Home
This PowerShell module is built to be used with Bernie White's excellent PSRule module to check an Azure DevOps project against some best practices for a secure development environment.
This module is very much at an early stage of development and should not be considered stable. Any input on the direction of the module and the included rules is very much appreciated. Please consider opening an issue with your ideas.

To use this module, you need to have PSRule installed. You can install it from the PowerShell Gallery:

```powershell
Install-Module -Name PSRule -Scope CurrentUser
```

Once you have PSRule installed, you can install this module from the PowerShell Gallery:

```powershell
Install-Module -Name PSRule.Rules.AzureDevOps -Scope CurrentUser
```

Once you have both modules installed, you can run an export of your Azure DevOps project and run the rules against it. The -PAT value needs to be an Azure DevOps Personal Access Token with sufficient permissions to read the project data. The export only reads, so a PAT with read-only scopes is enough; treat it as a secret and do not commit it to the repository.
```powershell
Export-AzDevOpsRuleData `
    -Organization "MyOrg" `
    -Project "MyProject" `
    -PAT $MyPAT `
    -OutputPath "C:\Temp\MyProject"

Assert-PSRule `
    -InputPath "C:\Temp\MyProject\" `
    -Module PSRule.Rules.AzureDevOps
```
Since version 0.0.8 of this module, you can also export the data at the organization level, looping through all projects in the organization the PAT has access to.
```powershell
Export-AzDevOpsOrganizationRuleData `
    -Organization "MyOrg" `
    -PAT $MyPAT `
    -OutputPath "C:\Temp\MyOrg"
```

Since version 0.0.12 of this module, you can disable rules that check for Azure DevOps features that require additional licenses. This is done by applying the Baseline.NoExtraLicense baseline to the Assert-PSRule command through the -Baseline option.
```powershell
Assert-PSRule `
    -InputPath "C:\Temp\MyProject\" `
    -Module PSRule.Rules.AzureDevOps `
    -Baseline Baseline.NoExtraLicense
```

Documentation for the implemented rules can be found in the en folder.
- Azure.DevOps.Pipelines.Core.UseYamlDefinition
- Azure.DevOps.Pipelines.Environments.Description
- Azure.DevOps.Pipelines.Environments.ProductionCheckProtection
- Azure.DevOps.Pipelines.Environments.ProductionHumanApproval
- Azure.DevOps.Pipelines.Releases.Definition.ProductionApproval
- Azure.DevOps.Pipelines.Settings.LimitSetVariablesAtQueueTime
- Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScope
- Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForReleasePipelines
- Azure.DevOps.Pipelines.Settings.LimitJobAuthorizationScopeForYamlPipelines
- Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork
- Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork
- Azure.DevOps.Pipelines.Settings.SanitizeShellTaskArguments
- Azure.DevOps.Repos.BranchPolicyAllowSelfApproval
- Azure.DevOps.Repos.BranchPolicyCommentResolution
- Azure.DevOps.Repos.BranchPolicyEnforceLinkedWorkItems
- Azure.DevOps.Repos.BranchPolicyIsEnabled
- Azure.DevOps.Repos.BranchPolicyMergeStrategy
- Azure.DevOps.Repos.BranchPolicyMinimumReviewers
- Azure.DevOps.Repos.BranchPolicyResetVotes
- Azure.DevOps.Repos.HasBranchPolicy
- Azure.DevOps.Repos.License
- Azure.DevOps.Repos.Readme
- Azure.DevOps.Repos.GitHubAdvancedSecurityEnabled
- Azure.DevOps.Repos.GitHubAdvancedSecurityBlockPushes
- Azure.DevOps.ServiceConnections.Description
- Azure.DevOps.ServiceConnections.ProductionCheckProtection
- Azure.DevOps.ServiceConnections.ProductionHumanApproval
- Azure.DevOps.ServiceConnections.Scope
- Azure.DevOps.ServiceConnections.WorkloadIdentityFederation
- Azure.DevOps.Tasks.VariableGroup.Description
- Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets
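Putting the install, export and assert steps above together in one runnable script: the following is an added example, not code from the PSRule.Rules.AzureDevOps project. It exports a single project or, when no project is given, the whole organization, then runs Assert-PSRule against the export and exits non-zero when any rule fails, so it can gate a pipeline. The AZDO_PAT environment variable, the script's own parameter names, and the use of PSRule's standard -OutputFormat and -OutputPath parameters on Assert-PSRule to keep an NUnit report are assumptions of this example, not something the page documents.

```powershell
# Added example (not part of PSRule.Rules.AzureDevOps): export Azure DevOps data and
# assert the rules, failing the run when any rule fails.
# Assumption: the PAT is supplied through the AZDO_PAT environment variable (constructed name).
param(
    [Parameter(Mandatory)] [string] $Organization,
    [string] $Project,                                  # omit to export every project in the organization
    [string] $OutputPath = (Join-Path ([IO.Path]::GetTempPath()) 'azdo-rule-data'),
    [switch] $NoExtraLicense                            # skip rules for features that need extra licenses
)

$ErrorActionPreference = 'Stop'

# Never hard-code the PAT; read it from the environment, where a pipeline's secret store can inject it.
$pat = $env:AZDO_PAT
if ([string]::IsNullOrWhiteSpace($pat)) {
    throw 'Set AZDO_PAT to an Azure DevOps Personal Access Token with read access to the project data.'
}

# Install both modules for the current user if they are not already available.
foreach ($moduleName in 'PSRule', 'PSRule.Rules.AzureDevOps') {
    if (-not (Get-Module -ListAvailable -Name $moduleName)) {
        Install-Module -Name $moduleName -Scope CurrentUser -Force
    }
}

# Start from an empty export directory so stale files from an earlier run are not assessed.
if (Test-Path $OutputPath) { Remove-Item -Path $OutputPath -Recurse -Force }
New-Item -ItemType Directory -Path $OutputPath | Out-Null

# Project-level export, or organization-level export (loops over every project the PAT can read).
if ($Project) {
    Export-AzDevOpsRuleData -Organization $Organization -Project $Project -PAT $pat -OutputPath $OutputPath
} else {
    Export-AzDevOpsOrganizationRuleData -Organization $Organization -PAT $pat -OutputPath $OutputPath
}

# Assert the rules against the exported data. OutputFormat/OutputPath are PSRule's own
# Assert-PSRule parameters (assumed here) and keep an NUnit3 report next to the export.
$assertParams = @{
    InputPath    = $OutputPath
    Module       = 'PSRule.Rules.AzureDevOps'
    OutputFormat = 'NUnit3'
    OutputPath   = (Join-Path $OutputPath 'results.xml')
}
if ($NoExtraLicense) {
    # Drop rules that check licensed features (for example GitHub Advanced Security).
    $assertParams['Baseline'] = 'Baseline.NoExtraLicense'
}

# Assert-PSRule raises an error when any rule fails; with $ErrorActionPreference = 'Stop'
# that terminates the script, so a CI job running it fails on a non-compliant project.
Assert-PSRule @assertParams
```

Run it as `.\Invoke-AzDevOpsRuleCheck.ps1 -Organization MyOrg -Project MyProject -NoExtraLicense` (script name chosen for this example) after setting `$env:AZDO_PAT` in the session; leaving out -Project switches to the organization-level export introduced in version 0.0.8.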