-For example, consider limiting network access. Without open network access, user steps can't retrieve packages from unauthorized sources or upload code and secrets to external network locations.
+For example, you can run user steps in a container to prevent them from accessing the network, so they can't retrieve packages from unauthorized sources or upload code and secrets to external locations.
 
-The following example pipeline runs steps on the agent host before running steps inside a container.
+The following example pipeline runs a step on the agent host that could potentially alter the host network, followed by a step inside a container that limits network access.
 
 ```yaml
 resources:
   containers:
   - container: builder
     image: mysecurebuildcontainer:latest
 steps:
-- script: echo This step runs on the agent host, and it could use Docker commands to tear down or limit the container's network
+- script: echo This step runs on the agent host
 - script: echo This step runs inside the builder container
   target: builder
 ```
 
+### Type-safe parameters
+
+Before a pipeline runs, templates and their parameters transform into constants. [Template parameters](../process/template-parameters.md) can enhance type safety for input parameters.
+
+In the following example template, the parameters restrict the available pipeline pool options by enumerating specific choices instead of allowing any string.
+
+```yaml
+# template.yml
+parameters:
+- name: userpool
+  type: string
+  default: Azure Pipelines
+  values:
+  - Azure Pipelines
+  - private-pool-1
+  - private-pool-2
+
+pool: ${{ parameters.userpool }}
+steps:
+- script: echo Hello world
+```
+
+To extend the template, the pipeline must specify one of the available pool choices.
+
+```yaml
+# azure-pipelines.yml
+extends:
+  template: template.yml
+  parameters:
+    userpool: private-pool-1
+```
+
 ::: moniker range=">=azure-devops-2022"
 
 ### Agent logging command restrictions
 
-You can restrict the services the Azure Pipelines agent provides to user steps. User steps request services by using *logging commands*, which are specially formatted strings printed to standard output. In restricted mode, most of the agent's services, such as uploading artifacts and attaching test results, are unavailable.
+User steps request services by using *logging commands*, which are specially formatted strings printed to standard output. You can restrict the services that logging commands provide for user steps. In `restricted` mode, most agent services such as uploading artifacts and attaching test results are unavailable for logging commands.
 
-The following example task fails because its `target` property instructs the agent not to allow publishing artifacts.
+In the following example, the `target` property instructs the agent to restrict publishing artifacts, so the artifact publishing task fails.
 
 ```yaml
 - task: PublishBuildArtifacts@1
@@ -110,11 +145,13 @@ The following example task fails because its `target` property instructs the age
     commands: restricted
 ```
 
-In `restricted` mode, the `setvariable` command remains permissible, so caution is necessary because pipeline variables are exported as environment variables to subsequent tasks. If tasks output user-provided data, such as open issues retrieved via a REST API, they might be vulnerable to injection attacks. Malicious user content could set environment variables that might be exploited to compromise the agent host.
+#### Variables in logging commands
+
+The `setvariable` command remains permissible in `restricted` mode, so tasks that output user-provided data, such as open issues retrieved via a REST API, might be vulnerable to injection attacks. Malicious user content could set variables that export to subsequent tasks as environment variables and could compromise the agent host.
 
-To mitigate this risk, pipeline authors can explicitly declare which variables are settable by using the `setvariable` logging command. When you specify an empty list, all variable setting is disallowed.
+To mitigate this risk, you can explicitly declare the variables that are settable by using the `setvariable` logging command. If you specify an empty list in `settableVariables`, all variable setting is disallowed.
 
-The following example task fails because the task is only allowed to set the `expectedVar` variable or a variable prefixed with `ok`.
+The following example restricts the `settableVariables` to `expectedVar` and any variable prefixed with `ok`. The task fails because it attempts to set a different variable called `BadVar`.
 
 ```yaml
 - task: PowerShell@2
@@ -131,7 +168,7 @@ The following example task fails because the task is only allowed to set the `ex
 
 ### Conditional stage or job execution
 
-You can restrict stages and jobs to run only under specific conditions. In the following example, the condition ensures that restricted code builds only for the main branch.
+You can restrict stages and jobs to run only under specific conditions. The following example ensures that restricted code builds only for the `main` branch.
 
 ```yaml
 jobs:
@@ -148,9 +185,9 @@ jobs:
 
 Azure Pipelines templates have the flexibility to iterate over and modify YAML syntax. By using iteration, you can enforce specific YAML security features.
 
-A template can also rewrite user steps, allowing only approved tasks to run. For example, you can prevent inline script execution.
+A template can also rewrite user steps, allowing only approved tasks to run. For example, the template can prevent inline script execution.
 
