Releases: cloudyspells/PSRule.Rules.AzureDevOps
Releases · cloudyspells/PSRule.Rules.AzureDevOps
v.0.5.1
v0.5.0
Whats new:
This release brings new internal export functionality to the module and expands the capabilities in exporting Access Control Lists (ACL). These capabilities enable 15 new rules for validating best-practices in setting permission inheritance and misconfigurations of the Project Valid Users
group in Azure DevOps.
Module Internal Functions
Get-AzDevOpsProjectAcls
Get-AzDevOpsEnvironmentAcls
Get-AzDevOpsServiceConnectionAcls
Get-AzDevOpsVariableGroupAcls
Rules
Azure.DevOps.Pipelines.Core.ProjectValidUsers
Azure.DevOps.Pipelines.Environments.InheritedPermissions
Azure.DevOps.Pipelines.Environments.ProjectValidUsers
Azure.DevOps.Pipelines.Releases.ProjectValidUsers
Azure.DevOps.Project.MainEnvironmentAcl.ProjectValidUsers
Azure.DevOps.Project.MainPipelineAcl.ProjectValidUsers
Azure.DevOps.Project.MainReleaseDefinitionAcl.ProjectValidUsers
Azure.DevOps.Project.MainRepositoryAcl.ProjectValidUsers
Azure.DevOps.Project.MainServiceConnectionAcl.ProjectValidUsers
Azure.DevOps.Project.MainVariableGroupAcl.ProjectValidUsers
Azure.DevOps.Repos.ProjectValidUsers
Azure.DevOps.ServiceConnections.InheritedPermissions
Azure.DevOps.ServiceConnections.ProjectValidUsers
Azure.DevOps.Tasks.VariableGroup.InheritedPermissions
Azure.DevOps.Tasks.VariableGroup.ProjectValidUsers
Bug fixes
- Undocumented bug where no ACL was returned when Release or Build Definition is in a folder
v0.4.4
v0.4.3
v0.4.2
Whats new:
- All exported objects now have an
id
property consisting of a JSON formatted object string of the fields below. This has been added to allow KQL parsing back to the original object hierarchy when the module is used together withPSRule.Monitor
originalId
resourceName
project
organization
v0.4.1
v0.4.0
What's new
Features:
-PassThru
Parameter. This new parameter enables the export functions to write their output to the PowerShell pipeline and not write any files to storage. This enables full in-memory execution of the rules and prevents sensitive information written to the filesystem.- Azure DevOps Group export and rules. Group information is now exported and 3 new rules have been added for best practices concering the default groups in Azure DevOps.
- All repository branches are now exported and in scope. With the PSRule Supression Groups functionality you can define the scope of branches that should be protected with best practices.
- All serviceconnections are now exported and in scope. Previous versions of the module only inspected serviceconnections with names like
prd
,production
etc. The scope has now been expanded to all serviceconnections and suppression groups can be set as shown in the supplied example for best-practice based suppression groups. - Build (-artifact) retention settings export and rules.
- Rules for private vs. public projects and corresponding baselines.
- Enhancements in unit testing maintainability.
Rules:
- Azure.DevOps.Groups.ProjectAdmins.MinMembers
- Azure.DevOps.Groups.ProjectAdmins.MaxMembers
- Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups
- Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate
- Azure.DevOps.Project.Visibility
- Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval
- Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution
- Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems
- Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled
- Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy
- Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers
- Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild
- Azure.DevOps.Repos.Branch.BranchPolicyResetVotes
- Azure.DevOps.Repos.Branch.HasBranchPolicy
- Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays
- Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays
v0.4.0-preview1
What's new
Features:
-PassThru
Parameter. This new parameter enables the export functions to write their output to the PowerShell pipeline and not write any files to storage. This enables full in-memory execution of the rules and prevents sensitive information written to the filesystem.- Azure DevOps Group export and rules. Group information is now exported and 3 new rules have been added for best practices concering the default groups in Azure DevOps.
- All repository branches are now exported and in scope. With the PSRule Supression Groups functionality you can define the scope of branches that should be protected with best practices.
- All serviceconnections are now exported and in scope. Previous versions of the module only inspected serviceconnections with names like
prd
,production
etc. The scope has now been expanded to all serviceconnections and suppression groups can be set as shown in the supplied example for best-practice based suppression groups. - Build (-artifact) retention settings export and rules.
- Rules for private vs. public projects and corresponding baselines.
- Enhancements in unit testing maintainability.
Rules:
- Azure.DevOps.Groups.ProjectAdmins.MinMembers
- Azure.DevOps.Groups.ProjectAdmins.MaxMembers
- Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups
- Azure.DevOps.Pipelines.Settings.StatusBadgesPrivate
- Azure.DevOps.Project.Visibility
- Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval
- Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution
- Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems
- Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled
- Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy
- Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers
- Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild
- Azure.DevOps.Repos.Branch.BranchPolicyResetVotes
- Azure.DevOps.Repos.Branch.HasBranchPolicy
- Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays
- Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays
v0.3.0
What's new
Connect-AzDevOps
Cmdlet to connect to Azure DevOps- New name convention for exported resources:
{DevOps Organization}.{Project}.{resource}
. The new name convention allows for better use of the module at scale. E.g. when collecting data for all projects in an organization. - Rule
Severity
levels reviewed and improved. See the table below for improvements.
Rule | Previous Severity | New Severity |
---|---|---|
Azure.DevOps.Pipelines.PipelineYaml.AgentPoolVersionNotLatest |
Informational | Important |
Azure.DevOps.Pipelines.Settings.RequireCommentForPullRequestFromFork |
Severe | Important |
Azure.DevOps.Pipelines.Settings.RestrictSecretsForPullRequestFromFork |
Severe | Critical |
Azure.DevOps.Repos.BranchPolicyCommentResolution |
Informational | Important |
Azure.DevOps.Repos.BranchPolicyMergeStrategy |
Informational | Important |
Azure.DevOps.Repos.License |
Important | Informational |
Azure.DevOps.Repos.Readme |
Important | Informational |
Azure.DevOps.ServiceConnections.ClassicAzure |
Severe | Critical |
Azure.DevOps.ServiceConnections.Description |
Severe | Informational |
Azure.DevOps.ServiceConnections.WorkloadIdentityFederation |
Severe | Important |
Azure.DevOps.Tasks.VariableGroup.Description |
Severe | Informational |
Azure.DevOps.Tasks.VariableGroup.NoKeyVaultNoSecrets |
Severe | Critical |
v0.3.0-preview4
- Fix cmdlet export