-The following example template prevents the step types `bash`, `powershell`, `pwsh`, and `script` from running. For complete lockdown of ad-hoc scripts, you could also block `BatchScript` and `ShellScript`.
+The following example template prevents the script step types `bash`, `powershell`, `pwsh`, and `script` from running. For complete lockdown of scripts, you could also block `BatchScript` and `ShellScript`.
 
 ```yaml
 # template.yml
@@ -178,7 +215,7 @@ steps:
           displayName: 'Disabled by template: ${{ step.displayName }}'
 ```
 
-In the following pipeline that extends this template, the script steps are stripped out and not run.
+In the following example pipeline that extends the preceding template, the script steps are stripped out and not run.
 
 ```yaml
 # azure-pipelines.yml
@@ -187,57 +224,24 @@ extends:
   parameters:
     usersteps:
     - task: MyTask@1
-    - script: echo This step will be stripped out and not run!
-    - bash: echo This step will be stripped out and not run!
-    - powershell: echo "This step will be stripped out and not run!"
-    - pwsh: echo "This step will be stripped out and not run!"
-    - script: echo This step will be stripped out and not run!
+    - script: echo This step is stripped out and not run
+    - bash: echo This step is stripped out and not run
+    - powershell: echo "This step is stripped out and not run"
+    - pwsh: echo "This step is stripped out and not run"
+    - script: echo This step is stripped out and not run
     - task: CmdLine@2
-      displayName: Test - Will be stripped out
+      displayName: Test - stripped out
       inputs:
-        script: echo This step will be stripped out and not run!
+        script: echo This step is stripped out and not run
     - task: MyOtherTask@2
 ```
 
 :::moniker-end
 
-### Type-safe parameters
-
-Before a pipeline runs, templates and their parameters are transformed into constants. [Template parameters](../process/template-parameters.md) can enhance type safety for input parameters.
-
-In the following example template, the parameters restrict the available pipeline pool options by providing an enumeration of specific choices instead of allowing freeform strings.
-
-```yaml
-# template.yml
-parameters:
-- name: userpool
-  type: string
-  default: Azure Pipelines
-  values:
-  - Azure Pipelines
-  - private-pool-1
-  - private-pool-2
-
-pool: ${{ parameters.userpool }}
-steps:
-- script: # ... removed for clarity
-```
-
-When the pipeline extends the template, it has to specify one of the available pool choices.
-
-```yaml
-# azure-pipelines.yml
-extends:
-  template: template.yml
-  parameters:
-    userpool: private-pool-1
-```
-
 ::: moniker range=">=azure-devops"
-
 ### Template steps
 
-A template can automatically include steps in a pipeline. These steps can do tasks such as credential scanning or static code checks. The following template inserts steps before and after the user steps in every job.
+A template can automatically include steps in a pipeline, for example to do credential scanning or static code checks. The following template inserts steps before and after the user steps in every job.
 
 ```yaml
 parameters:
@@ -258,22 +262,24 @@ jobs:
 
 ## Template enforcement
 
-Templates are a valuable security mechanism, but their effectiveness relies on enforcement. The key control points for enforcing template usage are [protected resources](resources.md). You can configure approvals and checks for your agent pool or other protected resources such as repositories. For an example, see [Add a repository resource check](../process/repository-resource.md#add-a-repository-resource-check).
+The effectiveness of templates as a security mechanism relies on enforcement. The key control points for enforcing template usage are [protected resources](resources.md).
+
+You can configure [approvals and checks](../process/approvals.md) for your agent pool or other protected resources such as repositories. For an example, see [Add a repository resource check](../process/repository-resource.md#add-a-repository-resource-check).
 
 <a name="set-required-templates"></a>
 ### Required templates
 
-To enforce the use of a specific template, configure the [required template check](../process/approvals.md#required-template) for a resource. This check applies only when the pipeline extends from a template.
+To enforce the use of a specific template, configure the [required template](../process/approvals.md#required-template) check on the service connection for a resource. This check applies only when the pipeline extends from a template.
 
-When you view the pipeline job, you can monitor the check's status. If the pipeline doesn't extend from the required template, the check fails. The run stops and notifies you of the failed check.
+When you view the pipeline job, you can monitor the check's status. If the pipeline doesn't extend from the required template, the check fails.
 
 :::image type="content" source="../process/media/approval-fail.png" alt-text="Screenshot showing a failed approval check.":::
 
 When you use the required template, the check passes.
 
 :::image type="content" source="../process/media/approval-pass.png" alt-text="Screenshot showing a passed approval check.":::
 
-The following *params.yml* template must be referenced in any pipeline that extends it.
+For example, the following *params.yml* template must be referenced in any pipeline that extends it.
 
 ```yaml
 # params.yml
@@ -295,7 +301,7 @@ steps:
 - script: echo ${{ parameters.image }}
 ```
 
-The following example pipeline extends the *params.yml* template and requires it for approval. To demonstrate a pipeline failure, comment out the reference to *params.yml*.
+The following example pipeline extends the *params.yml* template and requires it for approval. To demonstrate a pipeline failure, comment out the `extends` reference to *params.yml*.
 
 ```yaml
 # azure-pipeline.yml
@@ -315,7 +321,7 @@ extends:
 
 ## Related content
 
-- [Template usage reference](../process/templates.md)
-- [Secure variables and parameters in pipelines](inputs.md)
+- [Template usage](../process/templates.md)
+- [Template parameters](../process/template-parameters.md)
 - [Resource security](resources.md)
 - [Approvals and checks](../process/approvals.md)